System Grab Bag

systemd Unit Security

systemd is a tool that, among other things, manages services. Users do this primarily through unit files, which describe where to find a service, what to run, the service's environment block, and more. Part of this is the service's security configuration. These settings use Linux kernel features such as cgroups, namespaces, and capabilities to restrict the attack surface of well-meaning services. This tool scores services, in the same way systemd does, on a scale from 0 to 10, where 0 is the least exposed and 10 the most exposed. As of systemd 253, the default configuration has an exposure level of 9.6.

It is worth noting that a high score does not inherently mean a service is unsafe; it means the service does not use many of the features systemd provides to improve security. A service with many of these features enabled can be safer, with restrictions enforced by the operating system (which can reduce the impact of security issues), and can run with slightly higher privileges than an unprivileged process would have, but without running as root.

Your systemd Unit Configuration

User and Group: run the service under...

Capabilities

For more information on capabilities, see the capabilities(7) man page.

Ambient Capabilities (CapAmb)

These capabilities are added to the service's process, provided each is also in the process's capability bounding set. This is useful, for example, for servers that need to bind to a low-numbered port such as port 80 (CAP_NET_BIND_SERVICE), which on most distributions is only permitted for root. Grant as few capabilities as possible (or none at all), since many capabilities, once granted, allow a process to make system-wide changes.

Capability Bounding Set (CapBnd)

The capabilities in this set are the maximum the service's process can ever hold; it is an upper bound on what the service can do. Set this to as few capabilities as possible, since it also limits any capabilities already granted.

Namespaces

Address Families

Note: You can use the symbolic names any, localhost, link-local, and multicast, separated by spaces. Also note that allow takes precedence over deny, so you can put any in the denied IP addresses field to create an allow list. This method is the most secure.

Private Service Namespace and System Protection

Protect Home

Protect /proc

Protect System

System Call Restrictions

(Hint: to change an allow list to a deny list, prefix the list with the ~ character.)

Allowed Architectures

More Restrictions

Process Subset

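As an added example (this is not the page's tool and does not reproduce systemd's numeric score), the following Python checklist parses the [Service] section of two constructed unit files and reports which of the directives discussed above are missing or inconsistent, including the ambient-versus-bounding-set relationship and the IPAddressDeny=any allow-list pattern. The unit contents and the example-web binary path are constructed for illustration.

```python
# Constructed sample units (not from any real system): a bare unit and a
# hardened one using the directives discussed on this page.
WEAK_UNIT = """\
[Service]
ExecStart=/usr/bin/example-web
"""
HARDENED_UNIT = """\
[Service]
ExecStart=/usr/bin/example-web
User=example
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
IPAddressDeny=any
IPAddressAllow=localhost
SystemCallFilter=~@privileged @resources
ProtectHome=yes
ProtectSystem=strict
ProtectProc=invisible
"""

def parse_service(text):
    """Collect [Service] directives; repeated keys accumulate, an empty value resets."""
    section, svc = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, _, val = map(str.strip, line.partition("="))
            svc[key] = [] if not val else svc.get(key, []) + val.split()
    return svc

def audit(text):
    """Checklist of the page's directives that are missing or inconsistent."""
    svc, findings = parse_service(text), []
    if svc.get("User", ["root"]) == ["root"]:
        findings.append("User=: service runs as root")
    amb, bnd = svc.get("AmbientCapabilities", []), svc.get("CapabilityBoundingSet")
    if bnd is None:
        findings.append("CapabilityBoundingSet=: not set, every capability reachable")
    elif not (bnd and bnd[0].startswith("~")) and set(amb) - set(bnd):
        # a '~' bounding set is a deny list, so the subset check does not apply
        findings.append("AmbientCapabilities=: capability outside bounding set")
    if "any" not in svc.get("IPAddressDeny", []):
        findings.append("IPAddressDeny=: 'any' missing, IPAddressAllow= is not an allow list")
    for key in ("SystemCallFilter", "ProtectHome", "ProtectSystem", "ProtectProc"):
        if not svc.get(key):
            findings.append(f"{key}=: not set")
    return findings
```

Run audit() on a unit's text to get the list of findings; an empty list means every directive on the checklist is present and consistent.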

Scale

systemd gives each service a color, a short word, and an emoji that describe its security profile at a glance. The table below lists all of the values.

Description   Value Range   Emoji
Perfect       0.0           😇
Safe          0.1 - 0.9     😀
Ok            1.0 - 4.9     🙂
Medium        5.0 - 7.4     😐
Exposed       7.5 - 8.9     🙁
Unsafe        9.0 - 9.9     😨
Dangerous     10.0          🤢