[Pkg-dns-devel] Bug#863841: Bug#863841: Enable systemd hardening options for named

Ondřej Surý ondrej at sury.org
Thu Feb 1 15:06:34 UTC 2018


Here:

https://salsa.debian.org/dns-team/bind9.git (and in future https://salsa.debian.org/dns-team/bind.git); you'll probably need a guest account, which can be created here: https://signup.salsa.debian.org/

Ondrej
-- 
Ondřej Surý <ondrej at sury.org>

On Thu, Feb 1, 2018, at 09:44, Ludovic Gasc wrote:
> Hi,
> 
> On Mon, 29 Jan 2018 11:18:47 -0500 Simon Deziel <simon at sdeziel.info> wrote:
> > SystemCallArchitectures=native
> > # note: AF_NETLINK is needed for getifaddrs(3)
> > RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
> 
> I'm also working to increase the security of bind via systemd without MAC
> enabled, and I have integrated your suggestions.
> FYI, I have discussed this on the bind mailing list to validate the unit
> file; the complete discussion:
> https://lists.isc.org/pipermail/bind-users/2018-January/099437.html
> 
> Below is the actual unit file I'm using in our production.
> If you have extra suggestions, I'm interested in them.
> 
> How could I send a merge request?
> I found the file in Git:
> https://anonscm.debian.org/git/pkg-dns/bind9.git/tree/debian/bind9.service
> Should I send a patch to the Debian-DNS mailing list?
> 
> Regards
> 
> [Unit]
> After=network-online.target
> 
> [Service]
> Type=simple
> TimeoutSec=25
> Restart=always
> RestartSec=1
> User=bind
> Group=bind
> CapabilityBoundingSet=CAP_NET_BIND_SERVICE
> AmbientCapabilities=CAP_NET_BIND_SERVICE
> SystemCallFilter=~@mount @debug acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp kexec_load keyctl lookup_dcookie migrate_pages move_pages open_by_handle_at perf_event_open process_vm_readv process_vm_writev ptrace remap_file_pages request_key set_mempolicy swapoff swapon uselib vmsplice
> RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
> LimitCORE=infinity
> LimitNOFILE=65535
> NoNewPrivileges=true
> SystemCallArchitectures=native
> MemoryDenyWriteExecute=true
> RestrictRealtime=true
> PrivateDevices=true
> PrivateTmp=true
> ProtectHome=true
> ProtectSystem=strict
> ProtectKernelModules=true
> ProtectKernelTunables=true
> ProtectControlGroups=true
> ReadOnlyPaths=/sys
> InaccessiblePaths=/home
> InaccessiblePaths=/opt
> InaccessiblePaths=/root
> ReadWritePaths=/run/named
> ReadWritePaths=/var/cache/bind
> ReadWritePaths=/var/lib/bind
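As an added example (not code from the thread, the bind9 package or systemd), here is a small Python checker that parses a unit file the way systemd treats repeated list directives and audits the hardening settings discussed above; the unit text is a constructed subset of the one quoted, and the set of checks and their messages are my own assumptions about what a reviewer would verify.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the [Service] directives quoted in the thread.
UNIT = """\
[Service]
User=bind
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
SystemCallFilter=~@mount @debug ptrace swapon swapoff
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
NoNewPrivileges=true
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
ProtectSystem=strict
ReadWritePaths=/run/named
ReadWritePaths=/var/cache/bind
ReadWritePaths=/var/lib/bind
"""

def parse_unit(text):
    """Parse unit text into {section: {key: [values]}}; repeated keys such as
    ReadWritePaths accumulate, matching how systemd treats list settings."""
    sections, current = defaultdict(lambda: defaultdict(list)), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = m.group(1)
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()].append(value.strip())
    return sections

# Scalar directives from the thread that a hardened named unit should carry (assumed set).
REQUIRED = {"NoNewPrivileges": "true", "SystemCallArchitectures": "native",
            "MemoryDenyWriteExecute": "true", "ProtectSystem": "strict"}

def audit(service):
    """Return findings for a parsed [Service] section; an empty list means all checks passed."""
    findings = []
    for key, want in REQUIRED.items():
        got = service.get(key, [])
        if not got or got[-1] != want:  # for scalar settings the last assignment wins
            findings.append(f"{key} should be {want}, found {got[-1] if got else 'unset'}")
    # strict makes the filesystem read-only, so named's state directories must be listed
    if service.get("ProtectSystem", [""])[-1] == "strict" and not service.get("ReadWritePaths"):
        findings.append("ProtectSystem=strict without ReadWritePaths: named cannot write its state")
    if any(f.startswith("~") for f in service.get("SystemCallFilter", [])):
        findings.append("SystemCallFilter is a deny-list (~): only the listed syscalls are blocked")
    return findings
```

Run it against `/lib/systemd/system/bind9.service` (or the output of `systemctl cat bind9`) to compare an installed unit with the one proposed in the thread.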
