First of all, I’m still relatively new to Linux so apologies if this is a noob question, lol. I’m trying to build a secure system (as best I can, lol) and have recently discovered this. I’m looking to get some feedback on how concerned we should be when using ‘sudo systemd-analyze security’.
You’ll notice that several of the services are labelled as ‘unsafe’. I have read this is merely analyzing the potential of harm for each service based on its permissions and not the actual service itself, but I also understand it is possible to sandbox some of them manually (I’ve already done this with a few services myself). As it takes a painful amount of time to harden these services manually, I am wondering why many of these built-in services have not been sandboxed / hardened by default? (It appears to be this way on most / all distributions, not just PureOS.)
Is this something that is safe to ignore if they are built-in services? Should we be trying to sandbox these .service files ourselves? If so, is there a stash of ‘hardened’ .service files others have already made that we can just use without having to figure it out ourselves via trial and error?
I think this falls squarely in the realm of “it depends”. In my limited experience, there can be unforeseen consequences to this kind of hardening and in turn it may not be a suitable default.
If this were the default and it caused a functionality problem, having people, likely the less technically inclined, make the change to make their system functional is counter to the goal of making the system accessible to as many as possible; whereas having the option to lock the system down further for those who want/need it is a more reasonable default, again based on my experience.
I would like to see this kind of hardening as the default eventually, I’m just not sure it’s the best default at this moment in time.
It would be cool if there was a bunch of .service files (for basic core services) somewhere that were already hardened to the point of “OK” to make things a little easier, but oh well, lol.
I completely agree, and since you already have some you’ve made, you could create a GitHub repo for the ones you’ve created and see if others contribute. This would also allow for issue tracking dialog for the services that cause people problems and have that information near to the service file itself.
To be honest, I stopped after the 2 service units I did as I didn’t really feel I was experienced enough to continue.
I’ve never started or even worked on a project in GitHub before but it could be a cool start to encourage others to contribute. I’ll look into this some more!
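The workflow discussed in this thread, as an added example that is not part of any post: a shell sketch that ranks units from `systemd-analyze security` output by exposure score and stages a starter hardening drop-in. The sample report, the helper names `triage` and `write_dropin`, the file name `10-hardening.conf` and `example.service` are constructed for illustration; the directives are standard systemd sandboxing options.

```shell
#!/bin/sh
# Constructed sample in the column layout printed by `systemd-analyze security`
# (unit names and scores are illustrative, not measurements from a real host).
SAMPLE_REPORT='UNIT                     EXPOSURE PREDICATE HAPPY
cups.service                  9.6 UNSAFE    :(
NetworkManager.service        7.8 EXPOSED   :(
systemd-resolved.service      2.1 OK        :)
ssh.service                   9.6 UNSAFE    :('

# Read a report on stdin and print "score unit" for every service at or
# above the threshold in $1, worst first. The header line is skipped
# because its first column does not end in ".service".
triage() {
    awk -v min="$1" '$1 ~ /\.service$/ && $2 + 0 >= min + 0 { print $2, $1 }' |
        LC_ALL=C sort -k1,1nr -k2,2
}

# Write a conservative hardening drop-in for unit $1 under directory $2
# (on a real host that directory is /etc/systemd/system). Any of these
# directives can break a service: apply, restart, test, then tighten.
write_dropin() {
    dir="$2/$1.d"
    mkdir -p "$dir" || return 1
    cat > "$dir/10-hardening.conf" <<'EOF'
[Service]
NoNewPrivileges=yes
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
LockPersonality=yes
EOF
    printf '%s\n' "$dir/10-hardening.conf"
}

# Offline demo on the constructed report. Live use (root, systemd host):
#   systemd-analyze security --no-pager | triage 7.0
#   write_dropin example.service /etc/systemd/system   # placeholder unit
#   systemctl daemon-reload && systemctl restart example.service
#   systemd-analyze security example.service           # re-check the score
printf '%s\n' "$SAMPLE_REPORT" | triage 7.0
```

Because the settings live in a drop-in, the packaged unit file is left untouched, and deleting the `.d` directory followed by `systemctl daemon-reload` reverts the change.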