DAW/furt

Fork 0

systemd Service Hardening: Security-Optionen für Production #110

New issue

Closed

opened 2025-09-05 22:30:10 +02:00 by michael · 5 comments

michael commented

2025-09-05 22:30:10 +02:00

Owner

Purpose

Systemd-Service mit Security-Optionen für Production-Deployments härten.

Current State

Basis-systemd-Service funktional aber ohne Security-Hardening:

Standard systemd permissions
Full filesystem access
Keine process isolation

Proposed Security-Hardening

Filesystem-Protection

ProtectSystem=strict - Read-only filesystem
ReadWritePaths=/var/run /var/log/furt - Nur notwendige Pfade
ProtectHome=yes - Home-Verzeichnisse blockieren
PrivateTmp=yes - Isolierte /tmp

Process-Isolation

NoNewPrivileges=yes - Privilege escalation verhindern
RestrictSUIDSGID=yes - SUID/SGID Programme blockieren

Network-Hardening (optional)

RestrictAddressFamilies=AF_INET AF_INET6 - Nur IP-Protokolle
IPAddressDeny=any + IPAddressAllow=localhost - Local-only binding

Implementation

Erweiterte systemd-Service-Template in deployment/linux/furt-hardened.service

Testing-Plan

Standard-Service (current) vs Hardened-Service
Verify furt functionality with restrictions
Document any required filesystem exceptions

Priority

Medium - Security-Enhancement für Production, nicht für Basis-Funktionalität erforderlich

Dependencies

Issue #100 PID-File Service-Management (foundation)
Issue #102 Documentation updates (coordination)

## Purpose Systemd-Service mit Security-Optionen für Production-Deployments härten. ## Current State Basis-systemd-Service funktional aber ohne Security-Hardening: - Standard systemd permissions - Full filesystem access - Keine process isolation ## Proposed Security-Hardening ### Filesystem-Protection - `ProtectSystem=strict` - Read-only filesystem - `ReadWritePaths=/var/run /var/log/furt` - Nur notwendige Pfade - `ProtectHome=yes` - Home-Verzeichnisse blockieren - `PrivateTmp=yes` - Isolierte /tmp ### Process-Isolation - `NoNewPrivileges=yes` - Privilege escalation verhindern - `RestrictSUIDSGID=yes` - SUID/SGID Programme blockieren ### Network-Hardening (optional) - `RestrictAddressFamilies=AF_INET AF_INET6` - Nur IP-Protokolle - `IPAddressDeny=any` + `IPAddressAllow=localhost` - Local-only binding ## Implementation Erweiterte systemd-Service-Template in `deployment/linux/furt-hardened.service` ## Testing-Plan - Standard-Service (current) vs Hardened-Service - Verify furt functionality with restrictions - Document any required filesystem exceptions ## Priority Medium - Security-Enhancement für Production, nicht für Basis-Funktionalität erforderlich ## Dependencies - Issue #100 PID-File Service-Management (foundation) - Issue #102 Documentation updates (coordination)

michael added the

labels 2025-09-05 22:30:10 +02:00

michael referenced this issue

2025-09-05 22:30:44 +02:00

Service-Management: pexp-Pattern durch PID-File ersetzen #100

michael added this to the v0.1.2 - Gateway Basics milestone 2025-09-05 22:38:19 +02:00

michael referenced this issue from a commit

2025-09-07 18:43:39 +02:00

feat(deployment): add systemd security hardening

michael commented

2025-09-07 18:45:59 +02:00

Author

Owner

Issue-Scope Reduction

Nach Review reduziert auf pragmatische Security-Optionen:

Entfernt: SystemCallFilter, Capabilities, IPv6, Memory-Protection
Grund: Security-Theater vs. tatsächlicher Nutzen

Behalten: 6 sinnvolle Optionen:

ProtectSystem=strict
ReadWritePaths (nur was nötig)
ProtectHome=yes
NoNewPrivileges=yes
PrivateTmp=yes
RestrictAddressFamilies=AF_INET

Vorteil: Weniger Dokumentation, weniger Debugging, gleicher Security-Nutzen.

## Issue-Scope Reduction Nach Review reduziert auf **pragmatische Security-Optionen**: **Entfernt:** SystemCallFilter, Capabilities, IPv6, Memory-Protection **Grund:** Security-Theater vs. tatsächlicher Nutzen **Behalten:** 6 sinnvolle Optionen: - ProtectSystem=strict - ReadWritePaths (nur was nötig) - ProtectHome=yes - NoNewPrivileges=yes - PrivateTmp=yes - RestrictAddressFamilies=AF_INET **Vorteil:** Weniger Dokumentation, weniger Debugging, gleicher Security-Nutzen.

michael added

and removed

labels 2025-09-07 18:46:15 +02:00

michael commented

2025-09-07 19:10:36 +02:00

Author

Owner

Debian Testing: SUCCESS ✅

johann (Debian 12, systemd 247):

Service starts normally with all security options
API responds on localhost:7811
Memory usage: 812K (no performance impact)
No permission errors in logs

All 6 security features working:

ProtectSystem=strict ✅
ReadWritePaths ✅
ProtectHome=yes ✅
NoNewPrivileges=yes ✅
PrivateTmp=yes ✅
RestrictAddressFamilies=AF_INET ✅

Ready for klaus (Arch) testing.

