From 152c6c05e252cabda860227fb88aaacc4dae6e2b Mon Sep 17 00:00:00 2001
From: mivirl <>
Date: Sun, 26 May 2024 00:05:45 -0500
Subject: [PATCH] sandbox: Improve systemd template overrides
Improved templates to make breakage less likely and rely less on newer systemd features to provide security. Tested with v239 as the earliest version, but should still work with earlier versions as well. Exposure levels from `systemd-analyze security` on v252 (scale is from 0-10 with lower being more secure)
- nginx: 2.3 OK
- apache2: 2.2 OK
---
 linux.sh | 2 +-
 profiles/apache2-override.conf | 198 +++++++++++++++++++--------------
 profiles/generic-override.conf | 197 +++++++++++++++++++-------------
 profiles/httpd-override.conf | 93 ----------------
 profiles/nginx-override.conf | 188 ++++++++++++++++++-------------
 5 files changed, 343 insertions(+), 335 deletions(-)
 delete mode 100644 profiles/httpd-override.conf
diff --git a/linux.sh b/linux.sh
index 3beb312..b5fd00e 100755
--- a/linux.sh
+++ b/linux.sh
@@ -910,7 +910,7 @@ if [ "$configureapache" = "y" ]; then
 exampleconf="profiles/apache2-override.conf"
 apachesystemdconf="/etc/systemd/system/apache2.service.d/override.conf"
 elif [ "$DISTRO" = "fedora" ]; then
- exampleconf="profiles/httpd-override.conf"
+ exampleconf="profiles/apache2-override.conf"
 apachesystemdconf="/etc/systemd/system/httpd.service.d/override.conf"
 fi
diff --git a/profiles/apache2-override.conf b/profiles/apache2-override.conf
index 6e361f6..dfefb13 100644
--- a/profiles/apache2-override.conf
+++ b/profiles/apache2-override.conf
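Review bot: The Fedora branch now installs `profiles/apache2-override.conf` into `httpd.service.d`, but that profile is written with Debian names: `CacheDirectory=apache2`, `RuntimeDirectory=apache2`, `LogsDirectory=apache2`, `StateDirectory=apache2` and `ConfigurationDirectory=apache2`, while its `TemporaryFileSystem=/var/cache /var/log /var/lib` hides everything else under those trees and `ProtectSystem=strict` leaves the rest of `/run` read-only. On Fedora, httpd expects `/etc/httpd`, `/var/log/httpd` and `/run/httpd`, so unless linux.sh rewrites the directory names before copying the file (nothing in this hunk does), the service presumably loses its log and run directories and fails to start; the deleted profiles/httpd-override.conf was the only place the httpd names appeared. Either keep a Fedora-specific profile or have this branch substitute the five `*Directory=` values before installing the file, and mention the expected layout in a comment at the top of the profile. The surrounding `if`/`elif` block continues outside the hunk.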
@@ -1,108 +1,136 @@
 [Service]
-# See "man 5 systemd.exec" for documentation about all of these options
+# ------------------------------------------------------------------------------
-# To see what files a service needs access to, try running:
-# strace -f -o apache2.strace -e trace=file /usr/sbin/apache2
-# cut -d'"' -f2 apache2.strace | sort | uniq -c
-# systemctl restart apache2 || { journalctl -xeu apache2; systemctl status apache2; }
-
-# Or uncomment these lines to see the debug logs in journalctl
+## Uncomment to see what files/capabilities a service needs access to
 #SystemCallFilter=@debug
-#BindReadOnlyPaths=/usr/bin/strace
 #ExecStart=
-#ExecStart=/usr/bin/strace -f /usr/sbin/apache2
+#ExecStart=/usr/bin/strace --failed-only --follow-forks /usr/sbin/apache2
+## Needed because strace prevents signaling a successful start
+#TimeoutStartSec=infinity
+
+# ------------------------------------------------------------------------------
 # Restart service after 10 seconds if it fails for any reason
-#Restart=on-failure
-#RestartSec=10s
+Restart=on-failure
+RestartSec=10s
-# Mount / as read-only
-PrivateDevices=true
-ProtectControlGroups=true
-ProtectKernelTunables=true
+# ------------------------------------------------------------------------------
+
+# Make entire filesystem readonly unless overridden
 ProtectSystem=strict
-# Limit executables that can be run (may need to add php,perl,etc)
-TemporaryFileSystem=/bin
-TemporaryFileSystem=/sbin
-TemporaryFileSystem=/usr/bin
-TemporaryFileSystem=/usr/sbin
-BindReadOnlyPaths=-/usr/sbin/apache2
-BindReadOnlyPaths=-/usr/sbin/apache2ctl
-BindReadOnlyPaths=-/usr/sbin/apachectl
-# These are required for the apache2ctl script:
-BindReadOnlyPaths=-/usr/bin/chmod
-BindReadOnlyPaths=-/usr/bin/chown
-BindReadOnlyPaths=-/usr/bin/id
-BindReadOnlyPaths=-/usr/bin/mkdir
-BindReadOnlyPaths=-/usr/bin/rmdir
-BindReadOnlyPaths=-/usr/bin/mktemp
-BindReadOnlyPaths=-/usr/bin/mv
-BindReadOnlyPaths=-/usr/bin/rm
-BindReadOnlyPaths=-/usr/bin/sh
-CapabilityBoundingSet=CAP_CHOWN
-
-# Limited access to /etc
-TemporaryFileSystem=/etc
-BindReadOnlyPaths=-/etc/ca-certificates
-BindReadOnlyPaths=-/etc/crypto-policies
-BindReadOnlyPaths=-/etc/group
-#BindReadOnlyPaths=-/etc/hostname
-BindReadOnlyPaths=-/etc/apache2
-BindReadOnlyPaths=-/etc/modsecurity
-BindReadOnlyPaths=-/etc/mime.types
-BindReadOnlyPaths=-/etc/nsswitch.conf
-BindReadOnlyPaths=-/etc/passwd
-BindReadOnlyPaths=-/etc/pki
-BindReadOnlyPaths=-/etc/ssl
-TemporaryFileSystem=/etc/httpd/run/
-
-# Allow access to web directories
-BindReadOnlyPaths=/var/www
-
-# Allow logging
-TemporaryFileSystem=/var
-BindPaths=/var/log/apache2
-
-# Give access to a lock directory
-TemporaryFileSystem=/var/lock/apache2
-
-# Prevent access to some paths
-InaccessiblePaths=/boot
-InaccessiblePaths=/media
-InaccessiblePaths=/mnt
-InaccessiblePaths=/usr/local
-
-# Prevent execution from temporary directories
-PrivateTmp=true
-NoExecPaths=/tmp /var/tmp
+# Make paths read/write
+# BindPaths format:
+# BindPaths=/path/to/source
+# BindPaths=-/path/to/maybe/existing/source
+# BindPaths=/path/to/source:/path/to/destination
-# Allow binding ports 80 and 443
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE # Commonly causes issues because this limits the types of actions the service can take. Check "man 7 capabilities" for a list
-SocketBindAllow=tcp:443
-SocketBindAllow=tcp:80
-SocketBindDeny=any
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
-AmbientCapabilities= # Don't let child processes bind sockets
+#BindPaths=-/service/writes/here
+# Prevent access to sensitive paths
+InaccessiblePaths=-/mnt -/media -/rw -/etc/crontab -/etc/cron.d -/etc/shadow \
+ -/etc/sudoers -/etc/sudoers -/etc/ssh -/etc/security -/etc/pam.d
-# Other protections
+# Hide all files in these directories unless added (i.e. with BindPaths= or BindReadOnlyPaths=)
+TemporaryFileSystem=/var/cache /var/log /var/lib
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=true
+BindReadOnlyPaths=-/dev/log -/run/systemd/journal/socket -/run/systemd/journal/stdout
+BindReadOnlyPaths=-/run/dbus/system_bus_socket
-ProtectClock=true
+# Prevent executing files from unusual directories
+NoExecPaths=/
+ExecPaths=-/bin -/sbin -/usr/bin -/usr/sbin -/lib -/lib64 -/usr/lib -/usr/lib64 -/usr/libexec
+
+# Likely to break things, maps all other users and groups to nobody
+#PrivateUsers=true
+
+PrivateTmp=true
+PrivateDevices=true
 ProtectHome=true
-ProtectKernelLogs=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
 ProtectKernelModules=true
+ProtectControlGroups=true
+
+# (Needs v242 or later)
+ProcSubset=pid
+ProtectHostname=true
+
+# (Needs v245 or later)
+ProtectClock=true
+
+# (Needs v247 or later)
 ProtectProc=invisible
+# (Needs v250 or later)
+ProtectKernelLogs=true
+
+# adds /var/cache/apache2
+CacheDirectory=apache2
+# adds /run/apache2
+RuntimeDirectory=apache2
+# adds /var/log/apache2
+LogsDirectory=apache2
+# adds /var/lib/apache2
+StateDirectory=apache2
+# adds /etc/apache2
+ConfigurationDirectory=apache2
+RuntimeDirectoryMode=0700
+LogsDirectoryMode=0750
+StateDirectoryMode=0700
+ConfigurationDirectoryMode=0700
+
+RemoveIPC=true
+
+# Likely to break things
+#NoNewPrivileges=true
+
+#CapabilityBoundingSet=CAP_BLOCK_SUSPEND # Service may establish wake locks
+CapabilityBoundingSet=CAP_CHOWN # Service may change file ownership
+#CapabilityBoundingSet=CAP_CHOWN CAP_FSETID CAP_SETFCAP # Service may change file access mode/capabilities unrestricted
+#CapabilityBoundingSet=CAP_FOWNER CAP_IPC_OWNER # Service may override UNIX file/IPC permission checks
+#CapabilityBoundingSet=CAP_IPC_LOCK # Service may lock memory into RAM
+#CapabilityBoundingSet=CAP_KILL # Service may send UNIX signals to arbitrary processes
+#CapabilityBoundingSet=CAP_LEASE # Service may create file leases
+#CapabilityBoundingSet=CAP_LINUX_IMMUTABLE # Service may mark files immutable
+#CapabilityBoundingSet=CAP_MKNOD # Service may create device nodes
+#CapabilityBoundingSet=CAP_NET_ADMIN # Service has network configuration privileges
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE # Service can bind ports
+#CapabilityBoundingSet=CAP_NET_BROADCAST CAP_NET_RAW # Service has elevated networking privileges
+#CapabilityBoundingSet=CAP_RAWIO # Service has raw I/O access
+#CapabilityBoundingSet=CAP_SETUID CAP_SETGID # Service may change UID/GID identities
+#CapabilityBoundingSet=CAP_SETPCAP # Service may change UID/GID capabilities
+#CapabilityBoundingSet=CAP_SYS_ADMIN # Service has administrator privileges
+#CapabilityBoundingSet=CAP_SYS_BOOT # Service may issue reboot()
+#CapabilityBoundingSet=CAP_SYS_CHROOT # Service may issue chroot()
+#CapabilityBoundingSet=CAP_SYSLOG # Service has access to kernel logging
+#CapabilityBoundingSet=CAP_SYS_MODULE # Service may load kernel modules
+#CapabilityBoundingSet=CAP_SYS_NICE CAP_SYS_RESOURCE # Service has privileges to change resource use parameters
+#CapabilityBoundingSet=CAP_SYS_PACCT # Service may use acct()
+#CapabilityBoundingSet=CAP_SYS_PTRACE # Service has ptrace() debugging abilities
+#CapabilityBoundingSet=CAP_SYS_TIME # Service processes may change the system clock
+#CapabilityBoundingSet=CAP_SYS_TTY_CONFIG # Service may issue vhangup()
+#CapabilityBoundingSet=CAP_WAKE_ALARM # Service may program timers that wake up the system
+
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+
+# (Needs v249 or later) Restrict ports the service can listen on
+SocketBindAllow=tcp:80
+SocketBindAllow=tcp:443
+SocketBindDeny=any
+
+LockPersonality=true
+RestrictRealtime=true
 RestrictNamespaces=true
 RestrictSUIDSGID=true
-SystemCallArchitectures=native
-SystemCallFilter=@system-service
-SystemCallFilter=~@resources
+# Risk of breaking JIT compilers (such as java) or dynamic code
+MemoryDenyWriteExecute=true
-LockPersonality=yes
+SystemCallFilter=@system-service
+SystemCallFilter=~@mount @reboot @raw-io @clock @module @reboot @obsolete \
+ @cpu-emulation @memlock @resources
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
diff --git a/profiles/generic-override.conf b/profiles/generic-override.conf
index 7d8756a..934b040 100644
--- a/profiles/generic-override.conf
+++ b/profiles/generic-override.conf
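Review bot: The active lines `CapabilityBoundingSet=CAP_CHOWN # Service may change file ownership` and `CapabilityBoundingSet=CAP_NET_BIND_SERVICE # Service can bind ports` carry a trailing comment, but unit files only recognise `#` at the start of a line, so the whole remainder (`#`, `Service`, `may`, …) is handed to the capability parser; recent versions warn about and skip each unknown token, older ones may handle the line differently, and either way every start logs noise that can mask a real parse error. Put the explanation on its own `# …` line above each setting; the same two lines appear in the generic-override.conf hunk and, together with `CapabilityBoundingSet=CAP_SETUID CAP_SETGID # …`, in the nginx-override.conf hunk. Three smaller copy-paste leftovers are shared by all three profiles: `-/etc/sudoers` is listed twice in `InaccessiblePaths=` (the second entry looks like it was meant to be `-/etc/sudoers.d`), `@reboot` appears twice in the `SystemCallFilter=~…` line, and `ProtectHostname=true` / `ProtectClock=true` are set in the unconditional block and again under the "(Needs v242 or later)" / "(Needs v245 or later)" comments, so those version comments no longer gate anything. `systemd-analyze verify` on the merged unit surfaces the first point.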
@@ -2,92 +2,135 @@
 # ------------------------------------------------------------------------------
-# See "man 5 systemd.exec" for documentation about all of these options
-# Also see
-# - https://www.ctrl.blog/entry/systemd-opensmtpd-hardening.html
-# - https://www.sherbers.de/use-temporaryfilesystem-to-hide-files-or-directories-from-systemd-services/
-
-# To see what files a service needs access to, try running:
-# strace -f -o generic_service.strace -e trace=file generic_service
-# cut -d'"' -f2 generic_service.strace | sort -u
-
-# Or see the access in journalctl by prepending "/usr/bin/strace -e trace=%%file" to the ExecStart line
+## Uncomment to see what files/capabilities a service needs access to
+#SystemCallFilter=@debug
 #ExecStart=
-#ExecStart=/usr/bin/strace /usr/sbin/generic_service
-
-# Uncomment lines as needed, then restart the service and make sure everything still works
+#ExecStart=/usr/bin/strace --failed-only --follow-forks /usr/sbin/generic_service
+## Needed because strace prevents signaling a successful start
+#TimeoutStartSec=infinity
 # ------------------------------------------------------------------------------
 # Restart service after 10 seconds if it fails for any reason
-#Restart=on-failure
-#RestartSec=10s
-
-# Mount / as read-only
-#PrivateDevices=true
-#ProtectControlGroups=true
-#ProtectKernelTunables=true
-#ProtectSystem=strict
-
-# Only show files that have been explicitly bound with BindPaths or BindReadOnlyPaths
-#TemporaryFileSystem=/
-
-# Limit executables that can be run (may need to add php,perl,etc)
-#TemporaryFileSystem=/bin
-#TemporaryFileSystem=/sbin
-#TemporaryFileSystem=/usr/bin
-#TemporaryFileSystem=/usr/sbin
-#BindReadOnlyPaths=/usr/sbin/generic_service
-
-# Usually necessary for services to start
-#BindReadOnlyPaths=/lib/ /lib64/ /usr/lib/ /usr/lib64/ /etc/ld.so.cache /etc/ld.so.conf /etc/ld.so.conf.d/ /usr/share/zoneinfo/ /usr/share/locale/ /etc/localtime /usr/share/common-licenses/ /etc/ssl/certs/ /etc/alternatives/
-#BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout /run/systemd/notify
-
-# Limited access to /etc
-#TemporaryFileSystem=/etc
-#BindReadOnlyPaths=-/etc/generic_service_dir
-
-# Allow logging
-#TemporaryFileSystem=/var
-#BindPaths=/var/log/generic_service_dir
-
-# Prevent access to some paths
-#InaccessiblePaths=/boot
-#InaccessiblePaths=/media
-#InaccessiblePaths=/mnt
-
-# Prevent execution from temporary directories
-#PrivateTmp=true
-#NoExecPaths=/tmp /var/tmp
-
-# Allow binding some ports
-#CapabilityBoundingSet=CAP_NET_BIND_SERVICE # Commonly causes issues because this limits the types of actions the service can take. Check "man 7 capabilities" for a list
-#SocketBindAllow=tcp:1337
-#SocketBindDeny=any
-#RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
-
+Restart=on-failure
+RestartSec=10s
-# Other protections
-
-# May need to change system calls
-#SystemCallArchitectures=native
-#SystemCallFilter=@system-service
-#SystemCallFilter=~@resources
+# ------------------------------------------------------------------------------
-#MemoryDenyWriteExecute=yes
+# Make entire filesystem readonly unless overridden
+ProtectSystem=strict
+
+# Make paths read/write
+# BindPaths format:
+# BindPaths=/path/to/source
+# BindPaths=-/path/to/maybe/existing/source
+# BindPaths=/path/to/source:/path/to/destination
+
+#BindPaths=-/service/writes/here
+
+# Prevent access to sensitive paths
+InaccessiblePaths=-/mnt -/media -/rw -/etc/crontab -/etc/cron.d -/etc/shadow \
+ -/etc/sudoers -/etc/sudoers -/etc/ssh -/etc/security -/etc/pam.d \
+ -/etc/passwd -/etc/group
+
+# Hide all files in these directories unless added (i.e. with BindPaths= or BindReadOnlyPaths=)
+TemporaryFileSystem=/var/cache /var/log /var/lib
+
+BindReadOnlyPaths=-/dev/log -/run/systemd/journal/socket -/run/systemd/journal/stdout
+BindReadOnlyPaths=-/run/dbus/system_bus_socket
+
+# Prevent executing files from unusual directories
+NoExecPaths=/
+ExecPaths=-/bin -/sbin -/usr/bin -/usr/sbin -/lib -/lib64 -/usr/lib -/usr/lib64 -/usr/libexec
+
+# Likely to break things, maps all other users and groups to nobody
+#PrivateUsers=true
+
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+
+# (Needs v242 or later)
+ProcSubset=pid
+ProtectHostname=true
+
+# (Needs v245 or later)
+ProtectClock=true
+
+# (Needs v247 or later)
+ProtectProc=invisible
+
+# (Needs v250 or later)
+ProtectKernelLogs=true
+
+# adds /var/cache/generic_service
+CacheDirectory=generic_service
+# adds /run/generic_service
+RuntimeDirectory=generic_service
+# adds /var/log/generic_service
+LogsDirectory=generic_service
+# adds /var/lib/generic_service
+StateDirectory=generic_service
+# adds /etc/generic_service
+ConfigurationDirectory=generic_service
+RuntimeDirectoryMode=0700
+LogsDirectoryMode=0750
+StateDirectoryMode=0700
+ConfigurationDirectoryMode=0700
+
+RemoveIPC=true
+
+# Likely to break things
 #NoNewPrivileges=true
-#ProtectClock=true
-#ProtectHome=true
-#ProtectKernelLogs=true
-#ProtectKernelModules=true
-#ProtectProc=invisible
-
-#RestrictNamespaces=true
-#RestrictSUIDSGID=true
+#CapabilityBoundingSet=CAP_BLOCK_SUSPEND # Service may establish wake locks
+#CapabilityBoundingSet=CAP_CHOWN CAP_FSETID CAP_SETFCAP # Service may change file ownership/access mode/capabilities unrestricted
+#CapabilityBoundingSet=CAP_FOWNER CAP_IPC_OWNER # Service may override UNIX file/IPC permission checks
+#CapabilityBoundingSet=CAP_IPC_LOCK # Service may lock memory into RAM
+#CapabilityBoundingSet=CAP_KILL # Service may send UNIX signals to arbitrary processes
+#CapabilityBoundingSet=CAP_LEASE # Service may create file leases
+#CapabilityBoundingSet=CAP_LINUX_IMMUTABLE # Service may mark files immutable
+#CapabilityBoundingSet=CAP_MKNOD # Service may create device nodes
+#CapabilityBoundingSet=CAP_NET_ADMIN # Service has network configuration privileges
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE # Service can bind ports
+#CapabilityBoundingSet=CAP_NET_BROADCAST CAP_NET_RAW # Service has elevated networking privileges
+#CapabilityBoundingSet=CAP_RAWIO # Service has raw I/O access
+#CapabilityBoundingSet=CAP_SETUID CAP_SETGID # Service may change UID/GID identities
+#CapabilityBoundingSet=CAP_SETPCAP # Service may change UID/GID capabilities
+#CapabilityBoundingSet=CAP_SYS_ADMIN # Service has administrator privileges
+#CapabilityBoundingSet=CAP_SYS_BOOT # Service may issue reboot()
+#CapabilityBoundingSet=CAP_SYS_CHROOT # Service may issue chroot()
+#CapabilityBoundingSet=CAP_SYSLOG # Service has access to kernel logging
+#CapabilityBoundingSet=CAP_SYS_MODULE # Service may load kernel modules
+#CapabilityBoundingSet=CAP_SYS_NICE CAP_SYS_RESOURCE # Service has privileges to change resource use parameters
+#CapabilityBoundingSet=CAP_SYS_PACCT # Service may use acct()
+#CapabilityBoundingSet=CAP_SYS_PTRACE # Service has ptrace() debugging abilities
+#CapabilityBoundingSet=CAP_SYS_TIME # Service processes may change the system clock
+#CapabilityBoundingSet=CAP_SYS_TTY_CONFIG # Service may issue vhangup()
+#CapabilityBoundingSet=CAP_WAKE_ALARM # Service may program timers that wake up the system
+
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+
+# (Needs v249 or later) Restrict ports the service can listen on
+#SocketBindAllow=tcp:80
+#SocketBindAllow=tcp:443
+#SocketBindDeny=any
+LockPersonality=true
+RestrictRealtime=true
+RestrictNamespaces=true
+RestrictSUIDSGID=true
-#LockPersonality=yes
+# Risk of breaking JIT compilers (such as java) or dynamic code
+MemoryDenyWriteExecute=true
-# End of generic_service override
-# ------------------------------------------------------------------------------
+SystemCallFilter=@system-service
+SystemCallFilter=~@mount @reboot @raw-io @clock @module @reboot @obsolete \
+ @cpu-emulation @memlock @resources
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
diff --git a/profiles/httpd-override.conf b/profiles/httpd-override.conf
deleted file mode 100644
index 3b14938..0000000
--- a/profiles/httpd-override.conf
+++ /dev/null
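Review bot: The `InaccessiblePaths=` continuation line `-/etc/passwd -/etc/group` in this hunk hides the account databases, which the apache2 and nginx profiles do not do, and it carries none of the "Likely to break things" warnings that the commented-out `#PrivateUsers=true` and `#NoNewPrivileges=true` get, although for a template whose service is unknown it is at least as likely to break something: any name/uid lookup the service performs itself (a daemon that drops privileges on its own, resolves `~user`, or prints owner names) fails inside the sandbox, while `ProtectSystem=strict` already makes both files read-only. systemd's own `User=` resolution presumably still works because it happens before the mount namespace is set up, but that should be confirmed on the oldest version the description claims support for. Suggest either moving the two entries to a separate opt-in line, `#InaccessiblePaths=-/etc/passwd -/etc/group`, or adding above the setting `# /etc/passwd and /etc/group are hidden: drop them if the service fails with "unknown user" or cannot resolve names`.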
@@ -1,93 +0,0 @@
-[Service]
-
-# See "man 5 systemd.exec" for documentation about all of these options
-
-# To see what files a service needs access to, try running:
-# strace -f -o httpd.strace -e trace=file /usr/sbin/httpd
-# cut -d'"' -f2 httpd.strace | sort | uniq -c
-# systemctl restart httpd || { journalctl -xeu httpd; systemctl status httpd; }
-
-# Or uncomment these lines to see the debug logs in journalctl
-#SystemCallFilter=@debug
-#BindReadOnlyPaths=/usr/bin/strace
-#ExecStart=
-#ExecStart=/usr/bin/strace -f /usr/sbin/httpd
-
-# Restart service after 10 seconds if it fails for any reason
-#Restart=on-failure
-#RestartSec=10s
-
-# Mount / as read-only
-PrivateDevices=true
-ProtectControlGroups=true
-ProtectKernelTunables=true
-ProtectSystem=strict
-
-# Limit executables that can be run (may need to add php,perl,etc)
-TemporaryFileSystem=/bin
-TemporaryFileSystem=/sbin
-TemporaryFileSystem=/usr/bin
-TemporaryFileSystem=/usr/sbin
-BindReadOnlyPaths=-/usr/sbin/httpd
-BindReadOnlyPaths=-/usr/sbin/suexec
-
-# Limited access to /etc
-TemporaryFileSystem=/etc
-BindReadOnlyPaths=-/etc/ca-certificates
-BindReadOnlyPaths=-/etc/crypto-policies
-BindReadOnlyPaths=-/etc/group
-#BindReadOnlyPaths=-/etc/hostname
-BindReadOnlyPaths=-/etc/httpd
-BindReadOnlyPaths=-/etc/mime.types
-BindReadOnlyPaths=-/etc/nsswitch.conf
-BindReadOnlyPaths=-/etc/passwd
-BindReadOnlyPaths=-/etc/pki
-BindReadOnlyPaths=-/etc/ssl
-TemporaryFileSystem=/etc/httpd/run/ # Can cause issues. Try commenting out or replacing with BindPaths=-/etc/httpd/run/
-
-# Allow access to web directories
-BindReadOnlyPaths=/var/www
-
-# Allow logging
-TemporaryFileSystem=/var
-BindPaths=/var/log/httpd
-
-# Prevent access to some paths
-InaccessiblePaths=/boot
-InaccessiblePaths=/media
-InaccessiblePaths=/mnt
-InaccessiblePaths=/run/media
-InaccessiblePaths=/usr/local
-
-# Prevent execution from temporary directories
-PrivateTmp=true
-NoExecPaths=/tmp /var/tmp
-
-# Allow binding ports 80 and 443
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE # Commonly causes issues because this limits the types of actions the service can take. Check "man 7 capabilities" for a list
-SocketBindAllow=tcp:443
-SocketBindAllow=tcp:80
-SocketBindDeny=any
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
-AmbientCapabilities= # Don't let child processes bind sockets
-
-
-# Other protections
-
-MemoryDenyWriteExecute=yes
-#NoNewPrivileges=true # This is useful, but may cause the service to fail to start
-
-ProtectClock=true
-ProtectHome=true
-ProtectKernelLogs=true
-ProtectKernelModules=true
-ProtectProc=invisible
-
-RestrictNamespaces=true
-RestrictSUIDSGID=true
-
-SystemCallArchitectures=native
-SystemCallFilter=@system-service
-SystemCallFilter=~@resources
-
-LockPersonality=yes
diff --git a/profiles/nginx-override.conf b/profiles/nginx-override.conf
index 8094b8f..28d209f 100644
--- a/profiles/nginx-override.conf
+++ b/profiles/nginx-override.conf
@@ -1,105 +1,135 @@
 [Service]
-# See "man 5 systemd.exec" for documentation about all of these options
+# ------------------------------------------------------------------------------
-# To see what files a service needs access to, try running:
-# strace -f -o nginx.strace -e trace=file /usr/sbin/nginx
-# cut -d'"' -f2 nginx.strace | sort | uniq -c
-# systemctl restart nginx || { journalctl -xeu nginx; systemctl status nginx; }
-
-# Or uncomment these lines to see the debug logs in journalctl
+## Uncomment to see what files/capabilities a service needs access to
 #SystemCallFilter=@debug
-#BindReadOnlyPaths=/usr/bin/strace
 #ExecStart=
-#ExecStart=/usr/bin/strace -f /usr/sbin/nginx
+#ExecStart=/usr/bin/strace --failed-only --follow-forks /usr/sbin/nginx
+## Needed because strace prevents signaling a successful start
+#TimeoutStartSec=infinity
+
+# ------------------------------------------------------------------------------
 # Restart service after 10 seconds if it fails for any reason
-#Restart=on-failure
-#RestartSec=10s
+Restart=on-failure
+RestartSec=10s
-## Mount / as read-only
-PrivateDevices=true
-ProtectControlGroups=true
-ProtectKernelTunables=true
+# ------------------------------------------------------------------------------
+
+# Make entire filesystem readonly unless overridden
 ProtectSystem=strict
-ProtectHome=tmpfs
+# Make paths read/write
+# BindPaths format:
+# BindPaths=/path/to/source
+# BindPaths=-/path/to/maybe/existing/source
+# BindPaths=/path/to/source:/path/to/destination
-# Allow access to web directories
-#BindReadOnlyPaths=/var/www
-BindReadOnlyPaths=/usr
+#BindPaths=-/service/writes/here
-# Limit executables that can be run (may need to add php,perl,etc)
-TemporaryFileSystem=/bin
-TemporaryFileSystem=/sbin
-TemporaryFileSystem=/usr/bin
-TemporaryFileSystem=/usr/sbin
-BindReadOnlyPaths=/usr/sbin/nginx
-BindReadOnlyPaths=/usr/bin/rm
+# Prevent access to sensitive paths
+InaccessiblePaths=-/mnt -/media -/rw -/etc/crontab -/etc/cron.d -/etc/shadow \
+ -/etc/sudoers -/etc/sudoers -/etc/ssh -/etc/security -/etc/pam.d
-# Commonly needed for services to start
-BindReadOnlyPaths=/lib/ /lib64/ /usr/lib/ /usr/lib64/ /usr/share/zoneinfo/ /usr/share/locale/ /etc/localtime /etc/ssl/certs/ /etc/alternatives/
-#BindReadOnlyPaths=/etc/ld.so.cache /etc/ld.so.conf /etc/ld.so.conf.d/ /etc/bindresvport.blacklist
-#BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout /run/systemd/notify
+# Hide all files in these directories unless added (i.e. with BindPaths= or BindReadOnlyPaths=)
+TemporaryFileSystem=/var/cache /var/log /var/lib
+
+BindReadOnlyPaths=-/dev/log -/run/systemd/journal/socket -/run/systemd/journal/stdout
+BindReadOnlyPaths=-/run/dbus/system_bus_socket
+
+# Prevent executing files from unusual directories
+NoExecPaths=/
+ExecPaths=-/bin -/sbin -/usr/bin -/usr/sbin -/lib -/lib64 -/usr/lib -/usr/lib64 -/usr/libexec
+
+# Likely to break things, maps all other users and groups to nobody
+#PrivateUsers=true
-# Allow access to {/var/cache,/etc,/var/log,/run,/var/lib}/nginx
-CacheDirectory=nginx
-ConfigurationDirectory=nginx
-LogsDirectory=nginx
-RuntimeDirectory=nginx
-StateDirectory=nginx
-TemporaryFileSystem=/var/lib/nginx/tmp
-BindReadOnlyPaths=/usr/share/nginx
-
-# Limited access to /etc
-TemporaryFileSystem=/etc
-BindReadOnlyPaths=-/etc/group
-BindReadOnlyPaths=-/etc/localtime
-BindReadOnlyPaths=-/etc/nsswitch.conf
-BindReadOnlyPaths=-/etc/passwd
-BindReadOnlyPaths=-/etc/pki/
-BindReadOnlyPaths=-/etc/ssl/
-BindReadOnlyPaths=-/etc/selinux/config
-BindReadOnlyPaths=-/etc/system-fips
-BindReadOnlyPaths=-/etc/crypto-policies
-
-# Prevent access to most things in /var
-TemporaryFileSystem=/var
-
-# Prevent access to some paths
-InaccessiblePaths=/boot
-InaccessiblePaths=/media
-InaccessiblePaths=/mnt
-
-# Prevent execution from temporary directories
 PrivateTmp=true
-NoExecPaths=/tmp /var/tmp
+PrivateDevices=true
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
-# Allow binding ports
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN CAP_SETGID CAP_SETUID # Commonly causes issues because this limits the types of actions the service can take. Check "man 7 capabilities" for a list
-SocketBindAllow=tcp:80 tcp:443
-SocketBindDeny=any
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+# (Needs v242 or later)
+ProcSubset=pid
+ProtectHostname=true
+# (Needs v245 or later)
+ProtectClock=true
-# Other protections
+# (Needs v247 or later)
+ProtectProc=invisible
-# May need to change system calls
-SystemCallArchitectures=native
-SystemCallFilter=@system-service @chown
-SystemCallFilter=~@resources
+# (Needs v250 or later)
+ProtectKernelLogs=true
+
+# adds /var/cache/nginx
+CacheDirectory=nginx
+# adds /run/nginx
+RuntimeDirectory=nginx
+# adds /var/log/nginx
+LogsDirectory=nginx
+# adds /var/lib/nginx
+StateDirectory=nginx
+# adds /etc/nginx
+ConfigurationDirectory=nginx
+RuntimeDirectoryMode=0700
+LogsDirectoryMode=0750
+StateDirectoryMode=0700
+ConfigurationDirectoryMode=0700
+
+RemoveIPC=true
-MemoryDenyWriteExecute=yes
+# Likely to break things
 #NoNewPrivileges=true
-ProtectClock=true
-ProtectHome=true
-ProtectKernelLogs=true
-ProtectKernelModules=true
-ProtectProc=invisible
+#CapabilityBoundingSet=CAP_BLOCK_SUSPEND # Service may establish wake locks
+#CapabilityBoundingSet=CAP_CHOWN CAP_FSETID CAP_SETFCAP # Service may change file ownership/access mode/capabilities unrestricted
+#CapabilityBoundingSet=CAP_FOWNER CAP_IPC_OWNER # Service may override UNIX file/IPC permission checks
+#CapabilityBoundingSet=CAP_IPC_LOCK # Service may lock memory into RAM
+#CapabilityBoundingSet=CAP_KILL # Service may send UNIX signals to arbitrary processes
+#CapabilityBoundingSet=CAP_LEASE # Service may create file leases
+#CapabilityBoundingSet=CAP_LINUX_IMMUTABLE # Service may mark files immutable
+#CapabilityBoundingSet=CAP_MKNOD # Service may create device nodes
+#CapabilityBoundingSet=CAP_NET_ADMIN # Service has network configuration privileges
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE # Service can bind ports
+#CapabilityBoundingSet=CAP_NET_BROADCAST CAP_NET_RAW # Service has elevated networking privileges
+#CapabilityBoundingSet=CAP_RAWIO # Service has raw I/O access
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID # Service may change UID/GID identities
+#CapabilityBoundingSet=CAP_SETPCAP # Service may change UID/GID capabilities
+#CapabilityBoundingSet=CAP_SYS_ADMIN # Service has administrator privileges
+#CapabilityBoundingSet=CAP_SYS_BOOT # Service may issue reboot()
+#CapabilityBoundingSet=CAP_SYS_CHROOT # Service may issue chroot()
+#CapabilityBoundingSet=CAP_SYSLOG # Service has access to kernel logging
+#CapabilityBoundingSet=CAP_SYS_MODULE # Service may load kernel modules
+#CapabilityBoundingSet=CAP_SYS_NICE CAP_SYS_RESOURCE # Service has privileges to change resource use parameters
+#CapabilityBoundingSet=CAP_SYS_PACCT # Service may use acct()
+#CapabilityBoundingSet=CAP_SYS_PTRACE # Service has ptrace() debugging abilities
+#CapabilityBoundingSet=CAP_SYS_TIME # Service processes may change the system clock
+#CapabilityBoundingSet=CAP_SYS_TTY_CONFIG # Service may issue vhangup()
+#CapabilityBoundingSet=CAP_WAKE_ALARM # Service may program timers that wake up the system
+
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+
+# (Needs v249 or later) Restrict ports the service can listen on
+SocketBindAllow=tcp:80
+SocketBindAllow=tcp:443
+SocketBindDeny=any
+LockPersonality=true
+RestrictRealtime=true
 RestrictNamespaces=true
 RestrictSUIDSGID=true
-LockPersonality=yes
+# Risk of breaking JIT compilers (such as java) or dynamic code
+MemoryDenyWriteExecute=true
+
+SystemCallFilter=@system-service
+SystemCallFilter=~@mount @reboot @raw-io @clock @module @reboot @obsolete \
+ @cpu-emulation @memlock @resources
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
-- 
2.39.5
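Review bot: The new bounding set no longer contains `CAP_CHOWN`, which the removed `CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN CAP_SETGID CAP_SETUID` line granted, while the master still starts as root (no `User=`): on the common layouts where nginx itself creates its temp directories under `/var/lib/nginx` and chowns them to the worker user, that chown now fails with EPERM and, as far as I recall, nginx treats it as fatal at startup, so a host that already has worker-owned subdirectories from an earlier run would pass while a fresh install would not. In the same area, `StateDirectoryMode=0700` on a root-owned `/var/lib/nginx` (no `User=` means the state directory is not chowned to the worker) presumably stops the unprivileged workers traversing it, which `systemd-analyze security` and a plain restart do not exercise but a request body larger than `client_body_buffer_size` would. If dropping CAP_CHOWN is intended, say so in a comment above `CapabilityBoundingSet=CAP_SETUID CAP_SETGID` and note that the temp directories must pre-exist with worker ownership; otherwise re-add `CapabilityBoundingSet=CAP_CHOWN` and consider `StateDirectoryMode=0755`, or 0750 with a matching `Group=`.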