Systemd Service Hardening
When was the last time you ran
    systemd-analyze security
?
Homework
https://www.linuxjournal.com/content/systemd-service-strengthening
https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
man systemd.unit
man systemd.directives
Tips and tricks:
Do not modify service files. Create a drop-in file with the
[section]
and whatever directives you want changed.
Homework
Run a Google search for systemd drop-in
I find it more productive to have a boilerplate or skeleton file
for common type coding. Examples:
    $ ls -1 *skeleton*
    bash_skeleton
    install_skeleton
    skeleton_changes
    skeleton_sb_drop_in_changes
    skeleton_service_changes
The skeleton files have about 80% of the common code
for parsing the command line, commands for arguments and the usual
boilerplate code for the activity. You copy the skeleton file
to the desired file name, change one or more variables, and then
start hacking away at the code to have it do whatever you like.
For example, skeleton_sb_drop_in_changes.
I would
    cp skeleton_sb_drop_in_changes mlocate_sb_drop_in_changes
    edt mlocate_sb_drop_in_changes
and do a global change of drop_in to mlocate.
Code already exists to create/remove the drop-in file and
directory and all the directives with my desired settings.
Nothing left to do except delete/change desired directives for
the mlocate service.
Now I need a script to execute all the sandbox scripts.
    cp skeleton_changes sb_drop_in_changes
and hack it to have
    while read -r line ; do
        $line "$_arg1"
    done < <(ls -1 /local/bin/*_sb_drop_in_changes)
Then edit install_changes and add
    /local/bin/sb_drop_in_changes
install_changes is the last command I run during a clean
install to get the last of the changes not already made.
--- MBSE BBS v1.0.7.21 (GNU/Linux-x86_64)
* Origin: A noiseless patient Spider (2:250/1@fidonet)
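
The create/remove drop-in step described in the post, sketched as an added example (not the poster's skeleton file). The unit name mlocate.service, the file name sandbox.conf, the DROPIN_ROOT variable and the /var/lib/mlocate path are assumptions; the directives are standard systemd.exec settings.

```shell
#!/bin/bash
# Added example: create or remove a sandbox drop-in for one unit.
# DROPIN_ROOT is a hypothetical variable for trying the script in a scratch directory.
DROPIN_ROOT="${DROPIN_ROOT:-}"

dropin_path() {    # $1 = unit name, e.g. mlocate.service (assumed name)
    printf '%s/etc/systemd/system/%s.d/sandbox.conf\n' "$DROPIN_ROOT" "$1"
}

create_dropin() {
    _file="$(dropin_path "$1")"
    mkdir -p "$(dirname "$_file")" || return 1
    # The drop-in only carries the section header and the directives to change.
    cat > "$_file" <<'EOF'
[Service]
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectHome=read-only
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
LockPersonality=yes
RestrictAddressFamilies=AF_UNIX
# Assumed database directory; the leading "-" ignores it if it does not exist.
ReadWritePaths=-/var/lib/mlocate
EOF
    chmod 0644 "$_file"
}

remove_dropin() {
    _file="$(dropin_path "$1")"
    rm -f "$_file"
    rmdir "$(dirname "$_file")" 2>/dev/null || true   # removes the .d directory only when empty
}

reload_units() {   # only touch the running systemd when writing to the real /etc
    [ -z "$DROPIN_ROOT" ] && command -v systemctl >/dev/null && systemctl daemon-reload
    return 0
}

case "${1:-}" in
    create) create_dropin "$2" && reload_units ;;
    remove) remove_dropin "$2" && reload_units ;;
esac
```

After a create, restart the unit and compare the score from systemd-analyze security mlocate.service with the one from before the drop-in.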