This is a hardening profile to help securing nginx by using systemd unit configuration. It’s goal is to restrict what nginx can do and make it harder for any possible vulnerability to be misused.
The rationale for the selected settings is based on the analysis as part of the article Hardening nginx with systemd security features.
Relevant FAQ: How to use systemctl edit to change a service?
Depending on external components such as PHP, temporary files may need to be made accessible. When possible, define an alternative directory and keep PrivateTmp enabled.
| Long option | Short option | What the option does |
|---|---|---|
| --catalog | -x | Show log lines with additional help or suggestions where available |
| --disk-usage | Show size of the archived and active journals | |
| --follow | -f | Track changes, like tail -f |
| --lines= | -n | Show X number of lines (most recent) |
| --output= | -o | Define what output format should be used for journal entries |
| --pager-end | -e | Go to the end of the pager output, so the last entries are visibible |
| --reverse | -r | Reverse output, newest on top |
| --since= | -S | Limit the data to a specific period (begin) |
| --unit | -u | Specify the unit when querying the logs or taking an action |
| --until= | -U | Limit the data to a specific period (end) |
| --vacuum-files | Trim journal logs by number | |
| --vacuum-size | Clear log entries from journal logs by specifying total size | |
| --vacuum-time | Clear log entries from journal logs by specifying time (age) | |
| --verify | Integrity check of the journals |
The size of the journals can displayed with --disk-usage, which may be useful when the file system is getting full.
# journalctl --disk-usage
Archived and active journals take up 160.0M in the file system.
To verify the integrity of the journals, use the --verify option.
# journalctl --verify
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/system@ca889eb2eae24e41b37a50d33bad131c-0000000000000001-00060ed90326924f.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/user-1000@aeb5e2f412954ecfaa870c245338cb93-00000000000036b8-000611a51acdc7d0.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/user-1000@aeb5e2f412954ecfaa870c245338cb93-00000000000004e2-00060ed9041f690a.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/user-1000.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/system@ca889eb2eae24e41b37a50d33bad131c-0000000000014c26-000613a20f360102.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/system.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/user-1000@aeb5e2f412954ecfaa870c245338cb93-0000000000014e03-000613d7a3bb17e3.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/system@ca889eb2eae24e41b37a50d33bad131c-0000000000003334-0006113d51794916.journal
There are many ways to query the journals. One of them is simply running journalctl and start scrolling. But there are better ways!
Show messages of today with the --since= option and define the period.
journalctl --since="today"
To shorten the period, we can tell it to show only very recent entries of fifteen minutes ago or newer.
journalctl --since="15 minutes ago"
We can also provide a range, with the combination of since and until.
journalctl --since="2024-02-01" --until="2024-04-01"
For troubleshooting it may help to increase the period, but include a unit name to strip out much of the unneeded entries.
journalctl --unit ssh.service --since="1 week ago"
Journalctl allows to query by priority. Here are the available levels:
| Priority level | Name |
|---|---|
| 0 | emerg |
| 1 | alert |
| 2 | crit |
| 3 | err |
| 4 | warning |
| 5 | notice |
| 6 | debug |
| 7 | info |
Use the short notation, but now include the unit name in the output, and limit messages to a priority (including the ones with lower number, meaning a higher priority).
journalctl -S "today" --output=with-unit --priority=err
Only show some levels (notice, debug, and info)
journalctl -p 5..7
When querying by facility, which are common with syslog, define the right value. To know the available facilities, use the ‘help’.
# journalctl --facility=help
Available facilities:
kern
user
mail
daemon
auth
syslog
lpr
news
uucp
cron
authpriv
ftp
12
13
14
15
local0
local1
local2
local3
local4
local5
local6
local7
Similar to the grep tool, there are a few options available to search in the journals. It shares the same name, but is an option instead.
journalctl --grep "[bB]lock"
Regular expressions are allowed, so be aware of case-sensitive filtering.
Want to search and not worry about lowercase and uppercase?
journalctl --case-sensitive=false --grep "block"
Show only the entries flagged with priority ERROR.
journalctl -p err
Or since last boot:
journalctl -b -p err
Journalctl allows to limit the output to a specific number of lines. To show the last 10 lines, which is equal to --lines=10, we can use -n.
journalctl -n
We can also combine it with a unit, and show only 5 lines.
journalctl -u ssh.service -n 5
Keep track of new additions, we can use the --follow option, similar to tail -f.
journalctl --follow
When the journal gets too big, decrease its size by performing a vacuum action.
journalctl --vacuum-size=256M
It is also possible to set a time period instead, like 4 weeks.
journalctl --vacuum-time=4w
Another possibility is defining the number of logs.
journalctl --vacuum-files=5
Did I miss something that really should be included in this cheat sheet? Let it know!
]]>The systemd unit setting ProtectControlGroups reduces write access to cgroup or Linux control groups. Information about cgroups are normally available under /sys/fs/cgroup. This setting may restrict a process from writing anything to this directory structure.
Before systemd 257, only boolean values (yes/no, true/false) were accepted. With systemd 257 private and strict where added.
For most services ProtectControlGroups can be turned on. Only container managers do require write access to the control groups structures.
[Service]
ProtectControlGroups=yes