## Debian Testing: SUCCESS ✅ **johann (Debian 12, systemd 247):** - Service starts normally with all security options - API responds on localhost:7811 - Memory usage: 812K (no performance impact) - No permission errors in logs **All 6 security features working:** - ProtectSystem=strict ✅ - ReadWritePaths ✅ - ProtectHome=yes ✅ - NoNewPrivileges=yes ✅ - PrivateTmp=yes ✅ - RestrictAddressFamilies=AF_INET ✅ Ready for klaus (Arch) testing.

michael commented

2025-09-07 19:11:15 +02:00

Author

Owner

Multi-Distro Testing: COMPLETE ✅

Testing Results:

johann (Debian 12, systemd 247): ✅ All features working
klaus (Arch Linux, systemd ~256): ✅ All features working

Security hardening stable across:

Old systemd (247) and new systemd (256)
Debian/Ubuntu and Arch distributions
No performance impact (812K RAM usage)

Ready for production deployment.

Next Steps:

Implement security hardening
Test on Debian
Test on Arch
Document security options (brief explanation)
Merge to main

## Multi-Distro Testing: COMPLETE ✅ **Testing Results:** **johann (Debian 12, systemd 247):** ✅ All features working **klaus (Arch Linux, systemd ~256):** ✅ All features working **Security hardening stable across:** - Old systemd (247) and new systemd (256) - Debian/Ubuntu and Arch distributions - No performance impact (812K RAM usage) **Ready for production deployment.** **Next Steps:** - [x] Implement security hardening - [x] Test on Debian - [x] Test on Arch - [ ] Document security options (brief explanation) - [ ] Merge to main

michael commented

2025-09-07 19:12:31 +02:00

Author

Owner

Issue #110: systemd Service Hardening - Pragmatische Security-Optionen

State: open
Labels: effort/small, priority/medium, status/to-go, type/security
Milestone: v0.1.2 - Gateway Basics
Created: 2025-09-05T22:30:10+02:00
URL: #110

Description

Purpose

Systemd-Service mit pragmatischen Security-Optionen für Production-Deployments härten. Fokus auf das Nötige ohne Overhead.

Current State

Basis-systemd-Service funktional aber ohne Security-Hardening:

Standard systemd permissions
Full filesystem access
Keine process isolation

Proposed Security-Hardening (Minimal)

Filesystem-Protection

ProtectSystem=strict - Read-only filesystem
ReadWritePaths=/var/run/furt /var/log/furt - Nur notwendige Pfade
ProtectHome=yes - Home-Verzeichnisse blockieren

Process-Hardening

NoNewPrivileges=yes - Privilege escalation verhindern
PrivateTmp=yes - Isolierte /tmp

Network-Restriction

RestrictAddressFamilies=AF_INET - Nur IPv4 (was furt nutzt)

Implementation

6 zusätzliche Zeilen in deployment/linux/furt.service

Testing-Plan

Standard-Service vs Hardened-Service
Verify furt startet und läuft normal
Test API-Zugriff auf localhost:7811
Check log-writing nach /var/log/furt

Documentation

Kurze Erklärung jeder Option (Warum/Was)
Troubleshooting falls Permission-Probleme

Priority

Medium - Pragmatisches Security-Enhancement ohne Complexity-Overhead

Dependencies

Issue #100 PID-File Service-Management (foundation)

# Issue #110: systemd Service Hardening - Pragmatische Security-Optionen **State:** open **Labels:** effort/small, priority/medium, status/to-go, type/security **Milestone:** v0.1.2 - Gateway Basics **Created:** 2025-09-05T22:30:10+02:00 **URL:** https://smida.dragons-at-work.de/DAW/furt/issues/110 ## Description ## Purpose Systemd-Service mit **pragmatischen** Security-Optionen für Production-Deployments härten. Fokus auf das Nötige ohne Overhead. ## Current State Basis-systemd-Service funktional aber ohne Security-Hardening: - Standard systemd permissions - Full filesystem access - Keine process isolation ## Proposed Security-Hardening (Minimal) ### Filesystem-Protection - `ProtectSystem=strict` - Read-only filesystem - `ReadWritePaths=/var/run/furt /var/log/furt` - Nur notwendige Pfade - `ProtectHome=yes` - Home-Verzeichnisse blockieren ### Process-Hardening - `NoNewPrivileges=yes` - Privilege escalation verhindern - `PrivateTmp=yes` - Isolierte /tmp ### Network-Restriction - `RestrictAddressFamilies=AF_INET` - Nur IPv4 (was furt nutzt) ## Implementation 6 zusätzliche Zeilen in `deployment/linux/furt.service` ## Testing-Plan - Standard-Service vs Hardened-Service - Verify furt startet und läuft normal - Test API-Zugriff auf localhost:7811 - Check log-writing nach `/var/log/furt` ## Documentation - Kurze Erklärung jeder Option (Warum/Was) - Troubleshooting falls Permission-Probleme ## Priority Medium - Pragmatisches Security-Enhancement ohne Complexity-Overhead ## Dependencies - Issue #100 PID-File Service-Management (foundation)

michael commented

2025-09-07 19:13:07 +02:00

Author

Owner

Issue Complete - Ready for Merge

Implementation: 6 security lines in furt.service
Testing: Debian + Arch successful
Documentation: Included in issue description
Performance: No impact (812K RAM)

All requirements fulfilled.

## Issue Complete - Ready for Merge **Implementation:** 6 security lines in furt.service **Testing:** Debian + Arch successful **Documentation:** Included in issue description **Performance:** No impact (812K RAM) All requirements fulfilled.

michael closed this issue

2025-09-07 19:13:07 +02:00

michael referenced this issue from a commit

2025-09-07 19:15:02 +02:00

feat(security): systemd service hardening implementation