TT#110904 TT#76552 Fix systemd hardening for carrier environments

In carrier environments we have foreign DB hosts
configured in /etc/ngcp-mediator/ngcp-mediator.conf,
therefore we can't easily apply IP address filtering.

JFTR, new and current systemd hardening state for ngcp-mediator:

| $ sudo COLUMNS=142 systemd-analyze security ngcp-mediator | grep -v '✓'
|   NAME                               DESCRIPTION                        EXPOSURE
| ✗ PrivateNetwork=                    Service has access to the host's …      0.5
| ✗ User=/DynamicUser=                 Service runs as root user               0.4
| ✗ RestrictAddressFamilies=~AF_(INET… Service may allocate Internet soc…      0.3
| ✗ RestrictAddressFamilies=~…         Service may allocate exotic socke…      0.3
| ✗ DeviceAllow=                       Service has a device ACL with som…      0.1
| ✗ IPAddressDeny=                     Service does not define an IP add…      0.2
| ✗ RestrictAddressFamilies=~AF_PACKET Service may allocate packet socke…      0.2
| ✗ SystemCallFilter=~@privileged      System call whitelist defined for…      0.2
| ✗ RestrictAddressFamilies=~AF_NETLI… Service may allocate netlink sock…      0.1
| ✗ RootDirectory=/RootImage=          Service runs within the host's ro…      0.1
|   SupplementaryGroups=               Service runs as root, option does…
|   RemoveIPC=                         Service runs as root, option does…
| ✗ RestrictAddressFamilies=~AF_UNIX   Service may allocate local sockets      0.1
|
| → Overall exposure level for ngcp-mediator.service: 2.1 OK 🙂

Change-Id: I0e7c474eddd5d4d4c77b9bda157448294ed0a5c4
mr9.3.1
Michael Prokop 5 years ago
parent 29cf8436b8
commit fa565ef32c

@ -76,11 +76,6 @@ PrivateNetwork=false
DevicePolicy=strict
DeviceAllow=/dev/null rw
# Block all IP address ranges
# NOTE: allow access from localhost
IPAddressAllow=localhost
IPAddressDeny=any
# Maximum number of bytes of memory that may be locked into RAM
LimitMEMLOCK=0

Loading…
Cancel
Save