Done: https://salsa.debian.org/dns-team/bind9/merge_requests/1
Do I also need to send a merge request on:
https://salsa.debian.org/dns-team/bind ?
Thanks for your remarks.
Here:
https://salsa.debian.org/dns-team/bind9.git (and future
https://salsa.debian.org/dns-team/bind.git), you'll probably need a guest
account that could be created here: https://signup.salsa.debian.org/
Ondrej
--
Ondřej Surý
On Thu, Feb 1, 2018, at 09:44, Ludovic Gasc wrote:
> Hi,
>
> On
Hi,
On Mon, 29 Jan 2018 11:18:47 -0500 Simon Deziel wrote:
> SystemCallArchitectures=native
> # note: AF_NETLINK is needed for getifaddrs(3)
> RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
I'm also working to increase the security of bind via systemd without MAC
enabled, I have int
Hi,
In addition to what Russ proposed to add, I've been running with those
additional restrictions:
SystemCallArchitectures=native
# note: AF_NETLINK is needed for getifaddrs(3)
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
They are available on older systemd versions so they shoul
Hi,
It would be really nice to have those hardening options used. I use them
locally on Ubuntu. Please note that the Private*/Protect* options (using
the mount namespace) require this change to the AppArmor profile:
-/usr/sbin/named {
+/usr/sbin/named flags=(attach_disconnected) {
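Review bot: The flags=(attach_disconnected) addition on the /usr/sbin/named profile header has no comment explaining why it is needed. Suggest a comment line directly above the header stating that the flag is required when the unit uses the Private*/Protect* mount-namespace options, so that it is not dropped in a later profile cleanup and its link to the systemd unit settings stays visible.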
Thanks,
Simon
FTR, these are the "others" using (just as a reference, I think we can
easily add more):
Fedora/RHEL:
https://src.fedoraproject.org/rpms/bind/blob/master/f/named.service
PrivateTmp=true
SLES:
Unknown, but https://build.opensuse.org/package/revisions/network/bind
sports a nice "Add back init scrip
Package: bind9
Version: 1:9.10.3.dfsg.P4-12.3
Severity: wishlist
BIND named is a great candidate for enabling systemd hardening features,
since it has very limited required access to the local file system and
a long history of security issues due to its complexity.
I'm currently using the followi