
Systemd service sandboxing and security hardening 101 - signa11
https://www.ctrl.blog/entry/systemd-service-hardening.html
======
atonse
Didn’t know about this. This is the sort of stuff that makes me like systemd so much.

So many useful tools possible by doing things in a declarative way.

------
shrubble
"The exposure score is entirely based on a service’s utilization of security
features provided by systemd. It doesn’t consider security features built-in
to the program or enforced by access control policies like Security-Enhanced
Linux (SELinux) or AppArmor. Nor does the score in any way evaluate the risk
factors of a program or its configuration."

So an SSH config with PermitRootLogin Yes with passwords allowed, with an
unpatched vulnerability, but that uses systemd, will be marked as _safer_ than
a locked down SSH config that is kept updated but which doesn't use any
systemd features.

Is that an accurate statement?

~~~
codys
The article is about a tool to examine the declarative service configuration
provided by systemd. It does not examine services for "unpatched
vulnerabilities". Nor does it examine ssh configuration options. It only
examines declared sandboxing config in systemd unit files.

If you want a vulnerability scanner and generalized config analysis tool, this
isn't it.
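To make concrete what the exposure score does and does not measure, here is an added example (not from the article or from anyone in this thread) of the kind of declarative sandboxing a drop-in file can add to a hypothetical example.service; these directives are what `systemd-analyze security example.service` scores, while the daemon's own configuration (such as an sshd_config) is never read by it.

```ini
# Added example for a hypothetical example.service, not a real project's unit.
# Install as /etc/systemd/system/example.service.d/hardening.conf, then run:
#   systemctl daemon-reload && systemd-analyze security example.service
# The score reflects only directives like these, not the program's own config.
[Service]
# Drop privileges: no capabilities, no setuid re-escalation, transient unprivileged user
CapabilityBoundingSet=
AmbientCapabilities=
NoNewPrivileges=true
DynamicUser=true
# Filesystem: read-only OS tree, no /home, private /tmp and /dev, minimal /proc view
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectProc=invisible
ProcSubset=pid
# The only writable location is the managed state directory (/var/lib/example)
StateDirectory=example
# Kernel and host attack surface
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
# Namespace, socket family and personality restrictions
PrivateUsers=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
MemoryDenyWriteExecute=true
# Seccomp: allow the usual service syscalls, then deny privileged/resource ones
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallErrorNumber=EPERM
UMask=0077
```

Apply these incrementally and watch the journal for EPERM failures, since MemoryDenyWriteExecute breaks JIT runtimes and PrivateUsers breaks services that need to change UID.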

