From Fedora Project Wiki
No edit summary
No edit summary
Line 1: Line 1:
= Enable systemd service hardening features for default and high profile services =
= Enable systemd service hardening features for default system services =


{{Change_Proposal_Banner}}
{{Change_Proposal_Banner}}


== Summary ==
== Summary ==
Improve security by enabling some of the high level systemd security hardening settings that isolate and sandbox default and high profile services.
Improve security by enabling some of the high level systemd security hardening settings that isolate and sandbox default system services.


== Owner ==
== Owner ==
Line 58: Line 58:
* `RemoveIPC=yes`
* `RemoveIPC=yes`


We will enable as many of these as feasible for the services but not every knob is going to be applicable to every service. For example, `ProtectHome=yes` wouldn't work for any of the systemd user services, but `ProtectHome=read-only` by default is ok and `PrivateNetwork=yes` can only be used for services that work purely locally. We will aim to cover all the default services as well as some of the most commonly used services such as Nginx or PostgreSQL.  The goal is to have the services work as expected with the default functionality but to potentially require tweaking the settings if the configuration is changed by users.  For instance, if we add `ProtectHome=yes` to Apache httpd.service and the user wishes to serve files out of their home directory, they may need to override the systemd setting to 'ProtectHome=read-only' to allow for the service to read from the user home directory in addition to changing the service specific configuration files to enable this feature. All of these settings need to be configured on a per service basis instead of global override to avoid impacting users on upgrades and retain appropriate scope.
We will enable as many of these as feasible for the services but not every knob is going to be applicable to every service. For example, `ProtectHome=yes` wouldn't work for any of the systemd user services, but `ProtectHome=read-only` by default is ok and `PrivateNetwork=yes` can only be used for services that work purely locally. We will aim to cover all the default system services as well as some of the most commonly used services such as Nginx or PostgreSQL.  The goal is to have the services work as expected with the default functionality but to potentially require tweaking the settings if the configuration is changed by users.  For instance, if we add `ProtectHome=yes` to Apache httpd.service and the user wishes to serve files out of their home directory, they may need to override the systemd setting to 'ProtectHome=read-only' to allow for the service to read from the user home directory in addition to changing the service specific configuration files to enable this feature. All of these settings need to be configured on a per service basis instead of global override to avoid impacting users on upgrades. For a Fedora 39 workstation, we have the following system services which should considered within the scope of the change (excluding systemd associated ones which already have a number of knobs on).  We may also consider doing this for some of the high profile services including say Nginx and PostgreSQL permitting time considerations and other contributors joining this effort.
 
