Set up systemd sandboxing for every service #3

Open
opened 2020-04-17 15:12:24 +00:00 by caskd · 2 comments
Owner

Included by default:

  • Full
    • redis
    • hitch
    • varnish
    • tor
  • Minimal
    • grafana
    • murmur (mumble)

Included but commented:

  • haproxy

Not included:

  • postgresql
  • unbound
  • telegraf
  • influxdb
  • gitea
  • minecraft
caskd self-assigned this 2020-04-17 15:12:31 +00:00
caskd added this to the Deployment to production milestone 2020-04-17 15:22:22 +00:00
Author
Owner

A good template for starting off is this:

```
ProtectSystem=strict
PrivateUsers=true
NoNewPrivileges=yes
TemporaryFileSystem=/:ro
BindReadOnlyPaths=/etc
BindReadOnlyPaths=/usr
BindReadOnlyPaths=/lib
BindReadOnlyPaths=/lib64
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
PrivateTmp=yes
PrivateDevices=yes
```
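As an added illustration (not from the issue or the RedXen roles): a small checker that parses a unit or drop-in's [Service] section and reports where it falls short of the template above, honouring systemd's rule that repeated keys accumulate and an empty assignment resets the list. The drop-in it inspects is constructed here for a hypothetical JIT-based service.

```python
# Scalar directives from the template above and the value it sets (assumed baseline).
TEMPLATE = {"ProtectSystem": "strict", "PrivateUsers": "true", "NoNewPrivileges": "yes",
            "TemporaryFileSystem": "/:ro", "ProtectControlGroups": "yes",
            "ProtectKernelModules": "yes", "ProtectKernelTunables": "yes",
            "RestrictNamespaces": "yes", "RestrictRealtime": "yes", "RestrictSUIDSGID": "yes",
            "MemoryDenyWriteExecute": "yes", "LockPersonality": "yes", "PrivateTmp": "yes", "PrivateDevices": "yes"}
ALLOWED_FAMILIES = {"AF_UNIX", "AF_INET", "AF_INET6", "AF_NETLINK"}
REQUIRED_RO_PATHS = {"/etc", "/usr", "/lib", "/lib64"}
TRUTHY = {"yes", "true", "1", "on"}

def parse_service_section(text: str) -> dict:
    # Collect [Service] keys. Repeated keys accumulate; 'Key=' with no value resets
    # the list, which is how systemd treats list-valued settings such as BindReadOnlyPaths.
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and line and line[0] not in "#;" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            out[key] = out.get(key, []) + [value] if value else []
    return out

def lint(unit_text: str) -> list:
    # Return findings; an empty list means the unit matches the template.
    svc, findings = parse_service_section(unit_text), []
    for key, want in TEMPLATE.items():
        got = svc.get(key)
        last = got[-1].lower() if got else None  # last assignment wins for scalar settings
        if last is None:
            findings.append(f"{key} not set")
        elif (last not in TRUTHY) if want in TRUTHY else (last != want):
            findings.append(f"{key}={got[-1]} (template: {want})")
    fams = set(" ".join(svc.get("RestrictAddressFamilies", [])).split())
    extra = fams - ALLOWED_FAMILIES
    if not fams or extra:
        findings.append("RestrictAddressFamilies " + ("allows " + " ".join(sorted(extra)) if fams else "not set"))
    # BindReadOnlyPaths entries may be 'src', 'src:dest' or 'src:dest:opts'; compare the source path.
    ro = {p.split(":")[0] for v in svc.get("BindReadOnlyPaths", []) for p in v.split()}
    if REQUIRED_RO_PATHS - ro:
        findings.append("BindReadOnlyPaths missing " + " ".join(sorted(REQUIRED_RO_PATHS - ro)))
    return findings

# Constructed drop-in: the template minus MemoryDenyWriteExecute (JIT runtimes need W+X mappings) plus AF_PACKET.
SAMPLE_DROPIN = "[Service]\n" + "\n".join(f"{k}={v}" for k, v in TEMPLATE.items()
                                          if k != "MemoryDenyWriteExecute") + """
BindReadOnlyPaths=/etc /usr
BindReadOnlyPaths=/lib:/lib:norbind /lib64
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK AF_PACKET
"""
```

Running `lint(SAMPLE_DROPIN)` flags the missing directive and the extra address family; appending `RestrictAddressFamilies=` followed by a narrower assignment shows the reset semantics clearing the earlier list.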
Author
Owner

Services ready:

  • everything in the "Full" section
  • darkhttpd (https://git.redxen.eu/RedXen/ansible-darkhttpd/commit/8e9736435e7270b843384be581f9844027d543a6)
  • murmur (https://git.redxen.eu/RedXen/ansible-murmur/commit/385fda1e1b093c0478865238b6778d5cee85a8e1)
  • gitea (https://git.redxen.eu/RedXen/ansible-gitea/commit/283549c188776183de14e8420bdf1924dd93a8fe)
  • transmission (https://git.redxen.eu/RedXen/ansible-systemd/commit/95fbf873af3121d145f8da64c3121132cd21ce4d)
  • haproxy (https://git.redxen.eu/RedXen/ansible-systemd/commit/29497278df95b21e81541cf1155e3e14505f1d89)
  • influxdb (https://git.redxen.eu/RedXen/ansible-systemd/commit/3d24de992db8a475159cb6cd80597bccb242bcf5)
  • grafana (https://git.redxen.eu/RedXen/ansible-systemd/commit/806a6acd9d1d09a8c3b26803fa5dbfb3bc2fdced)
  • telegraf (https://git.redxen.eu/RedXen/ansible-systemd/commit/806a6acd9d1d09a8c3b26803fa5dbfb3bc2fdced)

Testing:

To do:

  • postgres
  • unbound
  • minecraft
  • pleroma
  • inspircd

Cancelled:

  • tor
Reference: RedXen/ansible#3