parsec.service hardening #569

Closed
ggardet opened this issue Dec 21, 2021 · 1 comment · Fixed by #572
Labels
* code health: Issues concerning overall code quality, safety and best practice
* enhancement: New feature or request
* security: Issues related to the security and privacy of the service

ggardet commented Dec 21, 2021

openSUSE is performing a Systemd hardening effort. See: https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
As part of this effort, they suggested this patch for the parsec.service file:

Index: parsec-0.8.0/systemd-daemon/parsec.service
===================================================================
--- parsec-0.8.0.orig/systemd-daemon/parsec.service
+++ parsec-0.8.0/systemd-daemon/parsec.service
@@ -3,6 +3,17 @@ Description=Parsec Service
 Documentation=https://parallaxsecond.github.io/parsec-book/parsec_service/install_parsec_linux.html
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 WorkingDirectory=/home/parsec/
 ExecStart=/usr/libexec/parsec/parsec --config /etc/parsec/config.toml
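
Review bot: ProtectHome=true conflicts with the unchanged context line WorkingDirectory=/home/parsec/ at the end of this hunk. With ProtectHome=true systemd makes /home, /root and /run/user inaccessible and empty for the unit's processes, so the working directory would not be reachable and the change into it at start-up can be expected to fail when the unit is used exactly as shown. Either move the working directory outside /home in the same change, or choose a ProtectHome= value that matches how the service uses that directory (read-only only helps if nothing is written there), and confirm by starting this exact unit rather than a packaged variant. Separately, the "added automatically" and "end of automatic additions" markers are packaging-tool wording; for an upstream unit a short comment saying these are systemd sandboxing options would read better.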

I gave it a quick light try with a few parsec-tool commands and I did not spot any failure.

What do you think about this?

bmwiedemann pushed a commit to bmwiedemann/openSUSE that referenced this issue Dec 21, 2021
https://build.opensuse.org/request/show/941864
by user Guillaume_G + dimstar_suse
- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
  * harden_parsec.service.patch
  Modified:
  * parsec.service
  * Upstream submission: parallaxsecond/parsec#569
@ionut-arm
Member

Hey! Thanks for the suggestions, those options look helpful, I'll investigate a bit to see if there's anything else we could benefit from for Parsec in particular.

ionut-arm added the code health, enhancement and security labels Jan 10, 2022
ionut-arm added a commit to ionut-arm/parsec that referenced this issue Jan 10, 2022
Add the options suggested by the openSUSE maintainers (see parallaxsecond#569 ) for
systemd hardening.

Signed-off-by: Ionut Mihalcea <ionut.mihalcea@arm.com>