Hardening profiles for systemd

Introduction

Systemd has a range of security features to help securing services running on your system. That is the good part. The big challenge with so many features is that it is hard to find out which ones you could or should apply, without breaking a service. That is why we started working on hardening profiles.

The hardening profiles are predefined templates that are documented and tested against a default installation of a piece of software. System administrators then can use this as the foundation of their service and tune it slightly to their specific configuration.

Before you apply hardening profiles

While it sounds great that you can use predefined templates, there are risks:

  • Something might stop working
  • Small adjustments might be needed
  • The profiles are as good as the feedback that you provide to improve them

So let’s share a disclaimer: you are responsible for testing and applying a profile, monitoring your service, take the right actions. These profiles are provided as-is, without any guarantees.

Troubleshooting tips

Is the profile not working correctly, giving errors, or does a service no longer start up? Have a look at how to troubleshooting a failed unit.

Feedback wanted!

So did you make a change? Send that feedback and share what you changed and why. With that feedback the profiles can be updated. Good to share: Did the profile not work right away, or do you have a special setup which required you to make an adjustment?

Nginx hardening profile

Harden the nginx configuration with the help of this predefined profile that implements systemd sandboxing capabilities and restricting resources.

OpenSMTPD hardening profile

Tighten the already secure OpenSMTPD software on Linux by using this predefined profile that uses the systemd sandboxing options.