Fedora 40 plans to enable system service isolation

A change proposal for Fedora 40 suggests enabling systemd isolation settings for system services that are enabled by default, as well as for services running mission-critical applications such as PostgreSQL, Apache httpd, Nginx and MariaDB. The change is expected to significantly improve the security of the distribution in its default configuration and to make it possible to block the exploitation of as-yet-unknown vulnerabilities in system services. The proposal has not yet been considered by FESCo (Fedora Engineering Steering Committee), the body responsible for the technical side of Fedora's development, and it may also be rejected during community review.

Recommended settings to enable:

  • PrivateTmp=yes - gives the service its own private directories for temporary files.
  • ProtectSystem=yes/full/strict - mounts the file system read-only (in full mode also /etc/; in strict mode all file systems except /dev/, /proc/ and /sys/).
  • ProtectHome=yes - denies access to user home directories.
  • PrivateDevices=yes - leaves access only to /dev/null, /dev/zero and /dev/random.
  • ProtectKernelTunables=yes - read-only access to /proc/sys/, /sys/, /proc/acpi, /proc/fs, /proc/irq, etc.
  • ProtectKernelModules=yes - prohibits loading kernel modules.
  • ProtectKernelLogs=yes - prohibits access to the kernel log buffer.
  • ProtectControlGroups=yes - read-only access to /sys/fs/cgroup/.
  • NoNewPrivileges=yes - prohibits privilege elevation through the setuid and setgid bits and file capabilities.
  • PrivateNetwork=yes - places the service in a separate network namespace.
  • ProtectClock=yes - prohibits changing the system time.
  • ProtectHostname=yes - prohibits changing the host name.
  • ProtectProc=invisible - hides other users' processes in /proc.
  • User= - runs the service as the specified user instead of root.

Additionally, you may consider enabling the following settings:

  • CapabilityBoundingSet=
  • DevicePolicy=closed
  • KeyringMode=private
  • LockPersonality=yes
  • MemoryDenyWriteExecute=yes
  • PrivateUsers=yes
  • RemoveIPC=yes
  • RestrictAddressFamilies=
  • RestrictNamespaces=yes
  • RestrictRealtime=yes
  • RestrictSUIDSGID=yes
  • SystemCallFilter=
  • SystemCallArchitectures=native
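As an added example that is not part of the proposal or of Fedora's own tooling, the following POSIX shell script audits a unit file for the recommended directives above: it reports which ones are missing from the [Service] section and writes them into a drop-in. The sample unit is constructed, ProtectSystem=strict is assumed as the target value, and PrivateNetwork= and User= are left out because their correct value depends on the service.

```shell
#!/bin/sh
# Added example (not from the Fedora proposal): audit a unit for the hardening
# directives recommended above and emit a drop-in with the missing ones.
# Assumes POSIX sh and awk; the sample unit below is constructed.

# Directives the proposal recommends, with the value a drop-in would set.
# PrivateNetwork= and User= are omitted: a network daemon needs the network,
# and the account to run under is service-specific.
RECOMMENDED="PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
NoNewPrivileges=yes
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible"

# missing_directives UNITFILE: print each recommended name=value whose name is
# not set in the [Service] section (a commented-out line counts as missing).
missing_directives() {
    printf '%s\n' "$RECOMMENDED" | while IFS= read -r line; do
        awk -v key="${line%%=*}" '
            /^\[/ { in_service = ($0 == "[Service]") }
            in_service && index($0, key "=") == 1 { found = 1 }
            END { exit !found }' "$1" || printf '%s\n' "$line"
    done
}

# write_dropin UNITFILE OUTFILE: drop-in adding the missing directives; on a real
# system it would go to /etc/systemd/system/<unit>.d/hardening.conf.
write_dropin() {
    { printf '[Service]\n'; missing_directives "$1"; } > "$2"
}

# Constructed sample unit standing in for a web server's nginx.service.
SAMPLE_UNIT="${TMPDIR:-/tmp}/sample-nginx.service"
cat > "$SAMPLE_UNIT" <<'EOF'
[Unit]
Description=constructed sample web server unit
[Service]
ExecStart=/usr/sbin/nginx
PrivateTmp=yes
ProtectSystem=full
[Install]
WantedBy=multi-user.target
EOF
```

On a real system, `systemd-analyze security <unit>` scores the resulting unit, and a drop-in under /etc/systemd/system/<unit>.d/ takes effect after `systemctl daemon-reload` and a restart of the service.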

Source: opennet.ru
