[pkg-bacula-devel] More defense-in-depth with systemd?

Sven Hartge sven at svenhartge.de
Sun Oct 29 19:29:25 UTC 2017


Hi!

While doing the other systemd stuff I had another look at the security 
measures systemd provides for free and I came up with this for the 
directord:

ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ReadWritePaths=/var/lib/bacula /run/bacula /var/log/bacula

This mounts nearly the whole system RO including /proc, /dev and /sys, 
leaving only the paths in ReadWritePaths writable by the daemon. 
/run/bacula could even be removed with the need to write PID files removed 
come 9.0.5.

The only variable path would be the place the database dump is written to. 
The default scripts use /var/lib/bacula but who knows what the user has 
configured.

The filed is more difficult to protect as it needs by design to access the 
whole system read/write.

The stored is a bit more limited in what directories it uses, mostly 
/var/spool/bacula for data and attribute spooling.
But this path again is highly likely to be configured differently by the 
user. And then there is the case of not using tapes but file-based storage. This 
path could be anywhere and is not possible to predict.

So in the end we would only end up with easy protection options for the 
directord.

Worth doing this? Maybe. Your opinion?

Regards,
Sven.
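
An added example, not part of the original post or of the Debian packaging: one way to handle the user-configured stored paths is to derive ReadWritePaths= from the daemon's own configuration. It assumes Bacula's Working Directory, Pid Directory, Spool Directory and Archive Device directives; the function names and the sample config are constructed for illustration.

```python
import re

# Bacula matches directive names case-insensitively and ignores spaces in them.
PATH_KEYS = {"workingdirectory", "piddirectory", "spooldirectory", "archivedevice"}
HOME_TREES = ("/home", "/root", "/run/user")   # hidden by ProtectHome=true

# Constructed sample bacula-sd.conf, not taken from a real installation.
SAMPLE_SD_CONF = """
Storage {
  Name = backup-sd
  WorkingDirectory = "/var/lib/bacula"
  Pid Directory = "/run/bacula"
}
Device {
  Name = FileStorage
  Archive Device = /srv/backup/volumes   # file-based storage
  Spool Directory = /var/spool/bacula
}
Device {
  Name = LTO
  Archive Device = /dev/nst0
}
"""

def writable_paths(conf_text):
    """Directories the daemon writes to, as configured by the user."""
    paths = set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]                # drop comments (simplified)
        for stmt in re.split(r"[;{}]", line):      # directives may share a line
            key, sep, value = stmt.partition("=")
            if not sep or re.sub(r"\s+", "", key).lower() not in PATH_KEYS:
                continue
            value = value.strip().strip('"').rstrip("/")
            # Tape drives are device nodes under /dev, not directories; skip them.
            if value.startswith("/") and not value.startswith("/dev/"):
                paths.add(value)
    return sorted(paths)

def render_dropin(paths):
    """Render a [Service] drop-in with the options from the post."""
    if any(re.search(r"\s", p) for p in paths):
        raise ValueError("path with whitespace needs manual quoting")
    opts = ["ProtectSystem=strict", "ProtectKernelTunables=true",
            "ProtectKernelModules=true", "ProtectControlGroups=true"]
    # Conservative choice of this example: omit ProtectHome= when a path is in a tree it hides.
    if not any(p == t or p.startswith(t + "/") for p in paths for t in HOME_TREES):
        opts.insert(1, "ProtectHome=true")
    return "\n".join(["[Service]", *opts, "ReadWritePaths=" + " ".join(paths)]) + "\n"
```

Printing `render_dropin(writable_paths(text))` for the installed configuration yields the content of a drop-in for the stored unit; where that drop-in is installed is left to the packager.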


