
Re: [RFC] locking down rsyslog.service



Hi,

I appreciate all the excellent feedback so far.
Thanks a lot!
Fwiw, the current set of hardening features in rsyslog.service is available at
https://salsa.debian.org/debian/rsyslog/-/blob/debian/master/debian/rsyslog.service#L18

I will see if I can incorporate some of the suggestions by mika.

On 16.10.23 at 18:49, Simon Richter wrote:
> Hi,
>
> On 10/17/23 01:24, Michael Prokop wrote:
>
>>    # Restrict access to the various process namespace types the Linux kernel provides
>>    RestrictNamespaces=true
>
> There is one plugin that uses namespaces. I wonder if it would make sense to split it out into a separate package, and have that package override the default configuration if it's installed.
>
> The capability set for rsyslog could be reduced quite a lot further if we could lobby the Linux kernel maintainers to add the open file limit (in CAP_SYS_ADMIN) and the socket buffer size limit (in CAP_NET_ADMIN) to CAP_SYS_RESOURCE; my expectation would be that these are the most common reasons these capabilities are set in other services as well.

Making CAP_SYS_ADMIN less powerful is something I would support, but unfortunately I won't be the one driving this change.

> Could systemd be taught that certain capabilities are required depending on kernel version?

systemd upstream is very reluctant about kernel version checks (given that there exist a plethora of kernels with backported features). If there were an API to query the actual functionality, then maybe something like this would be possible.

Michael
