From Fedora Project Wiki
No edit summary
No edit summary
Line 2: Line 2:
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->


= Enable systemd service hardening for default services =
= Enable systemd service hardening for default and high profile services =


{{Change_Proposal_Banner}}
{{Change_Proposal_Banner}}


== Summary ==
== Summary ==
Improve security of default services by enabling some of the high impact systemd service hardening knobs for all default services.
Improve security of default services by enabling some of the high impact systemd service hardening knobs for all default and high profile services.


== Owner ==
== Owner ==
Line 27: Line 27:
[[Category:SystemWideChange]]
[[Category:SystemWideChange]]


* Targeted release: [https://docs.fedoraproject.org/en-US/releases/f<VERSION>/ Fedora Linux <VERSION>]
* Targeted release: Fedora 40
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
Line 42: Line 42:
== Detailed Description ==
== Detailed Description ==
The specific toggles under consideration include the following
The specific toggles under consideration include the following
* PrivateTmp=true
* PrivateTmp=yes
* ProtectSystem=true
* ProtectSystem=yes/full/strict
* ProtectHome=true
* ProtectHome=yes
* PrivateDevices=true
* PrivateDevices=yes
* ProtectKernelTunables=true
* ProtectKernelTunables=yes
* ProtectControlGroups=true
* ProtectKernelModules=yes
* NoNewPrivileges=true
* ProtectControlGroups=yes
* NoNewPrivileges=yes


We will enable as many of these as feasible for the service but not every toggle is going to be applicable to every service. For example, ProtectHome wouldn't work for any of the systemd user services and ProtectSystem wouldn't work for system services that need to access configuration in /etc
We will enable as many of these as feasible for the services but not every toggle is going to be applicable to every service. For example, ProtectHome=yes wouldn't work for any of the systemd user services but ProtectHome=read-only might and PrivateNetwork can only be used for services that work locally.


== Feedback ==
== Feedback ==
Line 56: Line 57:


== Benefit to Fedora ==
== Benefit to Fedora ==
<!-- What is the benefit to the distribution?  Will the software we generate be improved? How will the process of creating Fedora releases be improved?
 
      Be sure to include the following areas if relevant:
      If this is a major capability update, what has changed?
          For example: This change introduces Python 5 that runs without the Global Interpreter Lock and is fully multithreaded.
      If this is a new functionality, what capabilities does it bring?
          For example: This change allows package upgrades to be performed automatically and rolled-back at will.
      Does this improve some specific package or set of packages?
          For example: This change modifies a package to use a different language stack that reduces install size by removing dependencies.
      Does this improve specific Spins or Editions?
          For example: This change modifies the default install of Fedora Workstation to be more in line with the base install of Fedora Server.
      Does this make the distribution more efficient?
          For example: This change replaces thousands of individual %post scriptlets in packages with one script that runs at the end.
      Is this an improvement to maintainer processes?
          For example: Gating Fedora packages on automatic QA tests will make rawhide more stable and allow changes to be implemented more smoothly.
      Is this an improvement targeted as specific contributors?
          For example: Ensuring that a minimal set of tools required for contribution to Fedora are installed by default eases the onboarding of new contributors.


Fedora services will get a significant security boost by default by avoiding or mitigatating security vulnerabilities in these services.
<!--
     When a Change has multiple benefits, it's better to list them all.
     When a Change has multiple benefits, it's better to list them all.


Line 129: Line 116:


== User Experience ==
== User Experience ==
<!-- If this change proposal is noticeable by users, how will their experiences change as a result?
This should be a fully transparent change for users.  
 
This section partially overlaps with the Benefit to Fedora section above. This section should be primarily about the User Experience, written in a way that does not assume deep technical knowledge. More detailed technical description should be left for the Benefit to Fedora section.
 
