diff --git a/systemd-hardening-in-NixOS/article.md b/systemd-hardening-in-NixOS/article.md index b70d802..beea303 100644 --- a/systemd-hardening-in-NixOS/article.md +++ b/systemd-hardening-in-NixOS/article.md @@ -1,4 +1,4 @@ -# systemd services in NixOS and tips for hardening of them +# tips for systemd services management and hardening in NixOS ## introduction @@ -167,7 +167,8 @@ systemd.services.netdata.serviceConfig = { #### blocking outgoing internet connections (not achievable by systemd options) -The idea here is to keep responding to incoming requests for a service, but forbid any outgoing connections, initiated by itself. When it comes to a more sophisticated firewall, systemd is not capable of such granular control. So, `iptables` configuration will be aimed at a specific user, which runs the service: +The idea here is to keep responding to incoming requests for a service, but forbid any outgoing connections, initiated by itself. When it comes to a more sophisticated firewall, systemd is not capable of such granular control. +`iptables` can match packets generated by specific user, which runs the service: ```nix networking.firewall = { 
@@ -194,15 +195,16 @@ _By specifying `1`, we're instructing `iptables` to insert the rule at the begin - `systemctl status ` - unit state, started/stopped timestamps , running processes, etc - `systemctl cat ` - contents of a systemd unit file, generated by NixOS - `systemctl show ` - actual properties of a systemd unit in effect +- `journalctl -e -u ` - show logs for a unit, scrolled down to the most recent records - `journalctl -u -f` - to monitor systemd service output in real time (by analogy with `tail -f`) - `journalctl -b-1 -u ` - in case you want to see logs only for previous boot -- `systemd-analyze security` - show security summary for all running services ("`SAFE`", "`EXPOSED`" and "`UNSAFE`" do not mean the factual situation, rather whether various systemd hardedning features are in use or not) -- `systemd-analyze security ` - show more detailed analysis for the specified service +- `systemd-analyze security` - show security summary for all running services ("`SAFE`", "`EXPOSED`" and "`UNSAFE`" do not mean the factual situation, rather whether various systemd hardening features are in use or not) +- `systemd-analyze security ` - show more detailed analysis for the specified service, indicating which options might be set - `htop` using tree view (`F5`) - to inspect the whole tree of processes/threads (`nix-shell -p htop --run htop` if you don't have it installed) -### cgroups +#### cgroups -[`cgroups`](https://en.wikipedia.org/wiki/Cgroups) (control groups) linux feature powers systemd. And it allows to have unified control over a collection of processes within a single service. `systemd-ctop` shows top control groups by their resource usage (output can be sorted by utilization of CPU, memory, IO load, number of tasks). It can be a good alternative to `top`/`htop`, because on a server we often care about service entities as a whole, rather than numerous processes, which stats are hard to sum up in mind. 
+[`cgroups`](https://en.wikipedia.org/wiki/Cgroups) (control groups) linux feature powers systemd. And it allows to have unified control over a collection of processes within a single service. `systemd-cgtop` shows top control groups by their resource usage (output can be sorted by utilization of CPU, memory, IO load, number of tasks). It can be a good alternative to `top`/`htop`, because on a server we often care about service entities as a whole, rather than numerous processes, whose stats are hard to sum up in mind. Just in case, note that enabling `netdata` service in NixOS enables `systemd.enableCgroupAccounting`, which in turn [enables these options in `systemd.conf`](https://github.com/NixOS/nixpkgs/blob/c223f49e6d4b4684286b8d2f9b2325930a4f62ff/nixos/modules/system/boot/systemd.nix#L493): ``` @@ -221,7 +223,7 @@ $ ls -l /home total 0 drwx------ 1 alex users 1126 2023-06-21 19:26 alex -sudo systemd-run -p ProtectHome=yes --shell +$ sudo systemd-run -p ProtectHome=yes --shell Running as unit: run-u2544.service Press ^] three times within 1s to disconnect TTY. 
@@ -249,7 +251,7 @@ With the help of [`tmux`](https://github.com/tmux/tmux/wiki/Getting-Started) you ## unsolved problems -As of 2023-07-01 [`systemd.services..confinement.enable` NixOS option](https://search.nixos.org/options?channel=unstable&show=systemd.services.%3Cname%3E.confinement.enable&from=0&size=50&sort=relevance&type=packages&query=systemd.services.%3Cname%3E.confinement) [is not compatible with systemd's `ProtectSystem`](https://discourse.nixos.org/t/nixos-policy-regarding-systemd-confinement/18976). +As of 2023-07-10 [`systemd.services..confinement.enable` NixOS option](https://search.nixos.org/options?channel=unstable&show=systemd.services.%3Cname%3E.confinement.enable&from=0&size=50&sort=relevance&type=packages&query=systemd.services.%3Cname%3E.confinement) [is not compatible with systemd's `ProtectSystem`](https://discourse.nixos.org/t/nixos-policy-regarding-systemd-confinement/18976). ## final notes
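Review bot: In the first hunk the new title "tips for systemd services management and hardening in NixOS" has a noun-pile ("services management"); "tips for managing and hardening systemd services in NixOS" (or "systemd service management") reads cleaner and still says what the page is about.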
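Review bot: In the iptables hunk the rewritten sentence "`iptables` can match packets generated by specific user, which runs the service:" drops the article ("by the specific user that runs the service") and, more importantly, does not say how or where the match applies. Matching by user is done with the owner match (`-m owner --uid-owner <user>`) and it only works on locally generated packets, i.e. in the OUTPUT chain, which is exactly why it fits "forbid any outgoing connections, initiated by itself" but cannot be used for INPUT. One sentence stating that, plus a caveat that the rule keys on the uid and therefore has to be reconsidered if the service is switched to `DynamicUser=` (where the uid is allocated at start), would make the example self-contained. Also, the original paragraph was split into two source lines without a blank line between them; that is harmless for rendering but inconsistent with the one-paragraph-per-line style used elsewhere in the file.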
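Review bot: In the commands-list hunk the added bullet "`journalctl -e -u ` - show logs for a unit, scrolled down to the most recent records" should mention that `-e` jumps to the end inside the pager and implies `-n 1000`, so the reader knows why older records are cut off and that `-n` (or `--since`) is the knob to widen the window; as written it reads like a simple "tail" when it is actually a bounded view. The flag order also differs between bullets (`-e -u ` here, `-u -f` on the next line); pick one order. Separately, every bullet renders with a trailing space where the placeholder used to be (`systemctl status `, `journalctl -b-1 -u `, `systemd-analyze security `): if the placeholder is written as `<unit>` outside a backtick span, markdown strips it as an HTML tag, so it should sit inside the code span, e.g. `` `systemctl status <unit>` ``.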
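Review bot: In the cgroups hunk the `systemd-ctop` to `systemd-cgtop` fix is correct, but the paragraph and the appended "Just in case, note that enabling `netdata` service in NixOS enables `systemd.enableCgroupAccounting`" sentence are left unconnected, so the note looks like a digression. The connection worth stating is that `systemd-cgtop` only reports CPU, memory and IO figures for cgroups whose accounting is turned on (`CPUAccounting=`, `MemoryAccounting=`, `BlockIOAccounting=`/`IOAccounting=`), otherwise the columns show "-"; on a host that already runs netdata those options are in effect system-wide via `DefaultCPUAccounting=`/`DefaultMemoryAccounting=` etc., which is why the tool "just works" there. Rewording to "`systemd-cgtop` needs cgroup accounting enabled to show these numbers; note that enabling `netdata` ... already turns it on" makes the point. The heading demotion from `### cgroups` to `#### cgroups` should be checked against the surrounding headings: it is now a sibling of `#### blocking outgoing internet connections`, which is a hardening topic, whereas cgroups belongs under the inspection/commands section. The nixpkgs link is pinned to a commit hash with a line anchor, which is good; keep it pinned rather than pointing at `master`.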
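Review bot: In the last hunk the only change is the "As of" date moving from 2023-07-01 to 2023-07-10, and the line does not say what was re-verified on that date (the discourse thread, the NixOS module, or an actual test of `confinement.enable` together with `ProtectSystem=`). A date bump on a "still broken" claim is only meaningful if the commit message or the sentence records what was checked; otherwise leave the original date. Two pre-existing issues on the same line are worth fixing while touching it: the option path renders as `systemd.services..confinement.enable` with the `<name>` placeholder lost (same HTML-stripping problem as in the commands list; put `<name>` inside the code span), and the search.nixos.org URL carries `type=packages` although it is an `/options` query, so it should be `type=options` or the parameter dropped.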