Hi, the aide (https://github.com/aide/aide) tool builds checksums of files on the system and sends an alert if things change on the system. In the Debian package, this is done from cron. I would like to move that to a systemd timer and in passing use some of systemd's security features. Here is my service:
[Unit] Description=dailyaide check StartLimitIntervalSec=7200 StartLimitBurst=1 [Service] Type=oneshot User=root Group=root Environment="CREDENTIALS_DIRECTORY=/nonexistent" ProtectSystem=strict ProtectClock=yes ProtectKernelModules=no ProtectKernelLogs=yes ProtectControlGroups=yes PrivateDevices=no ProtectKernelTunables=yes ProtectControlGroups=yes ProtectHome=read-only ReadWritePaths=/run/aide /var/lib/aide /var/log/aide /var/spool/exim4 /var/log/exim4 /var/tmp /tmp RestrictRealtime=yes RestrictSUIDSGID=yes PrivateTmp=no ExecStartPre-=/bin/umount /run/credentials ExecStart=/usr/local/sbin/dailyaidecheck --systemdservice You might see that I have tried some things to get rid of the mount of /run/credentials which allows an attacker to hide something in /run/credentials without aide being able to see it because it gets some temporary filesystem mounted over that path. Unfortunately, neither of those tricks have worked, and my /run/credentials/foo that I created before starting my service remains undetected. What do I do to disable the credentials mechanism in my service? Greetings Marc -- ----------------------------------------------------------------------------- Marc Haber | "I don't trust Computers. They | Mailadresse im Header Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402 Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
