Using systemd features to secure services - DevConf.CZ 2020
Speakers: Zbigniew Jędrzejewski-Szmek
Systemd provides a bunch of features which can be used to contain and secure services.
First, it performs setup like creating runtime directories and opening sockets, so the service doesn't need privileges.
Second, it makes it easy to run services as unprivileged users, removing a whole set of problems.
Third, it uses kernel features like mount and network namespaces, capabilities, resource limits, to constrain services.
Fourth, it implements additional filters using BPF (per-service firewalls, devices controller).
Fifth, it does resource cleanup after the service is done, removing the need for privileges again.
We could use this to vastly simplify services and to provide an additional level of security for system services.
More and more services in Fedora are making use of this, but the common case is still to run as root will full access to everything the service doesn't need. I'll talk about the features that are the most useful and how they can be used in practice.
[ https://sched.co/YOtS ]
--
Recordings of talks at DevConf are a community effort. Unfortunately not everything works perfectly every time. If you're interested in helping us improve, let us know.
Видео Using systemd features to secure services - DevConf.CZ 2020 канала DevConf
Systemd provides a bunch of features which can be used to contain and secure services.
First, it performs setup like creating runtime directories and opening sockets, so the service doesn't need privileges.
Second, it makes it easy to run services as unprivileged users, removing a whole set of problems.
Third, it uses kernel features like mount and network namespaces, capabilities, resource limits, to constrain services.
Fourth, it implements additional filters using BPF (per-service firewalls, devices controller).
Fifth, it does resource cleanup after the service is done, removing the need for privileges again.
We could use this to vastly simplify services and to provide an additional level of security for system services.
More and more services in Fedora are making use of this, but the common case is still to run as root will full access to everything the service doesn't need. I'll talk about the features that are the most useful and how they can be used in practice.
[ https://sched.co/YOtS ]
--
Recordings of talks at DevConf are a community effort. Unfortunately not everything works perfectly every time. If you're interested in helping us improve, let us know.
Видео Using systemd features to secure services - DevConf.CZ 2020 канала DevConf
Показать
Комментарии отсутствуют
Информация о видео
Другие видео канала
Managing Containers in Podman with Systemd Unit Files
Uplift your Linux systems programming skills with systemd and D-Bus Practical examples and best pra…
Systemd Is Hated By Many, But Does It Deserve It?
Building reactive microservices with MicroProfile - DevConf.CZ 2022
Keynote: Security Features in systemd, Lennart Poettering
10 Tips to Secure your Computer from Hackers and Viruses | Working From Home Tips
The s6 supervision suite A modern alternative to systemd
Tutorial: Introduction to the Embedded Boot Loader U-boot - Behan Webster, Converse in Code
Using systemd-nspawn for Lightweight Containers in Fedora 21
How To Use Lynis to Audit your Linux, macOS or BSD system |
WireGuard Overview
On systemd, Gentoo and Void Linux (Switching from Arch Linux?)
WireGuard: Next Generation Secure Network Tunnel![Scan for Vulnerabilities on Any Website Using Nikto [Tutorial]](https://i.ytimg.com/vi/K78YOmbuT48/default.jpg)
Scan for Vulnerabilities on Any Website Using Nikto [Tutorial]![Discover & Scan for Devices on a Network with ARP [Tutorial]](https://i.ytimg.com/vi/4xaWoZE8eik/default.jpg)
Discover & Scan for Devices on a Network with ARP [Tutorial]
Building initrd images from rpms - DevConf.CZ 2022![Gentoo - OpenRC vs Arch Linux - SystemD vs Void - Runit [Linux]](https://i.ytimg.com/vi/jTVVrmhpFV0/default.jpg)
Gentoo - OpenRC vs Arch Linux - SystemD vs Void - Runit [Linux]
How to Create and Execute New Service Units in SystemD - Shell Script
How To Setup WireGuard (Easy VPN)
The emergence of In-Vehicle OS - DevConf.CZ 2022