Hardened systemd config
As a security tool, we want to ensure it does not add more attack surface than it prevents/detects.
From early testing, the following works on Ubuntu 18.04, 20.04 and CentOS 8 with a few variations: https://github.com/juju4/ansible-sysmon/blob/master/templates/systemd-hardening.conf.j2 (jinja2 template)
{{ ansible_managed | comment }}
#
# /etc/systemd/system/sysmon.service.d/hardening.conf
#
# systemd drop-in that applies sandboxing and resource limits to the sysmon
# unit. Directives whose availability depends on the systemd version are
# gated by Jinja2 conditions on distribution / major version; verify each
# gate against the systemd version actually shipped on the target host.
#
[Service]
# Hardening
# Warning! Test to your context
# Child processes cannot gain privileges via setuid/setgid binaries or file capabilities.
NoNewPrivileges=yes
# Private /tmp and /var/tmp; /home, /root and /run/user are made inaccessible.
PrivateTmp=true
ProtectHome=true
# `true` mounts /usr and /boot read-only; `full` (adds /etc) or `strict`
# (everything except /dev, /proc, /sys) is tighter, but test before switching.
ProtectSystem=true
{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version|int >= 21 %}
# Hide other users' processes in /proc (ProtectProc= needs a newer systemd, hence the gate).
ProtectProc=noaccess
{% endif %}
# Private /dev with pseudo-devices only; the empty DeviceAllow= resets the device access list.
PrivateDevices=yes
DeviceAllow=
PrivateUsers=false
DynamicUser=false
# Files created by the service are not readable by group/others.
UMask=077
# ReadWritePaths=
#InaccessiblePaths=/proc
{% if (ansible_os_family == 'RedHat' and ansible_distribution_major_version|int >= 7) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int >= 18) %}
# Read-only /proc/sys, /sys and related; no kernel module loading.
ProtectKernelTunables=true
ProtectKernelModules=yes
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version|int >= 20) or
(ansible_os_family == 'RedHat' and ansible_distribution_major_version|int > 8 )
%}
# These three need a newer systemd than RHEL 8 / Ubuntu 18.04 ship, hence the gate.
ProtectKernelLogs=yes
ProtectHostname=yes
ProtectClock=yes
{% endif %}
ProtectControlGroups=true
LockPersonality=true
RestrictRealtime=true
RestrictNamespaces=yes
RestrictSUIDSGID=yes
# No mappings that are both writable and executable.
MemoryDenyWriteExecute=yes
# Own network namespace with loopback only. NOTE(review): with this enabled the
# IPAddressAllow= list below only governs traffic inside that namespace; confirm
# that kernel-side (eBPF) network event collection is unaffected on the target.
PrivateNetwork=yes
# NOTE(review): AF_PACKET permits raw packet sockets; drop it if the tool does
# not need packet capture — verify against the tool's actual socket usage.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK AF_PACKET
IPAccounting=yes
# NOTE(review): IPAddressAllow= only exempts traffic that an IPAddressDeny=
# list would otherwise block; with IPAddressDeny= left commented out below,
# this allow list restricts nothing. Set IPAddressDeny=any to make it effective.
IPAddressAllow=localhost link-local multicast 10.0.0.0/8 192.168.0.0/16
# IPAddressDeny=
# CAP_BPF/CAP_PERFMON exist on kernel 5.8+ only; on older kernels bpf() needs
# CAP_SYS_ADMIN, which is presumably why its drop stays commented out below.
AmbientCapabilities=CAP_BPF CAP_PERFMON
# Remove capabilities the service should not need. Multiple `~` lines are
# merged, so the order of the lines below does not matter.
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_DAC_READ_SEARCH
CapabilityBoundingSet=~CAP_SYS_RAWIO
# NOTE(review): without CAP_SYS_PTRACE some /proc/<pid>/ entries of other
# processes are unreadable — confirm process enrichment still works.
CapabilityBoundingSet=~CAP_SYS_PTRACE
CapabilityBoundingSet=~CAP_DAC_* CAP_FOWNER CAP_IPC_OWNER
CapabilityBoundingSet=~CAP_NET_ADMIN
CapabilityBoundingSet=~CAP_KILL
CapabilityBoundingSet=~CAP_NET_BIND_SERVICE CAP_NET_BROADCAST
CapabilityBoundingSet=~CAP_SYS_BOOT
CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE
CapabilityBoundingSet=~CAP_SYS_CHROOT
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND
CapabilityBoundingSet=~CAP_LEASE
CapabilityBoundingSet=~CAP_SYS_PACCT
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
# Candidate further drops, kept commented until tested on the target kernel
# (e.g. CAP_SYS_ADMIN is required for bpf() before kernel 5.8).
# CapabilityBoundingSet=~CAP_SYS_ADMIN
# CapabilityBoundingSet=~CAP_SYS_NICE CAP_SYS_RESOURCE
# CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP
# CapabilityBoundingSet=~CAP_CHOWN CAP_FSETID CAP_SETFCAP
# CapabilityBoundingSet=~CAP_NET_RAW
# CapabilityBoundingSet=~CAP_IPC_LOCK
{% endif %}
{% if not (ansible_virtualization_type is defined and
(ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker")
) and
not (ansible_os_family == 'RedHat' and ansible_distribution_major_version|int < 8) %}
# Seccomp filtering is skipped inside lxc/docker guests and on RHEL < 8.
{% if (ansible_os_family == 'RedHat' and ansible_distribution_major_version|int >= 8) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int >= 20) %}
# The first line allow-lists syscall groups; the second then removes groups
# that @privileged would otherwise bring in (e.g. @module, @reboot, @swap,
# @clock). Lines are evaluated in order, so keep the deny line after the allow line.
SystemCallFilter=@system-service @debug @privileged
SystemCallFilter=~@mount @cpu-emulation @obsolete @resources @clock @swap @reboot @module
# Only the host's native ABI (no 32-bit compat syscalls on 64-bit hosts).
SystemCallArchitectures=native
# When system call is disallowed, return error code instead of killing process
# (no SIGSYS). When tuning the filter, look for EPERM failures in the service log.
SystemCallErrorNumber=EPERM
{% endif %}
{% endif %}
{% if sysmon_cgroups_restriction_enable|bool %}
# Resource limits. NOTE(review): exceeding MemoryLimit= triggers the OOM killer
# against the service and stops monitoring, and a tight CPUQuota= can drop
# events under load — size these against observed load and alert on unit
# restarts. These are the cgroup v1 directive names; newer systemd translates
# them to CPUWeight=/MemoryMax= on cgroup v2 hosts — confirm on the target.
CPUShares={{ sysmon_cgroups_cpushares | default('1024') }}
CPUQuota={{ sysmon_cgroups_cpuquota | default('10%') }}
MemoryLimit={{ sysmon_cgroups_memorylimit | default('1G') }}
{% endif %}
This is excellent. I will find time to examine it and then incorporate it - would you like to submit it as a PR?
Done