I am writing a systemd service file for fai-monitor (8). This daemon listens on a single port, receives TCP connections, and writes a single log file with interesting information.
To reduce the attack surface on the system, the service should be run with the least privileges possible. Following the advice on options for hardening systemd service units, I came up with this service file:
[Unit]
Description=FAI Monitor Daemon
[Service]
Type=simple
ExecStart=/usr/sbin/fai-monitor -l /run/fai-monitor/fai-monitor.log
DynamicUser=true
RuntimeDirectory=fai-monitor
RuntimeDirectoryMode=755
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateTmp=true
PrivateUsers=true
ProtectHome=true
ProtectSystem=strict
PrivateDevices=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET AF_INET6
RestrictRealtime=true
TasksMax=16
MemoryHigh=10M
SystemCallFilter=~@mount @debug @privileged
While this seems to be quite restrictive, the service file is relatively verbose.
Are there any other means to restrict a service to the least possible set of privileges? In particular, something like RestrictEverything=true would be interesting, with subsequent whitelisting of allowed resources.
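As an added example (not part of the question, and not code from the fai project), the script below audits a unit file like the one above against a least-privilege checklist: it parses the [Service] section, reports which sandboxing directives are missing, which carry a weaker-than-expected value, and flags a deny-list SystemCallFilter (leading `~`) as weaker than an allow-list. The directive names in the checklist are taken from systemd.exec(5); the choice of which ones belong in the checklist, and the expected values, are this example's assumptions for a network daemon that only writes one log file. The embedded unit text is the one from the question, pasted in as constructed sample input. On a live system, `systemd-analyze security <unit>` performs a comparable assessment with systemd's own scoring.

```python
"""Audit a systemd service unit against a least-privilege hardening checklist.

Added example, not from the question or the fai project. The checklist names
are real directives from systemd.exec(5); which ones to require, and their
expected values, are this script's assumptions for a small network daemon.
"""
from __future__ import annotations

# Constructed sample input: the unit file from the question.
SAMPLE_UNIT = """\
[Unit]
Description=FAI Monitor Daemon

[Service]
Type=simple
ExecStart=/usr/sbin/fai-monitor -l /run/fai-monitor/fai-monitor.log
DynamicUser=true
RuntimeDirectory=fai-monitor
RuntimeDirectoryMode=755
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateTmp=true
PrivateUsers=true
ProtectHome=true
ProtectSystem=strict
PrivateDevices=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET AF_INET6
RestrictRealtime=true
TasksMax=16
MemoryHigh=10M
SystemCallFilter=~@mount @debug @privileged
"""

# Directive -> expected value (assumed hardening baseline for this kind of daemon).
# An empty expected value means "must be present and empty", e.g.
# CapabilityBoundingSet= with no value drops every capability.
CHECKLIST = {
    "DynamicUser": "true", "NoNewPrivileges": "true", "PrivateTmp": "true",
    "PrivateDevices": "true", "PrivateUsers": "true", "ProtectHome": "true",
    "ProtectSystem": "strict", "ProtectKernelTunables": "true",
    "ProtectKernelModules": "true", "ProtectKernelLogs": "true",
    "ProtectControlGroups": "true", "ProtectClock": "true",
    "ProtectHostname": "true", "ProtectProc": "invisible",
    "RestrictNamespaces": "true", "RestrictRealtime": "true",
    "RestrictSUIDSGID": "true", "LockPersonality": "true",
    "MemoryDenyWriteExecute": "true", "SystemCallArchitectures": "native",
    "CapabilityBoundingSet": "",
}
# Directives whose value is unit-specific; they only need to be present.
REQUIRED_ANY = ("RestrictAddressFamilies", "SystemCallFilter")
TRUE_WORDS = {"true", "yes", "on", "1"}   # spellings systemd accepts for booleans


def parse_unit(text: str) -> dict[str, dict[str, list[str]]]:
    """Minimal unit-file parser: section -> key -> list of values.

    Keys may repeat in unit files, so every value is kept; a bare `Key=`
    resets the list, which is how systemd treats list-valued settings.
    """
    sections: dict[str, dict[str, list[str]]] = {}
    current: dict[str, list[str]] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "":
            current[key] = []                     # reset, as systemd does
        else:
            current.setdefault(key, []).append(value)
    return sections


def _normalize(value: str) -> str:
    return "true" if value.lower() in TRUE_WORDS else value.lower()


def audit_service(text: str) -> dict[str, list[str]]:
    """Return {'missing': [...], 'weak': [...], 'ok': [...]} for [Service]."""
    service = parse_unit(text).get("Service", {})
    report: dict[str, list[str]] = {"missing": [], "weak": [], "ok": []}
    for key, expected in CHECKLIST.items():
        if key not in service:
            report["missing"].append(key)
        elif expected == "":
            (report["ok"] if service[key] == [] else report["weak"]).append(key)
        elif _normalize(service[key][-1]) != expected:
            report["weak"].append(f"{key}={service[key][-1]} (want {expected})")
        else:
            report["ok"].append(key)
    for key in REQUIRED_ANY:
        (report["ok"] if service.get(key) else report["missing"]).append(key)
    # A filter starting with '~' denies listed groups and allows everything else;
    # an allow-list of the few groups the daemon needs is the stricter form.
    for value in service.get("SystemCallFilter", []):
        if value.startswith("~"):
            report["weak"].append(f"SystemCallFilter={value} (deny-list; prefer an allow-list)")
    return report


if __name__ == "__main__":
    for kind, items in audit_service(SAMPLE_UNIT).items():
        print(f"{kind}: {', '.join(items) if items else '-'}")
```

Run against the question's unit, the script lists the directives the file does not yet set (kernel module/log protection, namespace and SUID restrictions, an empty capability bounding set, a native-only syscall architecture, and so on) and flags the `~`-style SystemCallFilter; extending the checklist is a one-line change per directive.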