Re: Enable systemd hardening options for named

2018-01-16 Thread Reindl Harald
On 16.01.2018 at 13:52, Daniel Stirnimann wrote:
> Hello all,
> Just wondering, if one is already using selinux in enforcing mode, does systemd hardening provide any additional benefit?

surely - it's about layered security

what are you doing when SELinux makes troubles and you need it so set

Re: Enable systemd hardening options for named

2018-01-16 Thread Ludovic Gasc
2018-01-16 13:52 GMT+01:00 Daniel Stirnimann:
> Hello all,
>
> Just wondering, if one is already using selinux in enforcing mode, does
> systemd hardening provide any additional benefit?

Very good question, I'm not sure at all: To my understanding, it might be

Re: Enable systemd hardening options for named

2018-01-16 Thread Daniel Stirnimann
Hello all,

Just wondering, if one is already using selinux in enforcing mode, does systemd hardening provide any additional benefit?

Daniel

On 16.01.18 12:21, Ludovic Gasc wrote:
> Hi,
>
> I have merged config files from Tony, Robert, and me.
> I have tried to be the most generic, the result

Re: Enable systemd hardening options for named

2018-01-16 Thread Ludovic Gasc
Hi,

I have forgotten to say that I have also removed the "-u bind" option in /etc/default/bind9, because it isn't necessary anymore: the named daemon is started as the bind user directly with this configuration.

I might have found 3 new interesting options:

Re: Enable systemd hardening options for named

2018-01-16 Thread Ludovic Gasc
Hi,

I have merged config files from Tony, Robert, and me. I have tried to be the most generic, the result below.

It seems to work here without regression, except a warning:
managed-keys-zone: Unable to fetch DNSKEY set '.': operation canceled

But only at the first boot, I don't see the message

Re: Enable systemd hardening options for named

2018-01-16 Thread Ludovic Gasc
2018-01-16 11:58 GMT+01:00 Reindl Harald:
> On 16.01.2018 at 11:46, Tony Finch wrote:
>> Robert Edmonds wrote:
>>>
>>> I would guess that retaining CAP_NET_BIND_SERVICE and CAP_SYS_RESOURCE
>>> during the process runtime permits open-ended

Re: Enable systemd hardening options for named

2018-01-16 Thread Reindl Harald
On 16.01.2018 at 11:46, Tony Finch wrote:
> Robert Edmonds wrote:
>> I would guess that retaining CAP_NET_BIND_SERVICE and CAP_SYS_RESOURCE during the process runtime permits open-ended reloading of the config at runtime (e.g., binding to a new IP address on port 53 without

Re: Enable systemd hardening options for named

2018-01-16 Thread Tony Finch
Robert Edmonds wrote:
>
> I would guess that retaining CAP_NET_BIND_SERVICE and CAP_SYS_RESOURCE
> during the process runtime permits open-ended reloading of the config at
> runtime (e.g., binding to a new IP address on port 53 without needing to
> restart the daemon).

BIND

Re: Enable systemd hardening options for named

2018-01-16 Thread Ludovic Gasc
2018-01-16 10:22 GMT+01:00 Reindl Harald:
> On 16.01.2018 at 10:20, Ludovic Gasc wrote:
>> 2018-01-15 19:11 GMT+01:00 Reindl Harald h.rei...@thelounge.net>>:
>>
>> ReadOnlyDirectories=/etc
>> ReadOnlyDirectories=/usr
>>

Re: Enable systemd hardening options for named

2018-01-16 Thread Reindl Harald
On 16.01.2018 at 10:20, Ludovic Gasc wrote:
> 2018-01-15 19:11 GMT+01:00 Reindl Harald:
>> ReadOnlyDirectories=/etc
>> ReadOnlyDirectories=/usr
>
> FYI, you can use ProtectSystem=strict to have more strict rules for the root

Re: Enable systemd hardening options for named

2018-01-16 Thread Ludovic Gasc
2018-01-15 19:11 GMT+01:00 Reindl Harald:
> ReadOnlyDirectories=/etc
> ReadOnlyDirectories=/usr

FYI, you can use ProtectSystem=strict to have more strict rules for the root filesystem: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=