Hardening profiles for systemd
Introduction
Systemd has a range of security features to help securing services running on your system. That is the good part. The big challenge with so many features is that it is hard to find out which ones you could or should apply, without breaking a service. That is why we started working on hardening profiles.
The hardening profiles are pre-defined templates that are documented and tested against a default installation of a piece of software. System administrators then can use this as the foundation of their service and tune it slightly to their specific configuration.
Before you apply hardening profiles
While it sounds great that you can use predefined templates, there are risks:
- Something might stop working
- Small adjustments might be needed
- The profiles are as good as the feedback that you provide to improve them
So let’s share a disclaimer: you are responsible for testing and applying a profile, monitoring your service, take the right actions. These profiles are provided as-is, without any guarantees.
Troubleshooting tips
Is the profile not working correctly, giving errors, or does a service no longer start up? Have a look at how to troubleshooting a failed unit.
Feedback wanted!
So did you make a change? Send that feedback and share what you changed and why. With that feedback the profiles can be updated. Good to share: Did the profile not work right away, or do you have a special setup which required you to make an adjustment?
Nginx hardening profile
Harden the nginx configuration with the help of systemd sandboxing capabilities and restricting resources.