so yet again others sharing information prompted me to have a look at my server set-up:
=> 2022-02-23 Securing Gemini Servers
=> 2022-02-24 Re: Securing Gemini Servers
i started with:
systemd-analyze security agate
agate score = 9.1 UNSAFE. not a good start although all the vanilla os services were just as bad: i can look at those another day!
i added options to the agate.service file one by one to see what the effect was:
```
PrivateTmp=yes                 8.7 EXPOSED
NoNewPrivileges=true           8.6 EXPOSED
RestrictNamespaces=yes         7.8 EXPOSED
ProtectDevices=yes             7.8 EXPOSED
NoNewPrivileges=true           7.8 EXPOSED
PrivateDevices=true            7.1 MEDIUM
DevicePolicy=closed            7.1 MEDIUM
ProtectSystem=strict           6.9 MEDIUM
ProtectHome=true               6.7 MEDIUM
ProtectHostname=true           6.7 MEDIUM
ProtectControlGroups=true      6.5 MEDIUM
ProtectKernelModules=true      6.1 MEDIUM
ProtectKernelTunables=true     6.0 MEDIUM
RestrictAddressFamilies=AF_INET 5.5 MEDIUM
RestrictRealtime=true          5.4 MEDIUM
RestrictSUIDSGID=true          5.4 MEDIUM
MemoryDenyWriteExecute=true    5.4 MEDIUM
LockPersonality=true           5.3 MEDIUM
PrivateUsers=true              5.2 MEDIUM
ProtectClock=true              5.2 MEDIUM
ProtectKernelLogs=true         5.2 MEDIUM
ProtectProc=invisible          5.2 MEDIUM
ProcSubset=pid                 5.2 MEDIUM
RemoveIPC=true
```
this post below had me recheck my work and yes i had borked agate!
=> 2022-02-25 - Securing Molly Brown
i commented out these to get going again:
```
# ProtectHome
# RestrictAddressFamilies
```
5.8 MEDIUM
a little more work on the effect of each change, and making myself actually read the error messages, led to some changes and additions:
```
RestrictAddressFamilies=AF_INET AF_INET6   5.3 MEDIUM
ProtectHome=read-only                      5.2 MEDIUM
CapabilityBoundingSet=                     3.0 OK      (note nothing after the =)
UMask=177                                  3.0 OK
```
i'm happy with a score of 3.0 for now until i understand more about this.
some more links for some light reading:-) :
=> 2022-02-20 - security and hardening options for systemd service units
=> 2022-02-25 - (accessed) systemd.exec — Execution environment configuration
=> 2022-02-18 - Systemd Hardening
=> 2021-05-14 - Systemd Service Hardening
i took the opportunity to review how i was running agate and changed the user account that ran agate and moved the certificates. the server setup is now a little more organized and hopefully more secure.
another block of code from my agate.service (more suitable for copy and paste):
```
# security things done
CapabilityBoundingSet=
DevicePolicy=closed
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=yes
PrivateUsers=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectDevices=yes
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectHome=read-only
ProtectHostname=true
ProtectProc=invisible
ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6
RemoveIPC=true
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=true
UMask=177
```
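an added example, not code from the original post or from agate, covering the two steps above: scoring the unit again after each directive is added (the one-by-one process from earlier), and checking a finished unit file against the list the post ends with. it assumes (my assumptions, not the page's) that the hardening lives in a drop-in under /etc/systemd/system/agate.service.d/ rather than in the packaged unit, that the "Overall exposure level for <unit>: N.N" line of systemd-analyze security keeps that shape, and that the analyzer command can be swapped via ANALYZE so the parsing can be exercised on a box without systemd. ProtectDevices=yes from the block above is left out of the checklist because systemd.exec has no ProtectDevices= directive (PrivateDevices= and DevicePolicy= are the ones that exist).

```shell
#!/bin/sh
# Added example (not from the original post or from agate).
# Helpers around the hardening loop described above:
#   exposure_score     - pull the number out of "systemd-analyze security <unit>"
#   missing_directives - list checklist directives a unit/drop-in file does not set
#   score_each_option  - rebuild a drop-in one directive at a time, scoring each step
# Assumptions (mine): hardening goes into a drop-in file, and ANALYZE may be
# overridden to run the score parsing without systemd present.

# The directives the post settles on, one per line (ProtectDevices= omitted,
# it is not a systemd.exec directive).
HARDENING_DIRECTIVES='CapabilityBoundingSet=
DevicePolicy=closed
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=yes
PrivateUsers=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectHome=read-only
ProtectHostname=true
ProtectProc=invisible
ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6
RemoveIPC=true
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=true
UMask=177'

# Command that prints the analysis; override with ANALYZE=... for testing.
ANALYZE="${ANALYZE:-systemd-analyze security}"

# Print just the number from the final
#   "-> Overall exposure level for agate.service: 3.0 OK :)"
# line (assumed line shape, check against your systemd version).
exposure_score() {
    $ANALYZE "$1" | sed -n 's/.*exposure level for [^:]*: *\([0-9][0-9.]*\).*/\1/p' | tail -n 1
}

# List the checklist directives whose key does not appear in the given unit or
# drop-in file. Only the key before '=' is matched, so an empty
# "CapabilityBoundingSet=" counts as set; values are not compared.
missing_directives() {
    unit="$1"
    printf '%s\n' "$HARDENING_DIRECTIVES" | while IFS= read -r directive; do
        key="${directive%%=*}"
        grep -q "^[[:space:]]*$key=" "$unit" || printf '%s\n' "$directive"
    done
}

# Rebuild the drop-in from scratch, appending one directive per step, and print
# "Directive=value score" after each step, the same shape as the post's table.
# Needs root (daemon-reload). Usage:
#   score_each_option agate.service /etc/systemd/system/agate.service.d/hardening.conf
score_each_option() {
    unit="$1"
    dropin="$2"
    mkdir -p "$(dirname "$dropin")"
    printf '[Service]\n' > "$dropin"
    printf '%s\n' "$HARDENING_DIRECTIVES" | while IFS= read -r directive; do
        printf '%s\n' "$directive" >> "$dropin"
        systemctl daemon-reload
        printf '%s %s\n' "$directive" "$(exposure_score "$unit")"
    done
}
```

the score loop only tells you what systemd-analyze thinks; as the post found with ProtectHome and RestrictAddressFamilies, each step still needs `systemctl restart agate` and a look at `journalctl -u agate` to confirm the service actually starts and serves.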
=> return to gemini.mingmengtou.org index page.
neil.gemini@mingmengtou.org
content licensed CC-BY-SA 4.0 unless stated.
=> creative commons licence.