
#1 2022-09-23 22:08:32

noob4lnx
Member
From: Gone_Deleted
Registered: 2022-09-23
Posts: 7

[SOLVED] Need help setting up systemd service hardening UFW firewall

Hi, I read the wiki (and other manpages) on hardening systemd files and successfully brought one of the scripts down to a 4.x security level ("OK" output in systemd-analyze security) but I can't find the right options for my ufw script.

I am an old timer pre systemd and learning about systemd. It would be great if someone would be able to give some examples of what flags to set for the script below to harden the systemd config:

[Unit]
Description=Run firewall script

[Service]
Type=simple
ExecStart=bash -c ". /etc/ufw-firewall.sh"


#
# Hardening
#
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
#ProtectSystem=strict
#ProtectHome=true 

#ProtectClock=true
#ProtectProc=invisible
#ProtectKernelTunables=true
#ProtectKernelModules=true
#ProtectControlGroups=true
#ProtectKernelLogs=true
#ProtectHostname=true
#ProcSubset=pid

#PrivateUsers=true
#PrivateTmp=true

#PrivateIPC=true
#PrivateDevices=true
#MemoryDenyWriteExecute=true

#LockPersonality=true
#NoNewPrivileges=true

#RestrictAddressFamilies=AF_INET
#SystemCallFilter=write read openat close brk fstat lseek mmap mprotect munmap rt_sigaction rt_sigprocmask ioctl nanosleep select access execve getuid arch_prctl set_tid_address set_robust_list prlimit64 pread64 getrandom
#RestrictRealtime=true
#RestrictSUIDSGID=true
#RestrictNamespaces=true
#SystemCallArchitectures=native
#UMask=0077
#IPAddressDeny=any


[Install]
WantedBy=multi-user.target

As you see I already included hardened flags which are commented out. I can randomly try and see what works over multiple reboots but I prefer to have someone look at it with specific insight for what this script does.

This is the script called by the service file above:

# ufw firewall
ufw enable
ufw default allow outgoing
ufw default deny incoming

My specific question is: what to set for #CapabilityBoundingSet and #SystemCallFilter and which of the above flags are totally redundant for this type of usage?  My guess is ufw needs all kinds of netfilter access as well as specific kernel IP stack operation access.

Any help is greatly appreciated. I am not a systemd fan but trying to learn and adapt as we move along this line into the future smile

Last edited by noob4lnx (2023-03-14 14:18:53)


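The thread never posts the settings that ended up working, so the following is an added example (mine, not from the thread or the ufw project). It emits a drop-in for the unit above (the unit name ufw-firewall.service and the drop-in path are assumed) and adds an offline check for misspelled directive names, which systemd otherwise logs as "Unknown key name ... ignoring" and silently drops. The capability set, ReadWritePaths, address families and the two options deliberately left out are assumptions about how ufw drives iptables/nftables and rewrites its own config files; the sample draft is constructed, with one deliberately misspelled key.

```shell
#!/bin/sh
# Added example, not from the thread or the ufw project. Two helpers:
#   hardened_dropin - drop-in for the firewall unit (assumed name
#                     ufw-firewall.service), built on the assumptions below
#   lint_unit_keys  - offline check for misspelled directive names

# Directive names this checker knows (a partial list of real systemd keys;
# extend as needed). Anything else is reported for a manual look.
KNOWN_KEYS="Description After Wants Type ExecStart RemainAfterExit WantedBy
CapabilityBoundingSet AmbientCapabilities ProtectSystem ProtectHome
ReadWritePaths ReadOnlyPaths InaccessiblePaths ProtectClock ProtectProc
ProtectKernelTunables ProtectKernelModules ProtectControlGroups
ProtectKernelLogs ProtectHostname ProcSubset PrivateUsers PrivateTmp
PrivateIPC PrivateDevices PrivateNetwork MemoryDenyWriteExecute
LockPersonality NoNewPrivileges RestrictAddressFamilies SystemCallFilter
SystemCallErrorNumber SystemCallArchitectures RestrictRealtime
RestrictSUIDSGID RestrictNamespaces UMask IPAddressDeny IPAddressAllow"

# Print each Key= in unit file $1 that is not in KNOWN_KEYS. A leading "#"
# is stripped so commented-out candidates get checked too.
lint_unit_keys() {
    known=" $(printf '%s' "$KNOWN_KEYS" | tr '\n' ' ') "
    grep -E '^#?[A-Za-z]+=' "$1" | sed -E 's/^#?([A-Za-z]+)=.*/\1/' | sort -u |
    while read -r key; do
        case "$known" in
            *" $key "*) ;;
            *) echo "$key" ;;
        esac
    done
}

# Assumptions (verify with the journal and strace on the host): ufw drives
# iptables/nftables, which needs CAP_NET_ADMIN and CAP_NET_RAW on raw and
# netlink sockets; `ufw enable` and `ufw default` rewrite /etc/ufw/* and
# /etc/default/ufw; ufw-init applies /etc/ufw/sysctl.conf, so /proc/sys
# must stay writable. Extend ReadWritePaths if the journal shows EROFS.
hardened_dropin() {
    cat <<'EOF'
[Service]
# The script runs once and exits; oneshot + RemainAfterExit keeps it "active".
Type=oneshot
RemainAfterExit=yes
ExecStart=
ExecStart=/usr/bin/bash /etc/ufw-firewall.sh
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
ProtectSystem=strict
ReadWritePaths=/etc/ufw /etc/default/ufw
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectClock=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectHostname=true
# Left out on purpose: ProtectKernelTunables (sysctl writes would fail) and
# PrivateUsers (capabilities in a user namespace do not reach the host netns).
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
UMask=0077
EOF
}

# Constructed sample: a draft modelled on the one in the thread, with one
# deliberately misspelled directive.
write_draft() {
    cat > "$1" <<'EOF'
[Unit]
Description=Run firewall script

[Service]
Type=simple
ExecStart=bash -c ". /etc/ufw-firewall.sh"
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
#ProtectSystem=strict
#MemorytDenyWriteExecute=true
#SystemCallFilter=write read openat close
#IPAddressDeny=any

[Install]
WantedBy=multi-user.target
EOF
}

draft=$(mktemp); write_draft "$draft"
echo "Unrecognised keys in draft: $(lint_unit_keys "$draft")"       # MemorytDenyWriteExecute
dropin=$(mktemp); hardened_dropin > "$dropin"
echo "Unrecognised keys in drop-in: $(lint_unit_keys "$dropin" | grep -c '')"   # 0
rm -f "$draft" "$dropin"
```

To use it, write the output of hardened_dropin to /etc/systemd/system/ufw-firewall.service.d/hardening.conf (assumed path), run systemctl daemon-reload and systemd-analyze verify on the unit, restart it, and confirm the rules still load before reading the new systemd-analyze security score. If a rule change is refused or a config write fails, the journal entry for the unit and an strace of the script will show which capability, path or address family was needed; loosen only that one setting.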

#2 2022-09-23 22:14:56

noob4lnx
Member
From: Gone_Deleted
Registered: 2022-09-23
Posts: 7

Re: [SOLVED] Need help setting up systemd service hardening UFW firewall

By the way - when I run systemd-analyze security, I see a lot of "UNSAFE" rated services by default but I understand the "hardening" is just relative in systemd and does not indicate any objective system hardening other than sandboxing an individual service. (and like DBUS needs a lot of "UNSAFE" access). Perhaps various websites talking about "hardening systemd" should rename it to "sandboxing systemd". This on a side note.

UNIT                                 EXPOSURE PREDICATE HAPPY
archlinux-keyring-wkd-sync.service        2.0 OK        ?
auditd.service                            8.7 EXPOSED   ?
dbus.service                              9.6 UNSAFE    ?
dm-event.service                          9.5 UNSAFE    ?
emergency.service                         9.5 UNSAFE    ?
getty@tty1.service                        9.6 UNSAFE    ?
rc-local.service                          2.5 OK        ?
rescue.service                            9.5 UNSAFE    ?
shadow.service                            9.6 UNSAFE    ?
systemd-ask-password-console.service      9.4 UNSAFE    ?
systemd-ask-password-wall.service         9.4 UNSAFE    ?
systemd-journald.service                  4.3 OK        ?
systemd-logind.service                    2.8 OK        ?
systemd-networkd.service                  2.6 OK        ?
systemd-resolved.service                  2.1 OK        ?
systemd-rfkill.service                    9.4 UNSAFE    ?
systemd-timesyncd.service                 2.1 OK        ?
systemd-udevd.service                     6.8 MEDIUM    ?
ufw.service                               9.6 UNSAFE    ?

I don't know why systemd needs those emoticons (they don't even render properly on various terminals). I haven't seen them in the past when using a systemd based Linux. But this is off-topic (I feel like I need to mention it though).

If there are tools to better evaluate systemd service files for security reasons I appreciate any links to websites, github, project etc

Thanks


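For the side question about tooling: systemd-analyze security is itself the evaluator, and its per-unit form (systemd-analyze security ufw.service) lists every check that failed. The following added example (mine, not from the thread or systemd) shows how to triage a saved copy of the summary table offline, using the table above as a constructed sample, so a fleet-wide export can be filtered by score or predicate without re-running the tool on each host.

```shell
#!/bin/sh
# Added example (not from the thread): offline triage of a saved
# `systemd-analyze security` table. Constructed sample: the table posted
# in the thread, with the HAPPY emoji column shown as "?".
SAMPLE_TABLE='UNIT                                 EXPOSURE PREDICATE HAPPY
archlinux-keyring-wkd-sync.service        2.0 OK        ?
auditd.service                            8.7 EXPOSED   ?
dbus.service                              9.6 UNSAFE    ?
dm-event.service                          9.5 UNSAFE    ?
emergency.service                         9.5 UNSAFE    ?
getty@tty1.service                        9.6 UNSAFE    ?
rc-local.service                          2.5 OK        ?
rescue.service                            9.5 UNSAFE    ?
shadow.service                            9.6 UNSAFE    ?
systemd-ask-password-console.service      9.4 UNSAFE    ?
systemd-ask-password-wall.service         9.4 UNSAFE    ?
systemd-journald.service                  4.3 OK        ?
systemd-logind.service                    2.8 OK        ?
systemd-networkd.service                  2.6 OK        ?
systemd-resolved.service                  2.1 OK        ?
systemd-rfkill.service                    9.4 UNSAFE    ?
systemd-timesyncd.service                 2.1 OK        ?
systemd-udevd.service                     6.8 MEDIUM    ?
ufw.service                               9.6 UNSAFE    ?'

# Units whose exposure score is at or above the threshold given as $1.
# Reads the table on stdin and skips the header row. The score is
# systemd's 0-10 tally of failed sandboxing checks; it says nothing about
# what the service actually does with the access it has.
units_at_or_above() {
    awk -v min="$1" 'NR > 1 && ($2 + 0) >= (min + 0) { print $1, $2 }'
}

# Number of units carrying the predicate given as $1 (OK, MEDIUM, EXPOSED, UNSAFE).
predicate_count() {
    awk -v p="$1" 'NR > 1 && $3 == p { c++ } END { print c + 0 }'
}

# Example run on the sample: the UNSAFE count, then everything scoring 9.0 or more.
printf '%s\n' "$SAMPLE_TABLE" | predicate_count UNSAFE
printf '%s\n' "$SAMPLE_TABLE" | units_at_or_above 9.0
```

A score threshold is only a triage aid: getty@tty1.service and ufw.service both sit at 9.6, but one needs a TTY and login privileges by design while the other can plausibly be sandboxed, so the per-unit report decides what is worth changing. Newer systemd releases also accept --threshold= on the security verb to fail a CI run when a unit's exposure exceeds a chosen value.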

#3 2022-09-23 22:38:17

loqs
Member
Registered: 2014-03-06
Posts: 18,964

Re: [SOLVED] Need help setting up systemd service hardening UFW firewall

Are you using ufw from the Arch repositories?  As the systemd service is completely different and it is using a shell script that is also not supplied by the package.


#4 2022-09-24 18:48:12

WorMzy
Administrator
From: Scotland
Registered: 2010-06-16
Posts: 13,572

Re: [SOLVED] Need help setting up systemd service hardening UFW firewall

noob4lnx wrote:

Yes I am using ufw 0.36.1-1 installed with pacman.

I created a 3-line launcher script in /etc/ called using the systemd service file above.

I wonder if it's feasible to sandbox this service using any of the commented out (or any other) hardening options in the same service file above.

noob4lnx, if you were wondering where your message went, you clicked 'report' rather than 'quote' or 'Post reply'. Only moderators and admins can see reports.


Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD

Making lemonade from lemons since 2015.


#5 2022-09-24 18:55:20

loqs
Member
Registered: 2014-03-06
Posts: 18,964

Re: [SOLVED] Need help setting up systemd service hardening UFW firewall

Please post the shell script you created.  Could you also explain why the default upstream shell script /usr/lib/ufw/ufw-init was not sufficient?