`abrtd.service
 
abrt-journal-core.service
 
abrt-oops.service
 
abrt-pstoreoops.service
 
abrt-vmcore.service
 
abrt-xorg.service
 
accounts-daemon.service
 
alsa-restore.service
 
alsa-state.service
 
anaconda-direct.service
 
anaconda-fips.service
 
anaconda-nm-config.service
 
anaconda-nm-disable-autocons.service
 
anaconda-noshell.service
 
anaconda-pre.service
 
anaconda.service
 
anaconda-sshd.service
 
arp-ethers.service
 
auditd.service
 
auth-rpcgss-module.service
 
avahi-daemon.service
 
blivet.service
 
blk-availability.service
 
bluetooth.service
 
bolt.service
 
brltty.service
 
canberra-system-bootup.service
 
canberra-system-shutdown-reboot.service
 
canberra-system-shutdown.service
 
chronyd-restricted.service
 
chronyd.service
 
chrony-wait.service
 
colord.service
 
console-getty.service
 
cups-browsed.service
 
cups.service
 
dbus-broker.service
 
dbus-daemon.service
 
dbus-org.freedesktop.hostname1.service
 
dbus-org.freedesktop.import1.service
 
dbus-org.freedesktop.locale1.service
 
dbus-org.freedesktop.login1.service
 
dbus-org.freedesktop.machine1.service
 
dbus-org.freedesktop.portable1.service
 
dbus-org.freedesktop.timedate1.service
 
debug-shell.service
 
dm-event.service
 
dnf-makecache.service
 
dnf-system-upgrade-cleanup.service
 
dnf-system-upgrade.service
 
dnsmasq.service
 
dracut-cmdline.service
 
dracut-initqueue.service
 
dracut-mount.service
 
dracut-pre-mount.service
 
dracut-pre-pivot.service
 
dracut-pre-trigger.service
 
dracut-pre-udev.service
 
dracut-shutdown-onfailure.service
 
dracut-shutdown.service
 
emergency.service
 
fedora-third-party-refresh.service
 
firewalld.service
 
flatpak-add-fedora-repos.service
 
flatpak-system-helper.service
 
fprintd.service
 
fsidd.service
 
fstrim.service
 
fwupd-offline-update.service
 
fwupd-refresh.service
 
fwupd.service
 
gdm.service
 
geoclue.service
 
grub-boot-indeterminate.service
 
gssproxy.service
 
htcacheclean.service
 
httpd.service
 
httpd.service.d
 
hypervfcopyd.service
 
hypervkvpd.service
 
hypervvssd.service
 
iio-sensor-proxy.service
 
import-state.service
 
initrd-cleanup.service
 
initrd-parse-etc.service
 
initrd-switch-root.service
 
initrd-udevadm-cleanup-db.service
 
instperf.service
 
ipp-usb.service
 
iscsid.service
 
iscsi-init.service
 
iscsi-onboot.service
 
iscsi.service
 
iscsi-shutdown.service
 
iscsi-starter.service
 
iscsiuio.service
 
kdump.service
 
kmod-static-nodes.service
 
ldconfig.service
 
libvirtd.service
 
libvirt-guests.service
 
livesys-late.service
 
livesys.service
 
loadmodules.service
 
logrotate.service
 
low-memory-monitor.service
 
lvm2-lvmdbusd.service
 
lvm2-lvmpolld.service
 
lvm2-monitor.service
 
man-db-cache-update.service
 
man-db-restart-cache-update.service
 
mcelog.service
 
mdcheck_continue.service
 
mdcheck_start.service
 
mdmonitor-oneshot.service
 
mdmonitor.service
 
ModemManager.service
 
ndctl-monitor.service
 
netavark-dhcp-proxy.service
 
NetworkManager-dispatcher.service
 
NetworkManager.service
 
NetworkManager-wait-online.service
 
nfs-blkmap.service
 
nfsdcld.service
 
nfs-idmapd.service
 
nfs-mountd.service
 
nfs-server.service
 
nfs-utils.service
 
nftables.service
 
nis-domainname.service
 
nm-priv-helper.service
 
numad.service
 
nvmefc-boot-connections.service
 
nvmf-autoconnect.service
 
ostree-boot-complete.service
 
ostree-finalize-staged-hold.service
 
ostree-finalize-staged.service
 
ostree-prepare-root.service
 
ostree-remount.service
 
packagekit-offline-update.service
 
packagekit.service
 
pam_namespace.service
 
pcscd.service
 
plocate-updatedb.service
 
plymouth-halt.service
 
plymouth-kexec.service
 
plymouth-poweroff.service
 
plymouth-quit.service
 
plymouth-quit-wait.service
 
plymouth-read-write.service
 
plymouth-reboot.service
 
plymouth-start.service
 
plymouth-switch-root-initramfs.service
 
plymouth-switch-root.service
 
podman-auto-update.service
 
podman-clean-transient.service
 
podman-restart.service
 
podman.service
 
polkit.service
 
power-profiles-daemon.service
 
psacct.service
 
qemu-guest-agent.service
 
qemu-pr-helper.service
 
quotaon.service
 
raid-check.service
 
rc-local.service
 
realmd.service
 
rescue.service
 
rpcbind.service
 
rpc-gssd.service
 
rpc-statd-notify.service
 
rpc-statd.service
 
rpmdb-migrate.service
 
rpmdb-rebuild.service
 
