Hardened profile with systemd

cyberheb · n00b Joined: 27 Sep 2015 Posts: 3

Hello,

When selecting profile, there is option for systemd but only for un-hardened profile. No option to use systemd for hardened profile. Of course it is possible to follow systemd manual (emerge -vDN @world with new global USE flag using systemd, emerge --deselect sys-fs/udev and emerge systemd), but I am curious about reason behind why systemd not included in the hardened profile option. Was there any known security issue in systemd so developer chose to use openrc instead?

I am currently designing a platform using Gentoo, security is one of top priority. I think systemd offer pretty much good functionality (yes, mostly for desktop, but also good for server), that's why I plan to use it. However, if there are specific crucial aspect related to systemd with hardened server, then I will have strong reason not to use it.

NeddySeagoon · Posted: Sun Sep 27, 2015 8:26 am Post subject:

cyberheb,

Welcome to Gentoo.

This thread is likely to be locked very soon as questions like this decend into a flamefest.
There are many other topics (mostly locked) on these forums that discuss systemd. Some touch on security too.

My personal opinion, having read many of the threads I've referred you to is that systemd and security go together like windows and security.
That is, its an oxymoron.

Security is not an absolute. You need to analyse your perceived threats that create a security model to defend against them.
The reality is that you end up with several layers, like an onion. The basic idea is to deter attackers so they attack someone else.
One tennent of security is to keep things simple - systemd violates that. While systemd may be modular and its modules simple, its modular in the same way as a completed jigsaw is modular. You have to have all the pieces - even if your use case does not need them.

Better to choose starting point that you add in only what you need - that does not mean openrc either. Gentoo provides other options, openrc is the one in the stage3 tarball. By adding in only what you need you know what you have, rather than attempting to take things away, only to find you cannot.

Other contributers.
State your opinions and rational.

Flames will get this topic locked.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

Buffoon · Veteran Joined: 17 Jun 2015 Posts: 1369 Location: EU or US

Just curious, is systemd allowing remote logging now?

mv · Watchman Joined: 20 Apr 2005 Posts: 6747

It does not make much sense to harden your kernel and most apps to avoid privilege escalations when you have simulatenously running a highly complex app with root permissions whose main purpose is to make all classical UNIX privileges become a joke.
From the security viewpoint, installing systemd (especially together with policykit) is probably among the most stupid things which you could do.
If you search, you will probably find a list of known security issues with systemd+policykit which I had posted in this forum a while ago. I don't know how much of the issues have been fxied meanwhlie, but you can be sure that a current list of issues would be much longer - though perhaps less easy to get (for the previous list, I needed only a few minutes hunting through open bugs).
It is a not a particular misfeature which is dangerous but the whole concept to build a complex application with high privileges on top of a communication system which every unprivileged user can access.

That being said: hardened does not include other things (like kde, gnome, etc) either. I think they simply want to support a very basic default. You are already out of luck if you happen to have an nvidia card and the nouveau drivers do not work for you....

depontius · Advocate Joined: 05 May 2004 Posts: 3509

Let me try this in a more neutral way, if I may.

With no value judgements either way, let me just say that there is little practical experience with systemd running on secure systems. Though it appears to have "won the init wars," (Boy, doesn't that sound like the old "OS Wars" days!) it has not actually seen that much real-world deployment yet, especially in the server space, which tends to be quite conservative.

You may be able to put systemd on a server, and have no problems, because you sound like a small fish.
On the other hand, putting systemd on a server, even if a small fish, might be detectable and be considered a "training ground" for crackers wanting to learn systemd from their side.

Or maybe you're thinking in terms of a hardened desktop, not a server, in which case at the very least you're less sensitive than a non-hardened systemd system.
_________________
.sigs waste space and bandwidth

cyberheb · n00b Joined: 27 Sep 2015 Posts: 3

Thanks all for the feedback. In my case, it would be a hardened server, not desktop. I am still quite new with systemd, but I think it is a valid point to consider in terms of security risk by deploying systemd: it is a complex application with high privileges where unprivileges user can access. So basically it will break the hardened system concept.