TT#76552 Harden ngcp-mediator service

ngcp-mediator service state BEFORE this change:

| $ systemd-analyze security ngcp-mediator | tail -1
| → Overall exposure level for ngcp-mediator.service: 9.5 UNSAFE 😨

ngcp-mediator service state AFTER this change:

| $ sudo COLUMNS=142 systemd-analyze security ngcp-mediator | grep -v '✓'
|   NAME                                                        DESCRIPTION                                                             EXPOSURE
| ✗ PrivateNetwork=                                             Service has access to the host's network                                     0.5
| ✗ User=/DynamicUser=                                          Service runs as root user                                                    0.4
| ✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                        0.3
| ✗ RestrictAddressFamilies=~…                                  Service may allocate exotic sockets                                          0.3
| ✗ DeviceAllow=                                                Service has a device ACL with some special devices                           0.1
| ✗ IPAddressDeny=                                              Service defines IP address whitelits with only localhost entries             0.1
| ✗ RestrictAddressFamilies=~AF_PACKET                          Service may allocate packet sockets                                          0.2
| ✗ SystemCallFilter=~@privileged                               System call whitelist defined for service, and @privileged is included       0.2
| ✗ RestrictAddressFamilies=~AF_NETLINK                         Service may allocate netlink sockets                                         0.1
| ✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                0.1
|   SupplementaryGroups=                                        Service runs as root, option does not matter
|   RemoveIPC=                                                  Service runs as root, option does not apply
| ✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets                                           0.1
|
| → Overall exposure level for ngcp-mediator.service: 2.0 OK 🙂

Change-Id: If33c303b9df465393f15c0b685d1aab54a465df6
mr9.3.1
Michael Prokop 6 years ago
parent 353093d704
commit 29cf8436b8

@ -10,6 +10,84 @@ Wants=redis-server.service
Type=notify
ExecStart=/usr/bin/ngcp-mediator
# Service cannot create writable executable memory mappings that are writable and executable at the same time
MemoryDenyWriteExecute=true
# Service cannot modify the control group file system (via /sys/fs/cgroup)
ProtectControlGroups=true
# Service cannot load or read kernel modules
ProtectKernelModules=true
# Service cannot alter kernel tunables (/proc + /sys)
ProtectKernelTunables=true
# Service may execute system calls only with native ABI
SystemCallArchitectures=native
# Limit set of capabilities
CapabilityBoundingSet=
# Service process does not receive ambient capabilities
AmbientCapabilities=
# Service has no access to other software's temporary files
PrivateTmp=true
# Service has no access to hardware devices
PrivateDevices=true
# Service has no access to home directories
ProtectHome=true
# Service has strict read-only access to the OS file hierarchy
ProtectSystem=strict
# Limit write access
ReadWritePaths=/run/
ReadWritePaths=/var/log/ngcp/
# Service cannot change ABI personality
LockPersonality=true
# Turn off acquisition of new privileges system-wide
NoNewPrivileges=true
# Service has own user namespace, only root, nobody, and the uid/gid under which the service is running are mapped
PrivateUsers=true
# Service user cannot leave SysV IPC objects around
# NOTE: service runs as root, so option does not matter
RemoveIPC=true
# Restrict access to the various process namespace types the Linux kernel provides
RestrictNamespaces=true
# Service may not acquire realtime scheduling
RestrictRealtime=true
# Files created by service are accessible only by service's own user by default
UMask=0077
# NOTE: Service needs access to the host's network, to e.g. access redis DB
PrivateNetwork=false
# Control access to specific device nodes by the executed processes
DevicePolicy=strict
DeviceAllow=/dev/null rw
# Block all IP address ranges
# NOTE: allow access from localhost
IPAddressAllow=localhost
IPAddressDeny=any
# Maximum number of bytes of memory that may be locked into RAM
LimitMEMLOCK=0
# Restrict system calls that are allowed to be executed
SystemCallFilter=@system-service
SystemCallFilter=~@chown @clock @cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @resources @swap memfd_create mincore mlock mlockall personality
[Install]
WantedBy=multi-user.target
Alias=mediator.service

Loading…
Cancel
Save