Package: motion
Version: 4.3.2-1
Severity: wishlist

Attached is my systemd hardening errata for motion.
It won't work for everyone, but
at least SOME of it could be added to debian/motion.service.


-- System Information:
Debian Release: 11.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.18.0-0.deb11.4-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
# Security hardening.
#
# Read from http://camera1.cyber.com.au
# Write to file:///var/lib/motion/
# Write to smtp://localhost
[Service]
CapabilityBoundingSet=
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictNamespaces=yes
DevicePolicy=closed
NoNewPrivileges=yes
PrivateDevices=yes
PrivateMounts=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=noaccess
ProtectSystem=strict
ProcSubset=pid
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RemoveIPC=yes
UMask=0027
ProtectHostname=yes

IPAddressAllow=localhost
IPAddressAllow=203.7.155.0/24
IPAddressDeny=any

WorkingDirectory=/var/lib/%p

## This is causing me problems by chowning things I don't want it to!
# StateDirectory=%p

# 19:11 <twb> TIL if you do ReadWritePaths=/a/b/c /a/b/d  then your systemd
#             unit can't rename(2) /a/b/c/evidence.mkv to /a/b/d/evidence.mkv
# 19:12 <twb> Because even though they're the same filesystem, the UNIT sees
#             them as separate bind mounts
# ReadWritePaths=/var/lib/motion/new
# ReadWritePaths=/var/lib/motion/old

ReadWritePaths=/var/lib/motion
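The rename(2) caveat from the comment above, as an added example that is not part of the bug report or of motion itself: on Linux, rename(2) between two mounts fails with EXDEV even when both are bind mounts of one filesystem, which is exactly what two separate ReadWritePaths= entries produce inside the unit. A daemon that must keep its directories as separate entries therefore needs a copy-then-unlink fallback; the function names, the 0640 mode (chosen to match UMask=0027) and the test helpers are assumptions of this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Copy src to dst byte-for-byte, fsync, then unlink src. Only used after
 * rename(2) has reported EXDEV, i.e. src and dst are on different mounts. */
int copy_then_unlink(const char *src, const char *dst)
{
    char buf[65536];
    ssize_t n;
    int in = open(src, O_RDONLY);
    if (in < 0) return -1;
    /* O_EXCL never clobbers an existing recording; 0640 matches UMask=0027 */
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0640);
    if (out < 0) { close(in); return -1; }
    while ((n = read(in, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0) { n = -1; break; }
            off += w;
        }
        if (n < 0) break;
    }
    int ok = n == 0 && fsync(out) == 0;   /* data on disk before src goes */
    if (close(out) != 0) ok = 0;
    close(in);
    if (!ok) { unlink(dst); return -1; }
    return unlink(src);
}

/* Move a recording between two write-enabled directories: atomic rename(2)
 * first; if the kernel answers EXDEV, copy instead of failing outright. */
int move_recording(const char *src, const char *dst)
{
    if (rename(src, dst) == 0) return 0;
    if (errno != EXDEV) return -1;
    return copy_then_unlink(src, dst);
}

/* Test helpers (assumed) so the behaviour can be checked without a camera. */
int write_text(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0640);
    if (fd < 0) return -1;
    int ok = write(fd, text, strlen(text)) == (ssize_t)strlen(text);
    return close(fd) == 0 && ok ? 0 : -1;
}
int file_exists(const char *path) { return access(path, F_OK) == 0; }
```

With a single ReadWritePaths=/var/lib/motion, as the drop-in above ends up using, rename(2) succeeds and the fallback is never taken; the copy path only matters when the two directories are exposed as separate bind mounts.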


$ systemd-analyze security motion
  NAME                                                        DESCRIPTION                                                             EXPOSURE
✗ PrivateNetwork=                                             Service has access to the host's network                                     0.5
✓ User=/DynamicUser=                                          Service runs under a static non-root user identity
✓ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)                Service cannot change UID/GID identities/capabilities
✓ CapabilityBoundingSet=~CAP_SYS_ADMIN                        Service has no administrator privileges
✓ CapabilityBoundingSet=~CAP_SYS_PTRACE                       Service has no ptrace() debugging abilities
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                        0.3
✓ RestrictNamespaces=~CLONE_NEWUSER                           Service cannot create user namespaces
✓ RestrictAddressFamilies=~…                                  Service cannot allocate exotic sockets
✓ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP)           Service cannot change file ownership/access mode/capabilities
✓ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER)         Service cannot override UNIX file/IPC permission checks
✓ CapabilityBoundingSet=~CAP_NET_ADMIN                        Service has no network configuration privileges
✓ CapabilityBoundingSet=~CAP_SYS_MODULE                       Service cannot load kernel modules
✓ CapabilityBoundingSet=~CAP_SYS_RAWIO                        Service has no raw I/O access
✓ CapabilityBoundingSet=~CAP_SYS_TIME                         Service processes cannot change the system clock
✗ DeviceAllow=                                                Service has a device ACL with some special devices                           0.1
✗ IPAddressDeny=                                              Service defines IP address allow list with non-localhost entries             0.1
✓ KeyringMode=                                                Service doesn't share key material with other services
✓ NoNewPrivileges=                                            Service processes cannot acquire new privileges
✓ NotifyAccess=                                               Service child processes cannot alter service state
✓ PrivateDevices=                                             Service has no access to hardware devices
✓ PrivateMounts=                                              Service cannot install system mounts
✓ PrivateTmp=                                                 Service has no access to other software's temporary files
✓ PrivateUsers=                                               Service does not have access to other users
✓ ProtectClock=                                               Service cannot write to the hardware clock or system clock
✓ ProtectControlGroups=                                       Service cannot modify the control group file system
✓ ProtectHome=                                                Service has no access to home directories
✓ ProtectKernelLogs=                                          Service cannot read from or write to the kernel log ring buffer
✓ ProtectKernelModules=                                       Service cannot load or read kernel modules
✓ ProtectKernelTunables=                                      Service cannot alter kernel tunables (/proc/sys, …)
✗ ProtectProc=                                                                                                                             0.1
✓ ProtectSystem=                                              Service has strict read-only access to the OS file hierarchy
✓ RestrictAddressFamilies=~AF_PACKET                          Service cannot allocate packet sockets
✓ RestrictSUIDSGID=                                           SUID/SGID file creation by service is restricted
✓ SystemCallArchitectures=                                    Service may execute system calls only with native ABI
✓ SystemCallFilter=~@clock                                    System call allow list defined for service, and @clock is not included
✓ SystemCallFilter=~@debug                                    System call allow list defined for service, and @debug is not included
✓ SystemCallFilter=~@module                                   System call allow list defined for service, and @module is not included
✓ SystemCallFilter=~@mount                                    System call allow list defined for service, and @mount is not included
✓ SystemCallFilter=~@raw-io                                   System call allow list defined for service, and @raw-io is not included
✓ SystemCallFilter=~@reboot                                   System call allow list defined for service, and @reboot is not included
✓ SystemCallFilter=~@swap                                     System call allow list defined for service, and @swap is not included
✓ SystemCallFilter=~@privileged                               System call allow list defined for service, and @privileged is not included
✓ SystemCallFilter=~@resources                                System call allow list defined for service, and @resources is not included
✓ AmbientCapabilities=                                        Service process does not receive ambient capabilities
✓ CapabilityBoundingSet=~CAP_AUDIT_*                          Service has no audit subsystem access
✓ CapabilityBoundingSet=~CAP_KILL                             Service cannot send UNIX signals to arbitrary processes
✓ CapabilityBoundingSet=~CAP_MKNOD                            Service cannot create device nodes
✓ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has no elevated networking privileges
✓ CapabilityBoundingSet=~CAP_SYSLOG                           Service has no access to kernel logging
✓ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE)              Service has no privileges to change resource use parameters
✓ RestrictNamespaces=~CLONE_NEWCGROUP                         Service cannot create cgroup namespaces
✓ RestrictNamespaces=~CLONE_NEWIPC                            Service cannot create IPC namespaces
✓ RestrictNamespaces=~CLONE_NEWNET                            Service cannot create network namespaces
✓ RestrictNamespaces=~CLONE_NEWNS                             Service cannot create file system namespaces
✓ RestrictNamespaces=~CLONE_NEWPID                            Service cannot create process namespaces
✓ RestrictRealtime=                                           Service realtime scheduling access is restricted
✓ SystemCallFilter=~@cpu-emulation                            System call allow list defined for service, and @cpu-emulation is not included
✓ SystemCallFilter=~@obsolete                                 System call allow list defined for service, and @obsolete is not included
✗ RestrictAddressFamilies=~AF_NETLINK                         Service may allocate netlink sockets                                         0.1
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                0.1
✓ SupplementaryGroups=                                        Service has no supplementary groups
✓ CapabilityBoundingSet=~CAP_MAC_*                            Service cannot adjust SMACK MAC
✓ CapabilityBoundingSet=~CAP_SYS_BOOT                         Service cannot issue reboot()
✓ Delegate=                                                   Service does not maintain its own delegated control group subtree
✓ LockPersonality=                                            Service cannot change ABI personality
✓ MemoryDenyWriteExecute=                                     Service cannot create writable executable memory mappings
✓ RemoveIPC=                                                  Service user cannot leave SysV IPC objects around
✓ RestrictNamespaces=~CLONE_NEWUTS                            Service cannot create hostname namespaces
✗ UMask=                                                      Files created by service are group-readable by default                       0.1
✓ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE                  Service cannot mark files immutable
✓ CapabilityBoundingSet=~CAP_IPC_LOCK                         Service cannot lock memory into RAM
✓ CapabilityBoundingSet=~CAP_SYS_CHROOT                       Service cannot issue chroot()
✓ ProtectHostname=                                            Service cannot change system host/domainname
✓ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND                    Service cannot establish wake locks
✓ CapabilityBoundingSet=~CAP_LEASE                            Service cannot create file leases
✓ CapabilityBoundingSet=~CAP_SYS_PACCT                        Service cannot use acct()
✓ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG                   Service cannot issue vhangup()
✓ CapabilityBoundingSet=~CAP_WAKE_ALARM                       Service cannot program timers that wake up the system
✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets                                           0.1
✓ ProcSubset=                                                 Service has no access to non-process /proc files (/proc subset=)

→ Overall exposure level for motion.service: 1.1 OK 🙂
