[RFC] locking down rsyslog.service

To: Debian Development <debian-devel@lists.debian.org>
Subject: [RFC] locking down rsyslog.service
From: Michael Biebl <biebl@debian.org>
Date: Tue, 10 Oct 2023 20:22:26 +0200
Message-id: <[🔎] 5b8392a7-8c83-42c4-8020-aafbae94331a@debian.org>

Hi,


I intend to lock down rsyslog.service in Debian in one of the next
uploads using the following systemd directives

PrivateTmp=yes
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateTmp=

PrivateDevices=yes
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateDevices=

ProtectHome=yes
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=

ProtectSystem=full
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=

ProtectKernelTunables=yes
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelTunables=

ProtectKernelModules=yes
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelModules=

ProtectClock=yes
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectClock=

SystemCallFilter=@system-service
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=

CapabilityBoundingSet=CAP_BLOCK_SUSPEND CAP_CHOWN CAP_LEASE
CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_ADMIN CAP_SYS_RESOURCE
CAP_SYSLOG
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=

The full rsyslog.service looks like this, in case you want to test it:
```
[Unit]
Description=System Logging Service
Requires=syslog.socket
Documentation=man:rsyslogd(8)
Documentation=man:rsyslog.conf(5)
Documentation=https://www.rsyslog.com/doc/

[Service]
Type=notify
ExecStart=/usr/sbin/rsyslogd -n -iNONE
StandardOutput=null
Restart=on-failure

# Increase the default a bit in order to allow many simultaneous
# files to be monitored, we might need a lot of fds.
LimitNOFILE=16384

PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectSystem=full
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectClock=yes
SystemCallFilter=@system-service
CapabilityBoundingSet=CAP_BLOCK_SUSPEND CAP_CHOWN CAP_LEASE
CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_ADMIN CAP_SYS_RESOURCE
CAP_SYSLOG

[Install]
WantedBy=multi-user.target
Alias=syslog.service
```

While the attempt is to secure the default configuration of rsyslog, I
do not want to restrict it so much that it becomes unusable.
If you think, that one of those directives could cause issues with
commonly used setups, please let me know, so I can adjust the
configuration.

Looking forward to your feedback.

Michael

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

Reply to:

Follow-Ups:
- Re: [RFC] locking down rsyslog.service
  - From: Simon Richter <sjr@debian.org>
- Re: [RFC] locking down rsyslog.service
  - From: Sam Morris <sam@robots.org.uk>
- Re: [RFC] locking down rsyslog.service
  - From: Robert Edmonds <edmonds@debian.org>
- Re: [RFC] locking down rsyslog.service
  - From: Michael Prokop <mika@debian.org>

Prev by Date: Bug#1053758: ITP: libspelling -- Spellcheck library for GTK4
Next by Date: Re: [RFC] locking down rsyslog.service
Previous by thread: Bug#1053758: ITP: libspelling -- Spellcheck library for GTK4
Next by thread: Re: [RFC] locking down rsyslog.service
Index(es):
- Date
- Thread