06-08, 09:00–09:50 (EST5EDT), AlmaLinux (BallroomC)
Systemd is ubiquitous on Linux for managing services. Unfortunately, properly securing these services is much less common despite excellent tooling for assessment, securing, and logging. We'll show a concrete example, using nginx, to properly secure a service.
Most Linux distributions now include systemd as the default init system for booting and service management. Despite this wide adoption, most distributions take little advantage of the systemd utilities and configuration to secure these services. For example, the default configuration of nginx in Debian has an "exposure level" of 9.6 (unsafe) on a scale of 0.0 to 10.0, where higher is worse.
Many DevOps and development teams mistakenly believe that containers will automatically secure their services. Containers are capable in this regard, but this is not their primary usage.
We will show a step-by-step process of securing services, using the nginx HTTP server. We will use a number of auditing tools, including systemd-analyze and lynis, to identify which kernel and other system features can be tuned to reduce the security risk exposure. We then discuss the options available in the systemd unit files related to security. We will use service and kernel log files extensively to debug and adjust each of the settings.
This is an intermediate level discussion. You should be familiar at a high level with modern Linux kernel security features such as capabilities.
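A sketch of the kind of unit drop-in this process leads to, as an added example that is not taken from the talk. The file path, the capability list and the writable paths are assumptions for a Debian-style nginx package whose master process starts as root; the directives themselves are standard systemd.exec options.

```ini
# Assumed path: /etc/systemd/system/nginx.service.d/hardening.conf
# Apply:   systemctl daemon-reload && systemctl restart nginx
# Measure: systemd-analyze security nginx.service   (before and after)
# Debug:   journalctl -u nginx.service ; journalctl -k  (denials show up here)
[Service]
# Capabilities (assumption): bind ports 80/443, switch to the worker
# user, and open log files owned by another user. Drop one at a time
# and watch the logs to find the minimum your build needs.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_DAC_OVERRIDE CAP_CHOWN
NoNewPrivileges=yes

# Filesystem: everything read-only except what nginx must write.
# A leading "-" makes a path optional if it does not exist.
ProtectSystem=strict
ReadWritePaths=/var/log/nginx -/var/lib/nginx /run
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes

# Kernel interfaces a web server has no reason to touch.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes

# Network and process restrictions.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
SystemCallArchitectures=native

# Caveat: breaks builds that generate code at runtime (for example
# PCRE JIT or LuaJIT modules). Remove it if workers fail to start.
MemoryDenyWriteExecute=yes
```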
Jean Pierre has been involved in the open-source community since 1990. He has been a Debian DM for several years and is currently actively involved in Primero, an open-source platform for social welfare. He has started several companies, the latest of which is Salus CM (https://salus-cm.care/).