Describe what Users will see or notice, for example:
  - Packages are compressed more efficiently, making downloads and upgrades faster by 10%.
  - Kerberos tickets can be renewed automatically. Users will now have to authenticate less and become more productive. Credential management improvements mean a user can start their work day with a single sign on and not have to pause for reauthentication during their entire day.
- Libreoffice is one of the most commonly installed applications on Fedora and it is now available by default to help users "hit the ground running".
- Green has been scientifically proven to be the most relaxing color. The move to a default background color of green with green text will result in Fedora users being the most relaxed users of any operating system.
-->


== Dependencies ==
== Dependencies ==
<!-- What other packages (RPMs) depend on this package? Are there changes outside the developers' control on which completion of this change depends?  In other words, completion of another change owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate?  Other upstream projects like the kernel (if this is not a kernel change)? -->
None. We are merely enabling some long supported systemd features by default for default and high profile services.
 
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->




== Contingency Plan ==
== Contingency Plan ==


<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "Revert the shipped configuration".  Or it might not (e.g. rebuilding a number of dependent packages).  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
* Contingency mechanism:  These settings can be enabled/disabled at a per service level. No wholesale reverts is necessary. If we don't finish the work for all the services, we can follow through in future releases.
* Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Contingency deadline: N/A  
<!-- When is the last time the contingency mechanism can be put in place?  This will typically be the beta freeze. -->
* Blocks release? No  
* Contingency deadline: N/A (not a System Wide Change)  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? -->
* Blocks release? N/A (not a System Wide Change), Yes/No <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->




== Documentation ==
== Documentation ==
<!-- Is there upstream documentation on this change, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
* https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html
* https://www.redhat.com/sysadmin/systemd-secure-services
* https://www.redhat.com/sysadmin/mastering-systemd
 


<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
Line 163: Line 139:


== Release Notes ==
== Release Notes ==
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are at https://docs.fedoraproject.org/en-US/fedora/latest/release-notes/ -->
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this change, indicate them here.  A link to upstream documentation will often satisfy this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release.


Release Notes are not required for initial draft of the Change Proposal but has to be completed by the Change Freeze.  
systemd security hardening features are enabled for default services and following high profile services.
-->
 
* Postgres
* Apache Httpd
* Nginx
* MariaDB
....

Revision as of 02:00, 15 November 2023


Enable systemd service hardening for default and high profile services

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

Improve security of default services by enabling some of the high impact systemd service hardening knobs for all default and high profile services.

Owner

-->


Current status

  • Targeted release: Fedora 40
  • Last updated: 2023-11-15
  • [<will be assigned by the Wrangler> devel thread]
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

The specific toggles under consideration include the following

  • PrivateTmp=yes
  • ProtectSystem=yes/full/strict
  • ProtectHome=yes
  • PrivateDevices=yes
  • ProtectKernelTunables=yes
  • ProtectKernelModules=yes
  • ProtectControlGroups=yes
  • NoNewPrivileges=yes

We will enable as many of these as feasible for the services but not every toggle is going to be applicable to every service. For example, ProtectHome=yes wouldn't work for any of the systemd user services but ProtectHome=read-only might and PrivateNetwork can only be used for services that work locally.

Feedback

Benefit to Fedora

Fedora services will get a significant security boost by default by avoiding or mitigatating security vulnerabilities in these services.


Scope

  • Proposal owners:
  • Other developers:
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Community Initiatives:

Upgrade/compatibility impact

How To Test

User Experience

This should be a fully transparent change for users.

Dependencies

None. We are merely enabling some long supported systemd features by default for default and high profile services.


Contingency Plan

  • Contingency mechanism: These settings can be enabled/disabled at a per service level. No wholesale reverts is necessary. If we don't finish the work for all the services, we can follow through in future releases.
  • Contingency deadline: N/A
  • Blocks release? No


Documentation


N/A (not a System Wide Change)

Release Notes

systemd security hardening features are enabled for default services and following high profile services.

  • Postgres
  • Apache Httpd
  • Nginx
  • MariaDB

....