mirror of https://github.com/HorlogeSkynet/systemd-hardene.d.git synced 2026-04-18 05:10:45 +02:00

systemd-hardene.d

A community-driven systemd security guide and collection of hardened service configurations

Motivation

Most software developers and packagers don't ship any proper confinement: it is pretty time-consuming and usually situational, and it is hard to come up with a profile that suits 100% of cases without breakage.

This project aims at:

  • rigorously listing systemd security-related options with their corresponding documentation (see systemd_service_hardening.md) for software developers and system administrators

  • providing a collection of "out-of-the-box" systemd service unit hardening configuration profiles for well-known services running in Linux environments (see collection/)

Requirements

  • systemd

Installation

For instance, hardening the Gitea systemd service is as easy as:

## 1. Clone this project
git clone https://github.com/HorlogeSkynet/systemd-hardene.d /usr/local/share/systemd-hardene.d

## 2. Prepare Gitea systemd service unit override directory tree
mkdir -p /usr/local/lib/systemd/system
ln -s /usr/local/share/systemd-hardene.d/collection/gitea.service.d /usr/local/lib/systemd/system

## 3. Reload systemd configuration and restart Gitea
systemctl daemon-reload
systemctl restart gitea.service

Frequently Asked Questions

I don't like your security profile and/or I've got a specific use case which isn't covered, what should I do?

Sure, this project cannot fit everyone's needs. Service unit overrides are shipped as 00-hardened.conf, and one can easily extend them by creating another unit override that is loaded afterwards in lexicographic order (e.g. /etc/systemd/system/fixme.service.d/01-relaxed.conf). Simply run systemctl edit fixme.service and add your own override this way.
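How a later drop-in such as 01-relaxed.conf interacts with 00-hardened.conf, as an added example that is not part of this project: a simplified Python model of systemd's drop-in ordering and merging. The drop-in contents, the fixme paths and the short list of list-type settings are constructed assumptions; it goes slightly beyond the text by also covering same-named files in several directories and the empty-assignment reset.

```python
# Added example: simplified model of systemd drop-in merging (not project code).
from pathlib import PurePosixPath

# Subset of the system unit search path, highest priority first.
SEARCH_PATH = ["/etc/systemd/system", "/run/systemd/system",
               "/usr/local/lib/systemd/system", "/usr/lib/systemd/system"]
# Subset of list-type settings: assignments accumulate, an empty value resets.
LIST_SETTINGS = {"ReadWritePaths", "ReadOnlyPaths", "InaccessiblePaths"}

def load_order(paths):
    """Return drop-in paths in the order systemd applies them."""
    def priority(path):
        return SEARCH_PATH.index(str(PurePosixPath(path).parent.parent))
    chosen = {}
    for path in sorted(paths, key=priority):
        # Same file name in two directories: the higher-priority one masks the other.
        chosen.setdefault(PurePosixPath(path).name, path)
    # Different names: lexicographic order, whatever directory they live in.
    return [chosen[name] for name in sorted(chosen)]

def merge(dropins):
    """dropins maps path -> file text; return the effective [Service] settings."""
    effective = {}
    for path in load_order(dropins):
        section = None
        for line in map(str.strip, dropins[path].splitlines()):
            if line.startswith("["):
                section = line.strip("[]")
            elif section == "Service" and "=" in line and line[0] not in "#;":
                key, value = (part.strip() for part in line.split("=", 1))
                if key not in LIST_SETTINGS:
                    effective[key] = value  # scalar setting: last one wins
                elif value:
                    effective[key] = effective.get(key, []) + value.split()
                else:
                    effective[key] = []     # empty assignment resets the list
    return effective

# Constructed sample drop-ins for the hypothetical fixme.service.
DROPINS = {
    "/usr/local/lib/systemd/system/fixme.service.d/00-hardened.conf":
        "[Service]\nProtectHome=yes\nPrivateTmp=yes\nReadWritePaths=/var/lib/fixme\n",
    "/etc/systemd/system/fixme.service.d/01-relaxed.conf":
        "[Service]\nProtectHome=read-only\nReadWritePaths=/srv/fixme\n",
}

if __name__ == "__main__":
    for key, value in merge(DROPINS).items():
        print(f"{key}={value}")
```

In this model the relaxed ProtectHome replaces the hardened one, PrivateTmp stays in force, and ReadWritePaths grows rather than being replaced unless the later file first assigns it an empty value. On a live system, systemctl cat fixme.service prints the unit file followed by the drop-ins that were applied.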

Do you support systemd user instances?

You can try to have this collection of service unit overrides sourced by systemd user instances, by replacing /usr/local/lib/systemd/system with /usr/local/lib/systemd/user during the install steps. Please note that many security items only apply to system services, so additional relaxed overrides may be required.

I have been using some security overrides for several years, can I contribute?

Absolutely! Simply open a pull request including your profiles. Please try to honor the style and format of existing service unit overrides for project consistency :-)

Acknowledgments