rtkit-daemon.service
 
saslauthd.service
 
selinux-autorelabel-mark.service
 
selinux-autorelabel.service
 
selinux-check-proper-disable.service
 
speech-dispatcherd.service
 
spice-vdagentd.service
 
spice-webdavd.service
 
sshd.service
 
ssh-host-keys-migration.service
 
sssd-autofs.service
 
sssd-kcm.service
 
sssd-nss.service
 
sssd-pac.service
 
sssd-pam.service
 
sssd.service
 
sssd-ssh.service
 
sssd-sudo.service
 
switcheroo-control.service
 
system-update-cleanup.service
 
tcsd.service
 
thermald.service
 
udisks2.service
 
unbound-anchor.service
 
upower.service
 
uresourced.service
 
usbmuxd.service
 
vboxclient.service
 
vboxservice.service
 
vgauthd.service
 
virtinterfaced.service
 
virtlockd.service
 
virtlogd.service
 
virtnetworkd.service
 
virtnodedevd.service
 
virtnwfilterd.service
 
virtproxyd.service
 
virtqemud.service
 
virtsecretd.service
 
virtstoraged.service
 
vmtoolsd.service
 
wpa_supplicant.service
 
zfs-fuse-scrub.service
 
zfs-fuse.service
 
zvbid.service`


== Feedback ==
== Feedback ==
Line 65: Line 503:
== Benefit to Fedora ==
== Benefit to Fedora ==


Fedora services will get a significant security boost by default by avoiding or mitigating any unknown security vulnerabilities in these services.
Fedora services will get a significant security boost by default by avoiding or mitigating any unknown security vulnerabilities in default system services.


== Scope ==
== Scope ==
Line 118: Line 556:
== Release Notes ==
== Release Notes ==


systemd security hardening features are enabled for default services and following high profile services.   
systemd security hardening features are enabled for default system services and following high profile services.   


* Postgres
* Postgres

Revision as of 03:14, 16 November 2023

Enable systemd service hardening features for default system services

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

Improve security by enabling some of the high level systemd security hardening settings that isolate and sandbox default system services.

Owner

  • Targeted release: Fedora 40
  • Last updated: 2023-11-16
  • [<will be assigned by the Wrangler> devel thread]
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

systemd provides a number of knobs that can harden security for services. We are selecting a few high level ones to enable by default.

  • PrivateTmp=yes
  • ProtectSystem=yes/full/strict
  • ProtectHome=yes/read-only
  • PrivateDevices=yes
  • ProtectKernelTunables=yes
  • ProtectKernelModules=yes
  • ProtectKernelLogs=yes
  • ProtectControlGroups=yes
  • NoNewPrivileges=yes
  • PrivateNetwork=yes

If we want to go further, we could consider:

  • LockPersonality=yes
  • ProtectHostname=yes
  • ProtectClock=yes
  • SystemCallArchitectures=native
  • RestrictSUIDSGID=yes
  • RemoveIPC=yes

We will enable as many of these as feasible for the services but not every knob is going to be applicable to every service. For example, ProtectHome=yes wouldn't work for any of the systemd user services, but ProtectHome=read-only by default is ok and PrivateNetwork=yes can only be used for services that work purely locally. We will aim to cover all the default system services as well as some of the most commonly used services such as Nginx or PostgreSQL. The goal is to have the services work as expected with the default functionality but to potentially require tweaking the settings if the configuration is changed by users. For instance, if we add ProtectHome=yes to Apache httpd.service and the user wishes to serve files out of their home directory, they may need to override the systemd setting to 'ProtectHome=read-only' to allow for the service to read from the user home directory in addition to changing the service specific configuration files to enable this feature. All of these settings need to be configured on a per service basis instead of global override to avoid impacting users on upgrades. For a Fedora 39 workstation, we have the following system services which should considered within the scope of the change (excluding systemd associated ones which already have a number of knobs on). We may also consider doing this for some of the high profile services including say Nginx and PostgreSQL permitting time considerations and other contributors joining this effort.

