[Pkg-dns-devel] Bug#863841: Enable systemd hardening options for named

Ludovic Gasc gmludo at gmail.com
Thu Feb 1 08:44:07 UTC 2018


Hi,

On Mon, 29 Jan 2018 11:18:47 -0500 Simon Deziel <simon at sdeziel.info> wrote:
> SystemCallArchitectures=native
> # note: AF_NETLINK is needed for getifaddrs(3)
> RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK

I'm also working to increase the security of bind via systemd without MAC
enabled; I have integrated your suggestions.
FYI, I have discussed this on the bind mailing list to validate the unit
file; the complete discussion:
https://lists.isc.org/pipermail/bind-users/2018-January/099437.html

Below is the actual unit file I'm using in our production.
If you have extra suggestions, I'm interested.

How could I send a merge request?
I have found the file in Git:
https://anonscm.debian.org/git/pkg-dns/bind9.git/tree/debian/bind9.service
Do I send a patch to the Debian-DNS mailing list?

Regards

[Unit]
After=network-online.target

[Service]
Type=simple
TimeoutSec=25
Restart=always
RestartSec=1
User=bind
Group=bind
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
SystemCallFilter=~@mount @debug acct modify_ldt add_key adjtimex \
    clock_adjtime delete_module fanotify_init finit_module get_mempolicy \
    init_module io_destroy io_getevents iopl ioperm io_setup io_submit \
    io_cancel kcmp kexec_load keyctl lookup_dcookie migrate_pages move_pages \
    open_by_handle_at perf_event_open process_vm_readv process_vm_writev ptrace \
    remap_file_pages request_key set_mempolicy swapoff swapon uselib vmsplice
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
LimitCORE=infinity
LimitNOFILE=65535
NoNewPrivileges=true
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
RestrictRealtime=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=strict
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
ReadOnlyPaths=/sys
InaccessiblePaths=/home
InaccessiblePaths=/opt
InaccessiblePaths=/root
ReadWritePaths=/run/named
ReadWritePaths=/var/cache/bind
ReadWritePaths=/var/lib/bind
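An added example, not from this thread or the bind9 package, that parses a unit file the way systemd reads it (backslash-continued lines joined, repeated list-type settings such as ReadWritePaths accumulated) and reports which of the hardening directives from the unit above are missing or weaker. The unit text inside it is constructed: a trimmed copy of the posted unit with ProtectSystem and the address-family list deliberately weakened so the report has something to flag.

```python
from collections import defaultdict
# Constructed demo unit: trimmed from the posted one, with settings weakened.
UNIT_TEXT = """\
[Unit]
After=network-online.target
[Service]
NoNewPrivileges=true
ProtectSystem=full
SystemCallFilter=~@mount @debug acct modify_ldt add_key \\
    ptrace swapoff swapon uselib vmsplice
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
ReadWritePaths=/run/named
ReadWritePaths=/var/cache/bind
"""

# Directives and the values the unit in this thread settles on.
EXPECTED = {"NoNewPrivileges": "true", "ProtectSystem": "strict",
            "ProtectHome": "true", "MemoryDenyWriteExecute": "true",
            "SystemCallArchitectures": "native"}
def parse_unit(text):
    """{section: {key: [values]}}; joins '\\'-continued lines, keeps repeats."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):           # continuation: glue next line on
            pending = line[:-1] + " "
            continue
        pending = ""
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            sections.setdefault(current, defaultdict(list))
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()].append(value.strip())  # lists accumulate
    return sections

def hardening_gaps(text):
    """Expected directives whose effective (last) value is missing or weaker."""
    svc = parse_unit(text).get("Service", {})
    return {k: (svc[k][-1] if svc.get(k) else None)
            for k, want in EXPECTED.items() if not svc.get(k) or svc[k][-1] != want}
def denied_syscalls(text):
    """Names in a deny-list (~) SystemCallFilter, across continuation lines."""
    svc = parse_unit(text).get("Service", {})
    return {n for v in svc.get("SystemCallFilter", []) if v.startswith("~")
            for n in v[1:].split()}
```

Running it against the real /lib/systemd/system/bind9.service (read the file into `text`) gives the same report for the installed unit; AF_NETLINK can be checked the same way via the parsed RestrictAddressFamilies value.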