diff --git a/DC-systemd-securing b/DC-systemd-securing index 1e0595555..f7aa7a79a 100644 --- a/DC-systemd-securing +++ b/DC-systemd-securing @@ -4,9 +4,11 @@ SRC_DIR="articles" IMG_SRC_DIR="images" PROFCONDITION="suse-product" -PROFOS="sles" -#PROFCONDITION="suse-product;beta" -#PROFCONDITION="community-project" - +## Profiling +PROFOS="PRODUCT" +PROFCONDITION="PRODUCTNUMBER" +STRUCTID="STRUCTURE-ID" +PROFARCH="x86_64;zseries;power;aarch64" +DOCBOOK5_RNG_URI="urn:x-suse:rng:v2:geekodoc-flat" STYLEROOT="/usr/share/xml/docbook/stylesheet/suse2022-ns" FALLBACK_STYLEROOT="/usr/share/xml/docbook/stylesheet/suse-ns" diff --git a/articles/systemd-securing.asm.xml b/articles/systemd-securing.asm.xml index eabc9892f..1c091e09a 100644 --- a/articles/systemd-securing.asm.xml +++ b/articles/systemd-securing.asm.xml @@ -18,10 +18,14 @@ --> - + + + - + + + @@ -42,7 +46,7 @@ - + &x86-64; - &power; + &power;How to improve the overall exposure - &productname; + &sles; Securing &systemd; services Securing &systemd; services @@ -101,9 +105,9 @@ WHAT? - &systemd; service files are most often used to operate one or more &systemd; - services, such as starting, stopping or viewing the status of the service. Besides - this, the service files can limit the privileges of the service they control. + &systemd; service files are a powerful tool for managing services in a Linux environment. + These service files are used to operate one or more &systemd; services such as starting,enabling,stopping or viewing the + status of the service. Additionally, the service files can limit the privileges of the service they control. @@ -111,7 +115,7 @@ WHY? - Using security options of &systemd; service files increases the security of the + Using the security options of &systemd; service files increases the security of the service they control. This adds another security layer of the whole operating system. 
@@ -121,8 +125,7 @@ EFFORT - It takes less than 15 minutes to understand how &systemd; can control the security - level of &systemd; services. + 20 minutes of reading time. @@ -132,12 +135,12 @@ - Good knowledge of the &systemd; environment + Basic understanding of Linux commands - &rootuser; privileges + Basic understanding of Linux processes, daemons, and control groups @@ -146,19 +149,18 @@ - - + + - Analyzing the security level + How to analyze the security of a &systemd; service - + - Techniques of securing + For more information - - + diff --git a/concepts/systemd-securing.xml b/concepts/systemd-securing.xml index 31ec4a133..60f13b16d 100644 --- a/concepts/systemd-securing.xml +++ b/concepts/systemd-securing.xml @@ -14,7 +14,8 @@ xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:trans="http://docbook.org/ns/transclusion"> - Secure &systemd; services + Introduction to securing &systemd; services + Linux increases its security by separating privileges between individual components of the @@ -30,23 +31,32 @@ them from certain privileges that normal users are allowed to use. - -
- How does securing services with &systemd; work? - - There are several methods to secure processes and applications that you can use - simultaneously. For example, confining with &selnx; or &aa; is - recommended. &systemd; can apply additional restrictions to local services by using - technologies included in the kernel. These restrictions are activated by adding specific - options to the &systemd; service definition and restarting the service. - -
+
- Benefits of securing services + Why is securing &systemd; services important? Securing &systemd; services increases the security of the whole operating system and protects - sensitive data contained on its file system. + sensitive data contained on its file system. With &systemd;, you can configure your system in many ways. + &systemd; runs as the first process on boot (PID1) which means that it has a lot of power on your Linux environment. + &systemd; can apply additional restrictions to local services by using technologies included in the kernel. + These restrictions are activated by adding specific options to the systemd service definition and restarting the service. + &systemd; has a command-line tool systemd-analyze security. This command analyses the services and checks + if the services are using its security options. +
+
+ What is the <command>systemd-analyze security</command> command? + + The command analyzes the security and sandboxing settings of the specified service units. + A detailed analysis of the security settings is executed and displayed. + If a service unit is not specified, all currently loaded, long-running service units are inspected and the results are displayed in a terse table. + +Upon checking the security settings, the command assigns a numeric value , also known as exposure level. + This value is dependent on how important a setting is. It then calculates an overall exposure level for the whole unit. This value ranges + from 0.0-10.0, which is an indicator of how exposed a service is security wise. + High exposure levels indicate that the service might benefit from additional security settings. + While low exposure levels indicate tight security restrictions. +
diff --git a/glues/systemd-securing-more-info.xml b/glues/systemd-securing-more-info.xml index b9bbd3f86..4be4932c4 100644 --- a/glues/systemd-securing-more-info.xml +++ b/glues/systemd-securing-more-info.xml @@ -18,39 +18,28 @@ - All security options are described in &systemd;'s man pages. Refer to man 5 - systemd.exec. + man 5 systemd.exec - The list of currently defined kernel capabilities is available in man 7 - capabilities. + man 7 capabilities - Enabling and disabling &systemd; services is described in - . + Introduction to &systemd; basics - Managing &systemd; targets with systemctl is described in - . + Managing &systemd; services - - - - Sending termination signals to &systemd; services is described in - . - - +
- Starting and stopping &systemd; services is described in - . + System and Service Manager - + diff --git a/tasks/systemd-example-secure-service.xml b/tasks/systemd-example-secure-service.xml new file mode 100644 index 000000000..6935d40f8 --- /dev/null +++ b/tasks/systemd-example-secure-service.xml @@ -0,0 +1,167 @@ + + + %entities; +]> + + + How to analyze the security of a &systemd; service? + + + + Use the systemd-analyze security command to analyze the security settings of a &systemd; service. + The security option analyzes the security and the sandboxing settings of one or more specified services. + + + + + + + Create a &systemd; service in the /etc/systemd/system. + + Reload the service files to include the new service: + &prompt.sudo; systemctl daemon-reload + + Start,enable, and check the status of the service: +&prompt.sudo; systemctl start SERVICE_NAME +&prompt.sudo;systemctl enable SERVICE_NAME +&prompt.sudo; systemctl status SERVICE_NAME + + + Analyze the security settings of the service: + &prompt.sudo; systemd-analyze security SERVICE_NAME + For example: +&prompt.sudo; systemd-analyze security test.service +NAME DESCRIPTION EXPOSURE +✗ PrivateNetwork= Service has access to the host's network 0.5 +✗ User=/DynamicUser= Service runs as root user 0.4 +✗ DeviceAllow= Service has no device ACL +... +→ Overall exposure level for test.service: 9.6 UNSAFE 😨 + + + +
+ How to improve the overall exposure + Use the command systemd-analyze security to analyze the security settings of a + &systemd; service. For example: + +NAME DESCRIPTION EXPOSURE +✗ PrivateNetwork= Service has access to the host's network 0.5 +✗ User=/DynamicUser= Service runs as root user 0.4 +✗ DeviceAllow= Service has no device ACL 0.2 +... +→ Overall exposure level for test.service: 9.6 UNSAFE 😨 + + If you get 9.6 UNSAFE, this is not good but you can use the following options to improve the rating. + + + NoNewPrivileges=yes + + + New privileges are not required. + + + + + PrivateTmp=yes + + + Private directory for temporary files. This option provides the service with a private /tmp isolated from + the host system's /tmp. The shared host /tmp + directory is a major source of security problems, such as symlink attacks and DoS + /tmp temporary files. + + + + + PrivateNetwork=yes + + + This option isolates the service and its processes from networking. This prevents + external network requests from reaching the protected service. Be aware that certain + services require the network to be operational. + + + + + InaccessibleDirectories=/home + + + This option makes the specified directories inaccessible to the service. This option + narrows the range of directories that can be read or modified by the service, for + example, to secure users' private files. + + + + + ReadOnlyDirectories=/var + + + This option makes the specified directories inaccessible for writing to the service. The + example configuration makes the whole tree below /var read-only. + This option prevents the service from damaging the system files. + + + + + CapabilityBoundingSet=CAP_CHOWN CAP_KILL + + + This option restricts the kernel capabilities that a service can retain. In the example + above, only the CAP_CHOWN and CAP_KILL capabilities + are retained by the service, and the service and any processes it creates cannot obtain + any other capabilities, not even via setuid binaries. 
+ + + The <command>pscap</command> command tool + + To easily identify which processes on your system retain which capabilities, use the + pscap command tool from the libcap-ng-utils package. + + + + + The ~ prefix inverts the meaning of the option—. Instead of + listing all capabilities that the service retains, you can list the ones it does not + retain: + +... +[Service] +CapabilityBoundingSet=~CAP_SYS_PTRACE +... + + + + + + LimitNPROC=1, LimitFSIZE=0 + + + You can use resource limits to apply security limits on services. + Two of them can disable specific operating system features: + disables precess forking, while + disables creating non-empty files on the file system. + + + + + DeviceAllow=/dev/null rw + + + This option limits access to /dev/null, disallowing access to any + other device nodes. + + + + +
+ +
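Review bot: the new profiling block in DC-systemd-securing leaves template placeholders in place and shadows an earlier setting. PROFOS="PRODUCT", PROFCONDITION="PRODUCTNUMBER" and STRUCTID="STRUCTURE-ID" are not real values (the removed line had PROFOS="sles"), and the added PROFCONDITION="PRODUCTNUMBER" line overrides the PROFCONDITION="suse-product" kept three lines above it, so that condition no longer takes effect. Fill in the real product values or drop the placeholder assignments before merging, and keep only one PROFCONDITION= line.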
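Review bot: in the WHAT? hunk of articles/systemd-securing.asm.xml, "starting,enabling,stopping or viewing" is missing the spaces after the commas, and the new opening sentence ("a powerful tool for managing services in a Linux environment") says nothing the following sentence does not already say. Suggest: "These service files are used to operate one or more &systemd; services, such as starting, enabling, stopping or viewing the status of a service. Additionally, the service files can limit the privileges of the service they control."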
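Review bot: the prerequisites hunk removes "&rootuser; privileges", but the new task file shows every command with &prompt.sudo; (systemctl daemon-reload, start, enable, status) and creating a unit in /etc/systemd/system needs root as well. Keep the privilege prerequisite next to the two new "Basic understanding" items rather than dropping it.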
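Review bot: the concepts/systemd-securing.xml hunk loses the statement that &systemd; restrictions are applied in addition to confinement with &selnx; or &aa; and that the methods can be used simultaneously; that defence-in-depth point was the substance of the removed "How does securing services with &systemd; work?" section and should survive the rewrite, either as its own section or as a sentence in "Why is securing &systemd; services important?". In the rewritten "Why" paragraph, "it has a lot of power on your Linux environment" is vague (say that PID 1 starts and supervises every other service, so its restrictions apply system-wide), "systemd service definition" should use the &systemd; entity, and "checks if the services are using its security options" reads better as "checks which security options each service uses". In the new "What is the systemd-analyze security command?" section: stray space in "a numeric value , also known as exposure level"; "analyses" and "analyzes" both appear, pick one spelling; "security wise" should be "security-wise"; and "While low exposure levels indicate tight security restrictions." is a sentence fragment, so join it to the previous sentence: "High exposure levels indicate that the service might benefit from additional security settings, while low exposure levels indicate tight security restrictions." Also make the direction of the scale explicit: 0.0 is the least exposed and 10.0 the most.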
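Review bot: the glues/systemd-securing-more-info.xml hunk strips the descriptions from the link entries, so "man 5 systemd.exec" and "man 7 capabilities" no longer tell the reader what they will find there, although the removed text did ("All security options are described in ...", "The list of currently defined kernel capabilities is available in ...") and the new task section relies on both pages. Keep a short description with each entry. The entry on sending termination signals is removed outright while the neighbouring entries are only re-titled; confirm that is intentional rather than an accident of the rewrite.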
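Review bot: three of the recommended settings in the new tasks/systemd-example-secure-service.xml need a correctness check before the file lands. InaccessibleDirectories= and ReadOnlyDirectories= are the old spellings; systemd.exec(5), which the page itself points to, documents them as InaccessiblePaths= and ReadOnlyPaths= and keeps the *Directories= names only as deprecated aliases, so use the current names in both the terms and the prose. LimitNPROC=1 sets RLIMIT_NPROC, a per-UID limit that the kernel does not enforce for processes holding CAP_SYS_RESOURCE or CAP_SYS_ADMIN; on the example service, which the page's own output says "runs as root user", it has no effect unless combined with User=, and TasksMax= is the control that caps the processes of a unit regardless of user, so say so in the entry. DeviceAllow=/dev/null rw on its own does not disallow "any other device nodes": with the default DevicePolicy=auto, listing a device switches the unit to the closed policy, which still permits the standard pseudo devices (/dev/null, /dev/zero, /dev/full, /dev/random, /dev/urandom), so state that DevicePolicy=strict is needed for the behaviour the text describes. Smaller points in the same hunk: "disables precess forking" should read "process"; that sentence reads "forking, while disables creating" with no option names between the clauses, so check that the two <option> elements for LimitNPROC=1 and LimitFSIZE=0 are present; "inverts the meaning of the option—." has a stray dash; the PrivateTmp entry ends in the fragment "DoS /tmp temporary files", which looks truncated; and NoNewPrivileges= should say what it does (the service and its child processes cannot gain privileges through setuid/setgid binaries or file capabilities) rather than "New privileges are not required." In the procedure: "Create a &systemd; service in the /etc/systemd/system." is missing the word "directory" and shows no unit, yet the output that follows scores test.service at 9.6, so include the unit file the output came from to make the score reproducible; "Start,enable," is missing a space; "&prompt.sudo;systemctl enable" is missing the space after the prompt entity; the first listing omits the 0.2 exposure value for DeviceAllow= that the second listing shows, so make the two listings identical; and "The security option analyzes" should say "The security verb", since security is a subcommand of systemd-analyze, not an option.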