[pkg-bacula-devel] Hardening systemd
Sven Hartge
sven at svenhartge.de
Sat Dec 29 19:37:25 GMT 2018
On 29.12.18 00:09, Sven Hartge wrote:
> I need to identify those unnecessary capabilities and blacklist them
> one-by-one or whitelist the ones the FD needs.

I went through capabilities(7) and blacklisted all those which I deem
dangerous or unneeded, like the ability to reboot the system, (un)load
modules, set the clock, change network settings or bind to a port below
1024.

I retained all those which interact with files, their permissions, etc.,
device nodes, raw I/O (if one backs up a whole block device).

I also kept CAP_SYS_ADMIN, because it contains too much stuff where I am
not sure if it is needed. The man-page even says so: "Note: this
capability is overloaded;"

It would be nice if there was some form of audit wrapper one could use
to see which capabilities a program uses.

Can you please double check my list to see if I missed something?

Greetings,
Sven.
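
An added example, not part of the original message or of the Debian Bacula packaging: one way to double check such a list is to decode the `CapBnd` mask in `/proc/<pid>/status` of the running file daemon and report which unwanted capabilities are still available. It shows what the process may hold, not what it actually uses. The names in `MUST_BE_DROPPED` are an assumption that maps the categories named above to capabilities(7) names; they are not the list from the message, and both sample status texts are constructed.

```python
import re
import sys

# Bit positions as defined in <linux/capability.h> (list index = bit number).
CAP_NAMES = """CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT
SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL
SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON
BPF CHECKPOINT_RESTORE""".split()

# Assumption: reboot, module loading, clock, network settings, ports below 1024.
MUST_BE_DROPPED = {"SYS_BOOT", "SYS_MODULE", "SYS_TIME", "NET_ADMIN",
                   "NET_BIND_SERVICE"}

def parse_cap_sets(status_text):
    """Return {'CapInh': int, 'CapBnd': int, ...} from /proc/<pid>/status text."""
    pattern = r"^(Cap\w+):[ \t]*([0-9a-fA-F]+)[ \t]*$"
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(pattern, status_text, re.M)}

def decode(mask):
    """Expand a capability bitmask into names; unknown bits stay numeric."""
    names, bit = set(), 0
    while mask >> bit:
        if mask >> bit & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"bit{bit}")
        bit += 1
    return names

def still_allowed(status_text, which="CapBnd"):
    """Capabilities from MUST_BE_DROPPED that are still in the given set."""
    return sorted(decode(parse_cap_sets(status_text)[which]) & MUST_BE_DROPPED)

# Constructed sample: unrestricted root service on a kernel with 38 capabilities.
SAMPLE_UNCONFINED = ("Name:\tbacula-fd\nCapInh:\t0000000000000000\n"
                     "CapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n"
                     "CapBnd:\t0000003fffffffff\nCapAmb:\t0000000000000000\n")
# Constructed sample: same service with bits 10, 12, 16, 22 and 25 removed.
SAMPLE_HARDENED = SAMPLE_UNCONFINED.replace("0000003fffffffff",
                                            "0000003ffdbeebff")

if __name__ == "__main__":
    # With a PID argument, inspect the live process; otherwise use the sample.
    text = (open(f"/proc/{sys.argv[1]}/status").read()
            if len(sys.argv) > 1 else SAMPLE_HARDENED)
    print("still in bounding set:", still_allowed(text) or "none")
```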