Hi,

I intend to lock down rsyslog.service in Debian in one of the next uploads using the following systemd directives

PrivateTmp=yes
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateTmp=

PrivateDevices=yes
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateDevices=

ProtectHome=yes
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=

ProtectSystem=full
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=

ProtectKernelTunables=yes
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelTunables=

ProtectKernelModules=yes
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelModules=

ProtectClock=yes
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectClock=

SystemCallFilter=@system-service
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=

CapabilityBoundingSet=CAP_BLOCK_SUSPEND CAP_CHOWN CAP_LEASE CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_SYSLOG
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=

The full rsyslog.service looks like this, in case you want to test it:

```
[Unit]
Description=System Logging Service
Requires=syslog.socket
Documentation=man:rsyslogd(8)
Documentation=man:rsyslog.conf(5)
Documentation=https://www.rsyslog.com/doc/

[Service]
Type=notify
ExecStart=/usr/sbin/rsyslogd -n -iNONE
StandardOutput=null
Restart=on-failure

# Increase the default a bit in order to allow many simultaneous
# files to be monitored, we might need a lot of fds.
LimitNOFILE=16384

PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectSystem=full
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectClock=yes
SystemCallFilter=@system-service
CapabilityBoundingSet=CAP_BLOCK_SUSPEND CAP_CHOWN CAP_LEASE CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_SYSLOG

[Install]
WantedBy=multi-user.target
Alias=syslog.service
```

While the attempt is to secure the default configuration of rsyslog, I do not want to restrict it so much that it becomes unusable.

If you think that one of those directives could cause issues with commonly used setups, please let me know, so I can adjust the configuration.

Looking forward to your feedback.

Michael
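One way to check an existing rsyslog configuration against the path-related directives proposed above (ProtectHome=yes, ProtectSystem=full, PrivateTmp=yes, PrivateDevices=yes), as an added example that is not part of the original message or of the Debian packaging. The function name, the pseudo-device allowlist and the sample configuration are assumptions constructed for illustration.

```python
import re

# Effects of the proposed directives on paths, per systemd.exec(5).
RULES = [
    (("/home", "/root", "/run/user"), "ProtectHome=yes", "inaccessible and empty"),
    (("/usr", "/boot", "/efi", "/etc"), "ProtectSystem=full", "read-only, so output actions fail"),
    (("/tmp", "/var/tmp"), "PrivateTmp=yes", "private copy, invisible to other processes"),
    (("/dev",), "PrivateDevices=yes", "only API pseudo-devices are present"),
]
# Assumption: conservative list of pseudo-devices kept in the private /dev.
PSEUDO_DEVICES = {"/dev/null", "/dev/zero", "/dev/full", "/dev/random", "/dev/urandom"}

# Absolute paths, not preceded by a word character, '/' or ':' (skips URLs).
PATH_RE = re.compile(r"(?<![\w/:])/[\w.%+-]+(?:/[\w.%+-]+)*")


def sandbox_conflicts(conf_text):
    """Return (line_no, path, directive, effect) for each affected path."""
    hits = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        code = line.split("#", 1)[0]  # drop comments
        for path in PATH_RE.findall(code):
            if path in PSEUDO_DEVICES:
                continue
            for prefixes, directive, effect in RULES:
                if any(path == p or path.startswith(p + "/") for p in prefixes):
                    hits.append((line_no, path, directive, effect))
    return hits


# Constructed sample configuration, not taken from any real host.
SAMPLE_CONF = """\
module(load="imuxsock")
*.*;auth,authpriv.none   -/var/log/syslog
daemon.*                 |/dev/xconsole
local3.*                 /home/app/logs/app.log
local4.*                 action(type="omfile" file="/tmp/debug.log")
# kern.*                 /dev/console
mail.*                   /dev/null
"""

if __name__ == "__main__":
    for line_no, path, directive, effect in sandbox_conflicts(SAMPLE_CONF):
        print(f"line {line_no}: {path}: {directive} ({effect})")
```

Hits under ProtectSystem=full matter only for paths rsyslog writes to; reading includes from /etc is unaffected.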