Bug#863841: Enable systemd hardening options for named

Russ Allbery-2
Package: bind9
Version: 1:9.10.3.dfsg.P4-12.3
Severity: wishlist

BIND named is a great candidate for enabling systemd hardening features,
since it has very limited required access to the local file system and
a long history of security issues due to its complexity.

I'm currently using the following settings on jessie without any impact,
although I'm not using dynamic DNS or a few other things that may make
a difference.  jessie had much more limited options; there are other
options now available in newer systemd, and I didn't start looking at
system call filtering.

CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=full

CAP_DAC_OVERRIDE is required for rndc to read /etc/bind/rndc.key; a
possible alternative would be to find a way to run it as the bind user
instead.  It's possible that you could drop CAP_SETGID and CAP_SETUID
and instead let systemd switch to the bind user, and put
CAP_NET_BIND_SERVICE into the ambient capability set instead so that it
can still bind to a low-numbered port.

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bind9 depends on:
ii  adduser                3.115
ii  bind9utils             1:9.10.3.dfsg.P4-12.3
ii  debconf [debconf-2.0]  1.5.61
ii  init-system-helpers    1.48
ii  libbind9-140           1:9.10.3.dfsg.P4-12.3
ii  libc6                  2.24-11
ii  libcap2                1:2.25-1
ii  libcomerr2             1.43.4-2
ii  libdns162              1:9.10.3.dfsg.P4-12.3
ii  libgeoip1              1.6.9-4
ii  libgssapi-krb5-2       1.15-1
ii  libirs141              1:9.10.3.dfsg.P4-12.3
ii  libisc160              1:9.10.3.dfsg.P4-12.3
ii  libisccc140            1:9.10.3.dfsg.P4-12.3
ii  libisccfg140           1:9.10.3.dfsg.P4-12.3
ii  libk5crypto3           1.15-1
ii  libkrb5-3              1.15-1
ii  liblwres141            1:9.10.3.dfsg.P4-12.3
ii  libssl1.0.2            1.0.2l-1
ii  libxml2                2.9.4+dfsg1-2.2
ii  lsb-base               9.20161125
ii  net-tools              1.60+git20161116.90da8a0-1
ii  netbase                5.4

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn  bind9-doc   <none>
ii  dnsutils    1:9.10.3.dfsg.P4-12.3
pn  resolvconf  <none>
pn  ufw         <none>

-- debconf information:
  bind9/start-as-user: bind
  bind9/different-configuration-file:
  bind9/run-resolvconf: false

Bug#863841: Enable systemd hardening options for named

Bernhard Schmidt
FTR, this is what the "others" are using (just as a reference, I think we can
easily add more):

Fedora/RHEL:
https://src.fedoraproject.org/rpms/bind/blob/master/f/named.service
PrivateTmp=true

SLES:
Unknown, but https://build.opensuse.org/package/revisions/network/bind
sports a nice "Add back init scripts, systemd units aren't ready yet"

Gentoo:
https://gitweb.gentoo.org/repo/gentoo.git/tree/net-dns/bind/files/named.service-r1
nothing

Arch:
https://git.archlinux.org/svntogit/packages.git/tree/trunk/named.service?h=packages/bind
nothing

The only thing I can think of that might interfere with this is
chrooting the named daemon, which is possible with the "-t" command line
option. We do this to run multiple instances without the need to specify
the full path to the configuration file. I will test this in the
upcoming days.

Bernhard

Bug#863841: Enable systemd hardening options for named

Simon Deziel-2
In reply to this post by Russ Allbery-2
Hi,

It would be really nice to have those hardening options used. I use them
locally on Ubuntu. Please note that the Private*/Protect* options (using
the mount namespace) require this change to the AppArmor profile:

-/usr/sbin/named {
+/usr/sbin/named flags=(attach_disconnected) {

Thanks,
Simon

Bug#863841: Enable systemd hardening options for named

Simon Deziel-2
Hi,

In addition to what Russ proposed to add, I've been running with those
additional restrictions:

SystemCallArchitectures=native
# note: AF_NETLINK is needed for getifaddrs(3)
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK

They are available on older systemd versions so they shouldn't cause
problems with backports. I tested with systemd 229 (Xenial).

Regards,
Simon

P.S.: flags=(attach_disconnected) is still needed for AppArmor.

Bug#863841: Enable systemd hardening options for named

Ludovic Gasc-3
In reply to this post by Russ Allbery-2
Hi,

On Mon, 29 Jan 2018 11:18:47 -0500 Simon Deziel <[hidden email]> wrote:
> SystemCallArchitectures=native
> # note: AF_NETLINK is needed for getifaddrs(3)
> RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK

I'm also working to increase the security of bind via systemd without MAC enabled; I have integrated your suggestions.
FYI, I have discussed this on the bind mailing list to validate the unit file; the complete discussion:
https://lists.isc.org/pipermail/bind-users/2018-January/099437.html

Below is the actual unit file I'm using in our production.
If you have extra suggestions, I'm interested.

How could I send a merge request?
I have found the file in Git: https://anonscm.debian.org/git/pkg-dns/bind9.git/tree/debian/bind9.service
Do I send a patch to the Debian-DNS mailing list?

Regards

[Unit]
After=network-online.target

[Service]
Type=simple
TimeoutSec=25
Restart=always
RestartSec=1
User=bind
Group=bind
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
SystemCallFilter=~@mount @debug acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp kexec_load keyctl lookup_dcookie migrate_pages move_pages open_by_handle_at perf_event_open process_vm_readv process_vm_writev ptrace remap_file_pages request_key set_mempolicy swapoff swapon uselib vmsplice
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
LimitCORE=infinity
LimitNOFILE=65535
NoNewPrivileges=true
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
RestrictRealtime=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=strict
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
ReadOnlyPaths=/sys
InaccessiblePaths=/home
InaccessiblePaths=/opt
InaccessiblePaths=/root
ReadWritePaths=/run/named
ReadWritePaths=/var/cache/bind
ReadWritePaths=/var/lib/bind
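The directives Russ, Simon and Ludovic trade above can be checked mechanically rather than by eye. The following is an added example, not code from the bug report or from the bind9 package; it uses only the Python standard library, parses a unit's [Service] section with systemd's accumulate/reset semantics for repeated keys, and takes Russ's jessie settings as its sample input:

```python
# Added example (not from the bug report): audit a unit's [Service] hardening
# directives against the points raised in this thread. Parsing follows systemd:
# repeated keys accumulate and an empty assignment clears the accumulated list.
from typing import Dict, List

REQUIRED = ("NoNewPrivileges", "PrivateDevices", "PrivateTmp", "ProtectHome",
            "ProtectSystem", "SystemCallArchitectures", "RestrictAddressFamilies")
RISKY_CAPS = {"CAP_DAC_OVERRIDE", "CAP_SETUID", "CAP_SETGID"}  # droppable per Russ

def parse_service(text: str) -> Dict[str, List[str]]:
    """Return the [Service] directives as key -> list of assigned values."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            out[key] = [] if value == "" else out.get(key, []) + [value]
    return out

def audit(unit_text: str) -> List[str]:
    """List hardening gaps; an empty list means every check passed."""
    svc = parse_service(unit_text)
    findings = [f"missing {k}=" for k in REQUIRED if k not in svc]
    if svc.get("ProtectSystem") and svc["ProtectSystem"][-1] != "strict":
        findings.append(f"ProtectSystem={svc['ProtectSystem'][-1]} (strict is stronger)")
    caps = set(" ".join(svc.get("CapabilityBoundingSet", [])).split())
    if any(c.startswith("~") for c in caps):  # deny-list form: set is the complement
        return findings + ["CapabilityBoundingSet uses ~: review by hand"]
    findings += [f"{c} in CapabilityBoundingSet" for c in sorted(caps & RISKY_CAPS)]
    # User= makes systemd drop to that uid before exec; caps survive only if ambient.
    if "User" in svc and "CAP_NET_BIND_SERVICE" in caps and "AmbientCapabilities" not in svc:
        findings.append("CAP_NET_BIND_SERVICE not ambient: lost when switching to User=")
    return findings

# Russ's jessie settings from the top of this thread, as an input to audit().
RUSS_UNIT = """[Service]
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=full
"""
```

Running `audit(RUSS_UNIT)` reports the two directives Simon later added, the weaker ProtectSystem=full, and the three capabilities Russ suggested dropping; Ludovic's unit passes clean.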

Bug#863841: [Pkg-dns-devel] Bug#863841: Enable systemd hardening options for named

Ondřej Surý
Here:

https://salsa.debian.org/dns-team/bind9.git (and future https://salsa.debian.org/dns-team/bind.git), you'll probably need a guest account that could be created here: https://signup.salsa.debian.org/

Ondrej
--
Ondřej Surý <[hidden email]>

On Thu, Feb 1, 2018, at 09:44, Ludovic Gasc wrote:

> Hi,
>
> On Mon, 29 Jan 2018 11:18:47 -0500 Simon Deziel <[hidden email]> wrote:
> > SystemCallArchitectures=native
> > # note: AF_NETLINK is needed for getifaddrs(3)
> > RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
>
> I'm also working to increase the security of bind via systemd without MAC
> enabled, I have integrated your suggestions.
> FYI, I have discussed about this on bind mailing-list to validate the unit
> file, the complete discussion:
> https://lists.isc.org/pipermail/bind-users/2018-January/099437.html
>
> Below, the actual unit file, I'm using on our production.
> If you have extra suggestions, I'm interested in.
>
> How I could send a merge request ?
> I have found the file in Git:
> https://anonscm.debian.org/git/pkg-dns/bind9.git/tree/debian/bind9.service
> I send a patch on the Debian-DNS mailing-list ?
>
> Regards
Bug#863841: [Pkg-dns-devel] Bug#863841: Enable systemd hardening options for named

Ludovic Gasc-3
Done: https://salsa.debian.org/dns-team/bind9/merge_requests/1

Do I also need to send a merge request on: https://salsa.debian.org/dns-team/bind ?

Thanks for your remarks.
Bug#863841: Merge request status ?

Ludovic Gasc-3
In reply to this post by Russ Allbery-2
Hi,

Could somebody review my merge request?

Thank you a lot :-)
--
Ludovic Gasc (GMLudo)