abrtd.service

abrt-journal-core.service

abrt-oops.service

abrt-pstoreoops.service

abrt-vmcore.service

abrt-xorg.service

accounts-daemon.service

alsa-restore.service

alsa-state.service

anaconda-direct.service

anaconda-fips.service

anaconda-nm-config.service

anaconda-nm-disable-autocons.service

anaconda-noshell.service

anaconda-pre.service

anaconda.service

anaconda-sshd.service

arp-ethers.service

auditd.service

auth-rpcgss-module.service

avahi-daemon.service

blivet.service

blk-availability.service

bluetooth.service

bolt.service

brltty.service

canberra-system-bootup.service

canberra-system-shutdown-reboot.service

canberra-system-shutdown.service

chronyd-restricted.service

chronyd.service

chrony-wait.service

colord.service

console-getty.service

cups-browsed.service

cups.service

dbus-broker.service

dbus-daemon.service

dbus-org.freedesktop.hostname1.service

dbus-org.freedesktop.import1.service

dbus-org.freedesktop.locale1.service

dbus-org.freedesktop.login1.service

dbus-org.freedesktop.machine1.service

dbus-org.freedesktop.portable1.service

dbus-org.freedesktop.timedate1.service

debug-shell.service

dm-event.service

dnf-makecache.service

dnf-system-upgrade-cleanup.service

dnf-system-upgrade.service

dnsmasq.service

dracut-cmdline.service

dracut-initqueue.service

dracut-mount.service

dracut-pre-mount.service

dracut-pre-pivot.service

dracut-pre-trigger.service

dracut-pre-udev.service

dracut-shutdown-onfailure.service

dracut-shutdown.service

emergency.service

fedora-third-party-refresh.service

firewalld.service

flatpak-add-fedora-repos.service

flatpak-system-helper.service

fprintd.service

fsidd.service

fstrim.service

fwupd-offline-update.service

fwupd-refresh.service

fwupd.service

gdm.service

geoclue.service

grub-boot-indeterminate.service

gssproxy.service

htcacheclean.service

httpd.service

httpd.service.d

hypervfcopyd.service

hypervkvpd.service

hypervvssd.service

iio-sensor-proxy.service

import-state.service

initrd-cleanup.service

initrd-parse-etc.service

initrd-switch-root.service

initrd-udevadm-cleanup-db.service

instperf.service

ipp-usb.service

iscsid.service

iscsi-init.service

iscsi-onboot.service

iscsi.service

iscsi-shutdown.service

iscsi-starter.service

iscsiuio.service

kdump.service

kmod-static-nodes.service

ldconfig.service

libvirtd.service

libvirt-guests.service

livesys-late.service

livesys.service

loadmodules.service

logrotate.service

low-memory-monitor.service

lvm2-lvmdbusd.service

lvm2-lvmpolld.service

lvm2-monitor.service

man-db-cache-update.service

man-db-restart-cache-update.service

mcelog.service

mdcheck_continue.service

mdcheck_start.service

mdmonitor-oneshot.service

mdmonitor.service

ModemManager.service

ndctl-monitor.service

netavark-dhcp-proxy.service

NetworkManager-dispatcher.service

NetworkManager.service

NetworkManager-wait-online.service

nfs-blkmap.service

nfsdcld.service

nfs-idmapd.service

nfs-mountd.service

nfs-server.service

nfs-utils.service

nftables.service

nis-domainname.service

nm-priv-helper.service

numad.service

nvmefc-boot-connections.service

nvmf-autoconnect.service

ostree-boot-complete.service

ostree-finalize-staged-hold.service

ostree-finalize-staged.service

ostree-prepare-root.service

ostree-remount.service

packagekit-offline-update.service

packagekit.service

pam_namespace.service

pcscd.service

plocate-updatedb.service

plymouth-halt.service

plymouth-kexec.service

plymouth-poweroff.service

plymouth-quit.service

plymouth-quit-wait.service

plymouth-read-write.service

plymouth-reboot.service

plymouth-start.service

plymouth-switch-root-initramfs.service

plymouth-switch-root.service

podman-auto-update.service

podman-clean-transient.service

podman-restart.service

podman.service

polkit.service

power-profiles-daemon.service

psacct.service

qemu-guest-agent.service

qemu-pr-helper.service

quotaon.service

raid-check.service

rc-local.service

realmd.service

rescue.service

rpcbind.service

rpc-gssd.service

rpc-statd-notify.service

rpc-statd.service

rpmdb-migrate.service

rpmdb-rebuild.service

rtkit-daemon.service

saslauthd.service

selinux-autorelabel-mark.service

selinux-autorelabel.service

selinux-check-proper-disable.service

speech-dispatcherd.service

