Fedora 40 proposes enabling sandboxing for system services

For the Fedora 40 release it has been proposed to enable systemd sandboxing settings for the system services that are enabled by default, as well as for the services of critical applications such as PostgreSQL, Apache httpd, Nginx and MariaDB. The change is expected to significantly raise the security of the distribution in its default configuration and to contain the exploitation of as-yet-unknown vulnerabilities in system services, since a compromised service would be limited to what its sandbox allows. The proposal has not yet been reviewed by FESCo (Fedora Engineering Steering Committee), which is responsible for the technical side of Fedora development, and it may still be rejected during community review.

Settings proposed to be enabled:

  • PrivateTmp=yes - gives the service its own private directories for temporary files.
  • ProtectSystem=yes/full/strict - mounts parts of the file system read-only ("yes" covers /usr/ and /boot/; "full" additionally covers /etc/; "strict" makes the entire file system hierarchy read-only except /dev/, /proc/ and /sys/).
  • ProtectHome=yes - denies access to user home directories.
  • PrivateDevices=yes - leaves access only to pseudo-devices such as /dev/null, /dev/zero and /dev/random; physical devices are not visible in /dev/.
  • ProtectKernelTunables=yes - read-only access to /proc/sys/, /sys/, /proc/acpi, /proc/fs, /proc/irq and similar.
  • ProtectKernelModules=yes - forbids loading kernel modules.
  • ProtectKernelLogs=yes - forbids access to the kernel log buffer.
  • ProtectControlGroups=yes - read-only access to /sys/fs/cgroup/.
  • NoNewPrivileges=yes - forbids privilege escalation via setuid, setgid and file capabilities.
  • PrivateNetwork=yes - places the service in a separate network namespace.
  • ProtectClock=yes - forbids changing the system clock.
  • ProtectHostname=yes - forbids changing the hostname.
  • ProtectProc=invisible - hides other users' processes in /proc/.
  • User= - runs the service as the specified (ideally dedicated, unprivileged) user instead of root.

In addition, enabling the following settings may be considered:

  • CapabilityBoundingSet= - limits the capabilities the service may hold (for example an empty set, or only CAP_NET_BIND_SERVICE).
  • DevicePolicy=closed - restricts device access to a minimal set of pseudo-devices.
  • KeyringMode=private - gives the service its own kernel session keyring.
  • LockPersonality=yes - locks the execution domain (personality(2)).
  • MemoryDenyWriteExecute=yes - forbids memory mappings that are both writable and executable.
  • PrivateUsers=yes - runs the service in a private user namespace.
  • RemoveIPC=yes - removes System V and POSIX IPC objects owned by the service user when the service stops.
  • RestrictAddressFamilies= - limits the socket address families the service may use (for example AF_UNIX AF_INET AF_INET6).
  • RestrictNamespaces=yes - forbids creating new namespaces.
  • RestrictRealtime=yes - forbids realtime scheduling.
  • RestrictSUIDSGID=yes - forbids creating setuid/setgid files.
  • SystemCallFilter= - seccomp allow/deny list of system calls (for example @system-service).
  • SystemCallArchitectures=native - allows only system calls of the native ABI.
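As an added example (not part of the opennet article or of the Fedora proposal itself), the following POSIX shell script audits a unit file against the directives from both lists above and prints a drop-in that adds the ones the unit does not set. The sample unit, its `exampled` binary and user, and the `10-hardening.conf` file name are constructed for the demo; the directive names and values are the real systemd ones.

```shell
#!/bin/sh
# Added example, not from the Fedora proposal or the opennet article: audit a
# systemd unit's [Service] section against the sandboxing directives listed
# above and emit a drop-in that adds the ones it is missing. POSIX sh + awk.

# Directives to enable, with the value to add when the unit does not set them.
# Values already set in the unit (even weaker ones) are kept and reported.
HARDENING="PrivateTmp=yes ProtectSystem=strict ProtectHome=yes PrivateDevices=yes \
ProtectKernelTunables=yes ProtectKernelModules=yes ProtectKernelLogs=yes \
ProtectControlGroups=yes NoNewPrivileges=yes ProtectClock=yes ProtectHostname=yes \
ProtectProc=invisible RestrictSUIDSGID=yes RestrictRealtime=yes \
RestrictNamespaces=yes LockPersonality=yes SystemCallArchitectures=native"

# Shared awk prologue: load the directive names into need[] and track whether
# we are inside [Service]. Assumes the usual Key=value form without spaces.
AWK_PROLOGUE='
    BEGIN { n = split(want, w, " ")
            for (i = 1; i <= n; i++) { split(w[i], kv, "="); need[kv[1]] = 1 } }
    /^\[/ { insvc = ($0 == "[Service]"); next }'

# missing_directives UNITFILE: names of directives [Service] never sets
# (a commented-out "# ProtectHome=yes" does not count as set).
missing_directives() {
    awk -v want="$HARDENING" "$AWK_PROLOGUE"'
        insvc && /^[A-Za-z]+=/ { split($0, kv, "="); delete need[kv[1]] }
        END { for (k in need) print k }' "$1" | LC_ALL=C sort
}

# disabled_directives UNITFILE: directives the unit explicitly turns off
# (no/false/off/0). A finding in its own right, since the drop-in below
# deliberately does not override an explicit choice made in the unit.
disabled_directives() {
    awk -v want="$HARDENING" "$AWK_PROLOGUE"'
        insvc && /^[A-Za-z]+=/ {
            split($0, kv, "=")
            if ((kv[1] in need) && kv[2] ~ /^(no|false|off|0)$/) print kv[1]
        }' "$1" | LC_ALL=C sort
}

# hardening_dropin UNITFILE: print a drop-in ([Service] only) setting just the
# missing directives. Install it as /etc/systemd/system/NAME.service.d/10-hardening.conf,
# run "systemctl daemon-reload", then compare "systemd-analyze security NAME.service".
hardening_dropin() {
    missing=" $(missing_directives "$1" | tr '\n' ' ')"
    echo "[Service]"
    for kv in $HARDENING; do
        case "$missing" in *" ${kv%%=*} "*) echo "$kv" ;; esac
    done
}

# Constructed sample unit (not a real Fedora package unit) so the script runs
# stand-alone: one protection on, one weakened, one disabled, one commented out.
make_sample_unit() {
    cat > "$1" <<'EOF'
[Unit]
Description=Example daemon (constructed for the demo)

[Service]
ExecStart=/usr/bin/exampled
User=exampled
PrivateTmp=yes
ProtectSystem=full
NoNewPrivileges=no
# ProtectHome=yes
EOF
}

# Stand-alone demo on the constructed unit.
demo_unit=$(mktemp)
make_sample_unit "$demo_unit"
echo "== Missing =="; missing_directives "$demo_unit"
echo "== Explicitly disabled =="; disabled_directives "$demo_unit"
echo "== Proposed drop-in =="; hardening_dropin "$demo_unit"
rm -f "$demo_unit"
```

The drop-in only fills gaps: `ProtectSystem=full` in the sample is kept rather than raised to `strict`, and the explicit `NoNewPrivileges=no` is reported separately instead of being silently overridden, because a unit that turns a protection off usually did so for a reason that needs a human decision. After installing a drop-in, test the service under real load before relying on it: `ProtectSystem=strict`, `PrivateDevices=yes` and `ProtectProc=invisible` are the settings that most often break daemons that write outside `/var` or inspect other processes, and `ReadWritePaths=` is the usual remedy for the first of these.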

Source: opennet.ru
