Securing services with systemd (#93)

* Basic files layout

* Added intro  to systemd-analyze security

DC-concept-securing-with-systemd

@@ -0,0 +1,12 @@
+# This file originates from the project https://github.com/openSUSE/doc-kit
+# This file can be edited downstream.
+
+MAIN="concept-securing-with-systemd.xml"
+ROOTID="concept-securing-with-systemd"
+
+PROFCONDITION="suse-product"
+#PROFCONDITION="suse-product;beta"
+#PROFCONDITION="community-project"
+
+STYLEROOT="/usr/share/xml/docbook/stylesheet/suse2022-ns"
+FALLBACK_STYLEROOT="/usr/share/xml/docbook/stylesheet/suse-ns"

xml/concept-securing-with-systemd.xml

@@ -0,0 +1,275 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- This file originates from the project https://github.com/openSUSE/doc-kit -->
+<!-- This file can be edited downstream. -->
+<?xml-stylesheet href="urn:x-suse:xslt:profiling:docbook51-profile.xsl"
+ type="text/xml"
+ title="Profiling step"?>
+<!DOCTYPE article
+[
+  <!ENTITY % entities SYSTEM "generic-entities.ent">
+    %entities;
+]>
+<article xml:id="concept-securing-with-systemd" xml:lang="en"
+ role="concept"
+ xmlns="http://docbook.org/ns/docbook" version="5.1"
+ xmlns:its="http://www.w3.org/2005/11/its"
+ xmlns:xi="http://www.w3.org/2001/XInclude"
+ xmlns:xlink="http://www.w3.org/1999/xlink">
+  <info>
+    <title>Securing services with &systemd;</title>
+    <dm:docmanager xmlns:dm="urn:x-suse:ns:docmanager">
+      <dm:bugtracker>
+        <dm:url>https://bugzilla.suse.com/enter_bug.cgi</dm:url>
+        <dm:component>Smart Docs</dm:component>
+        <dm:product>Documentation</dm:product>
+        <dm:assignee>[email protected]</dm:assignee>
+      </dm:bugtracker>
+      <dm:translation>no</dm:translation>
+    </dm:docmanager>
+  </info>
+  <section xml:id="environment-securing-with-systemd">
+    <!--to create unique section IDs, amend the TOPIC-ID (without prefix)-->
+    <!--example: environment-time-synchronization-ntp-->
+    <title>Environment</title>
+    <para>
+      This document applies to the following products and product versions:
+    </para>
+    <itemizedlist>
+      <listitem>
+        <para>
+          &sles;&nbsp;15&nbsp;SP4, 15&nbsp;SP3, 15&nbsp;SP2, 15&nbsp;SP1,
+          15&nbsp;GA, 12&nbsp;SP5, 12&nbsp;SP4, 12&nbsp;SP3
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          &sles4sap;&nbsp;15&nbsp;SP4, 15&nbsp;SP3, 15&nbsp;SP2, 15&nbsp;SP1,
+          15&nbsp;GA, 12&nbsp;SP5, 12&nbsp;SP4, 12&nbsp;SP3
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          &sleha;&nbsp;15&nbsp;SP4, 15&nbsp;SP3, 15&nbsp;SP2, 15&nbsp;SP1,
+          15&nbsp;GA, 12&nbsp;SP5, 12&nbsp;SP4, 12&nbsp;SP3
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          &slehpc;&nbsp;15&nbsp;SP4, 15&nbsp;SP3, 15&nbsp;SP2, 15&nbsp;SP1,
+          15&nbsp;GA
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          &sled;&nbsp;15&nbsp;SP4, 15&nbsp;SP3, 15&nbsp;SP2, 15&nbsp;SP1,
+          15&nbsp;GA, 12&nbsp;SP5, 12&nbsp;SP4, 12&nbsp;SP3
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          &slert;&nbsp;15&nbsp;SP4, 15&nbsp;SP3, 15&nbsp;SP2, 15&nbsp;SP1,
+          15&nbsp;GA, 12&nbsp;SP5, 12&nbsp;SP4, 12&nbsp;SP3
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+  <section xml:id="what-is-securing-with-systemd">
+    <title>Why secure services?</title>
+    <para>
+      Linux increases its security by separating privileges between individual
+      components of the operating system. System services already have a
+      default level of security. For example, their processes run under their
+      own user ID which limits changes they can perform on the system.
+    </para>
+    <para>
+      The default level of privilege separation provides only a basic
+      protection. Services can still perform as much changes as normal local
+      users, though not as much as &rootuser;. Higher level of system security
+      requires limiting what services can perform and prevent them from certain
+      privileges that normal users are allowed to use.
+    </para>
+  </section>
+  <section xml:id="how-it-works-securing-with-systemd">
+    <title>How does securing services with &systemd; work?</title>
+    <para>
+      There are several methods to secure processes and applications that you
+      can use simultaneously. For example, confining with &selnx; or &aa; is
+      recommended. &systemd; can apply additional restrictions to local
+      services by using technologies included in the kernel. These restrictions
+      are activated by adding specific options to the &systemd; service
+      definition and restarting the service.
+    </para>
+  </section>
+  <section xml:id="benefits-securing-with-systemd">
+    <title>Benefits of securing services</title>
+    <para>
+      The main benefit of securing &systemd; services is an increased security
+      of the whole operating system and protection of sensitive data contained
+      on its file system.
+    </para>
+  </section>
+  <section xml:id="systemd-analyze-security">
+    <title>Analyzing the security of service units</title>
+    <para>
+      Use the <command>systemd-analyze security</command> command to analyze
+      security settings of specified &systemd; service units. If unit names are
+      not specified, the command inspects security settings of all currently
+      loaded service units. The command calculates an overall <quote>exposure
+      level</quote> which is an estimation in the range 0.0 to 10.0 indicating
+      how exposed a service is security-wise. High values indicate little loose
+      security provisions, while low exposure levels indicate tight security
+      restrictions.
+    </para>
+<screen>&prompt.user;<command>systemd-analyze security systemd-logind.service</command>