spice-vdagentd.service

spice-webdavd.service

sshd.service

ssh-host-keys-migration.service

sssd-autofs.service

sssd-kcm.service

sssd-nss.service

sssd-pac.service

sssd-pam.service

sssd.service

sssd-ssh.service

sssd-sudo.service

switcheroo-control.service

system-update-cleanup.service

tcsd.service

thermald.service

udisks2.service

unbound-anchor.service

upower.service

uresourced.service

usbmuxd.service

vboxclient.service

vboxservice.service

vgauthd.service

virtinterfaced.service

virtlockd.service

virtlogd.service

virtnetworkd.service

virtnodedevd.service

virtnwfilterd.service

virtproxyd.service

virtqemud.service

virtsecretd.service

virtstoraged.service

vmtoolsd.service

wpa_supplicant.service

zfs-fuse-scrub.service

zfs-fuse.service

zvbid.service

Feedback

Benefit to Fedora

Fedora services will get a significant security boost by default by avoiding or mitigating any unknown security vulnerabilities in default system services.

Scope

  • Proposal owners: Individual per service pull requests to enable various security features as applicable.
  • Other developers: Review PRs as needed
  • Release engineering: https://pagure.io/releng/issue/11785
  • Policies and guidelines:

Packaging guidelines will have to be modified to add recommendations to use more of the systemd security features by default. In particular, we should add a security settings section in https://fedoraproject.org/wiki/Packaging:Systemd. Sample text:

Systemd services included in Fedora are recommended to use as many of the following security settings as applicable while maintaining the default functionality of the service.

  • PrivateTmp=yes
  • ProtectSystem=yes/full/strict
  • ProtectHome=yes
  • PrivateDevices=yes
  • ProtectKernelTunables=yes
  • ProtectKernelModules=yes
  • ProtectKernelLogs=yes
  • ProtectControlGroups=yes
  • NoNewPrivileges=yes
  • PrivateNetwork=yes

The full list of sandboxing features are available in https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#Sandboxing. Note that if you are submitting changes to upstream as recommended, systemd will warn and ignore any of these features it doesn't support. So it should be safe for upstream to enable as many of these features as applicable and not worry about distribution support for ones using older versions of systemd.

  • Trademark approval: N/A

Upgrade/compatibility impact

Packages will automatically get additional security features enabled by default transparently.

How To Test

You can use tools like systemd-analyze security and systemctl cat to verify that specific security features are enabled by default. Default services with the default features should have no adverse impact and users shouldn't have to do anything beyond using the software as intended and report any regressions. High profile services not installed by default that gain these security features would benefit from more targeting testing to spot any unintended consequences especially for niche or advanced functionality.

User Experience

This should be a fully transparent change for users.

Dependencies

None. We are merely enabling some long supported systemd features by default for default and high profile services.

Contingency Plan

  • Contingency mechanism: These settings can be enabled/disabled at a per service level. No wholesale reverts is necessary. If we don't finish the work for all the services, we can follow up in future releases.
  • Contingency deadline: N/A
  • Blocks release? No


Documentation

Release Notes

systemd security hardening features are enabled for default system services and following high profile services.

  • Postgres
  • Apache Httpd
  • Nginx
  • MariaDB

....

If you wish to turn off any particular settings, you can follow the standard systemd method of overriding the config. For example,


$ cat /etc/systemd/system/httpd.service.d/override.conf

[Service]

ProtectHome=no

$ sudo systemctl daemon-reload

$ sudo systemctl restart httpd.service


$ systemctl status httpd.service

● httpd.service - The Apache HTTP Server

    Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Drop-In: /etc/systemd/system/httpd.service.d
            └─override.conf
    Active: active (running) since Mon 2023-11-15 18:29:25 EST; 3min 30s ago