[OPS-1161] Harden systemd service #129

Merged
merged 1 commit into from
Mar 18, 2024

Sereja313
Member

Problem: We want to harden the security of our systemd services.

Solution: Use the hardening profile defined in serokell.nix.

Description

Related issue(s)

Fixed #

✅ Checklist for your Pull Request

Related changes (conditional)

  • Tests

    • If I added new functionality, I added tests covering it.
    • If I fixed a bug, I added a regression test to prevent the bug from
      silently reappearing again.
  • Documentation

    • I checked whether I should update the docs and did so if necessary:

Stylistic guide (mandatory)

✓ Release Checklist

  • I updated the version number in package.yaml.
  • (After merging) I created a new entry in the releases page,
    with a summary of all user-facing changes.
    • I made sure a tag was created using the format vX.Y

@Sereja313
Member Author

Depends on serokell/serokell.nix#158

module.nix
User = "tzbot";
Group = "tzbot";
StateDirectory = "tzbot";
Restart = mkDefault "on-failure";
RestartSec = mkDefault 10;

SystemCallFilter = [
Member

Do you know if there is an easy way to determine which syscalls are needed by a given service?

Member Author

I don't think there is any easy way. You can use strace or https://github.com/synacktiv/shh (which didn't work for me), but you will still need to manually use the service, which is practically the same as simply restricting syscalls and then using the service to see if anything is broken.
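
The strace route mentioned in this thread can be turned into a candidate allowlist mechanically. The following is an added example, not code from this pull request or from serokell.nix: it parses plain `strace -f` text output (no timestamp flags assumed) and renders the observed syscalls in the list form `module.nix` uses for `SystemCallFilter`. The trace is a constructed sample and the function names are hypothetical; the result covers only the code paths exercised while tracing.

```python
import re

# Constructed sample of `strace -f` output (not captured from tzbot).
SAMPLE_TRACE = """\
execve("/usr/bin/demo", ["demo"], 0x7ffd0 /* 12 vars */) = 0
openat(AT_FDCWD, "/etc/ssl/certs/ca.pem", O_RDONLY|O_CLOEXEC) = 3
[pid  4242] read(3, "data", 4096) = 4
[pid  4242] futex(0x7f1c, FUTEX_WAIT_PRIVATE, 0, NULL <unfinished ...>
[pid  4243] connect(5, {sa_family=AF_INET}, 16) = -1 EINPROGRESS (Operation now in progress)
[pid  4242] <... futex resumed>) = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED} ---
[pid  4243] epoll_wait(4, [], 64, 1000) = 0
+++ exited with 0 +++
"""

# Optional "[pid N] " (terminal) or bare "N " (-o file) prefix, then either
# a call start "name(" or a continuation "<... name resumed>".
_CALL = re.compile(
    r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?(?:<\.\.\. (\w+) resumed>|(\w+)\()"
)


def observed_syscalls(trace: str) -> set[str]:
    """Return the syscall names seen in strace text output."""
    names = set()
    for line in trace.splitlines():
        m = _CALL.match(line)
        if m:  # signal ("---") and exit ("+++") lines do not match
            names.add(m.group(1) or m.group(2))
    return names


def nix_syscall_filter(names: set[str]) -> str:
    """Render an allowlist as a Nix list assignment for SystemCallFilter."""
    items = " ".join(f'"{n}"' for n in sorted(names))
    return f"SystemCallFilter = [ {items} ];"


if __name__ == "__main__":
    print(nix_syscall_filter(observed_syscalls(SAMPLE_TRACE)))
```
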

@Sereja313 force-pushed the sereja/OPS-1161-harden-service branch from 8d7ec35 to 916dd45 on March 18, 2024 14:39
@Sereja313 merged commit 9ce71ea into main on Mar 18, 2024
4 checks passed
@Sereja313 deleted the sereja/OPS-1161-harden-service branch on March 18, 2024 14:45
2 participants