+  NAME                DESCRIPTION                              EXPOSURE
+✗ PrivateNetwork=     Service has access to the host's network      0.5
+✗ User=/DynamicUser=  Service runs as root user                     0.4
+✗ DeviceAllow=        Service has no device ACL                     0.2
+✓ IPAddressDeny=      Service blocks all IP address ranges
+...
+→ Overall exposure level for systemd-logind.service: 4.1 OK 🙂</screen>
+  </section>
+  <section>
+    <title>Techniques of securing &systemd; services</title>
+    <para>
+      This section introduces commonly used techniques that &systemd; offers to
+      protect services. To apply the changes, add the required option to the
+      service definition file and restart the specific service.
+    </para>
+    <variablelist>
+      <varlistentry>
+        <term>PrivateNetwork=yes</term>
+        <listitem>
+          <para>
+            This option isolates the service and its processes from networking.
+            Note that some services require the network to be operational.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PrivateTmp=yes</term>
+        <listitem>
+          <para>
+            This option provides the service with a private
+            <filename>/tmp</filename> isolated from the host system's
+            <filename>/tmp</filename> because it has been a major source of
+            security problems, such as symlink attacks and DoS vulnerabilities
+            due to guessable <filename>/tmp</filename> temporary files.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>InaccessibleDirectories=/home</term>
+        <listitem>
+          <para>
+            This option makes the specified directories inaccessible to the
+            service.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>ReadOnlyDirectories=/var</term>
+        <listitem>
+          <para>
+            This option makes the specified directories inaccessible for
+            writing to the service. The example configuration makes the whole
+            tree below <filename>/var</filename> read-only.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>CapabilityBoundingSet=CAP_CHOWN CAP_KILL</term>
+        <listitem>
+          <para>
+            This option limits which kernel capabilities a service retains. In
+            the example above, only the <literal>CAP_CHOWN</literal> and
+            <literal>CAP_KILL</literal> capabilities are retained by the
+            service, and the service and any processes it creates cannot obtain
+            any other capabilities, not even via setuid binaries.
+          </para>
+          <tip>
+            <para>
+              To easily identify which processes on your system retain which
+              capabilities, use the <command>pscap</command> tool from the
+              <package>libcap-ng-utils</package> package.
+            </para>
+          </tip>
+          <tip>
+            <para>
+              The <literal>~</literal> prefix inverts the meaning of the
+              option&mdash;instead of listing all capabilities that the service
+              retains, you may list the ones it does not retain:
+            </para>
+<screen>...
+      [Service]
+      CapabilityBoundingSet=~CAP_SYS_PTRACE
+      ...</screen>
+          </tip>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>LimitNPROC=1, LimitFSIZE=0</term>
+        <listitem>
+          <para>
+            You can use <emphasis>resource limits</emphasis> to apply security
+            limits on services. Two of them can disable specific operating
+            system features: <option>RLIMIT_NPROC=1</option> disables precess
+            forking, while <option>RLIMIT_FSIZE=0</option> disables creating
+            non-empty files on the file system.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>DeviceAllow=/dev/null rw</term>
+        <listitem>
+          <para>
+            This option limits access to <filename>/dev/null</filename>,
+            disallowing access to any other device nodes.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </section>
+  <section xml:id="related-securing-with-systemd">
+    <title>Related topics</title>
+    <itemizedlist>
+      <listitem>
+        <para>
+          All security options are described in &systemd;'s man pages. Refer to
+          <command>man 5 systemd.exec</command>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The list of currently defined kernel capabilities is available in
+          <command>man 7 capabilities</command>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Enabling and disabling &systemd; services is described in
+          <link xlink:href="https://documentation.suse.com/smart/linux/html/reference-systemctl-enable-disable-services/reference-systemctl-enable-disable-services.html"/>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Managing &systemd; targets with <command>systemctl</command> is
+          described in
+          <link xlink:href="https://documentation.suse.com/smart/linux/html/reference-managing-systemd-targets-systemctl/reference-systemctl-managing-targets.html"/>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Sending termination signals to &systemd; services is described in
+          <link xlink:href="https://documentation.suse.com/smart/linux/html/task-send-termination-signals-systemd/task-send-termination-signals-systemd.html"/>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Starting and stopping &systemd; services is described in
+          <link xlink:href="https://documentation.suse.com/smart/linux/html/reference-systemctl-start-stop-services/reference-systemctl-start-stop-services.html"/>.
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+</article>