For a while now I’ve been working (slowly) on a monumental series of articles about function calls, RPC protocols and arrangements, and APIs, all meant to present the best and worst practices of modern software engineering. I would like to do it faster, but:
Any country, corp, org, or individual that uses Starlink is subject to the whims, wishes, demands and insults of The Owner. Do so at your peril.
— Ron Filipkowski (@ronfilipkowski.bsky.social) March 9, 2025 at 5:18 PM
That’s the new reality, folks. Apparently we are all small men who exist at the whim of the new sun king. Who fucking knew we would end up here.
Well, nothing matters anymore, so let’s try doing some completely meaningless things instead! For example, systemd service hardening!
systemd-analyze security
Here’s a starting point for y’all. Run systemd-analyze security sshd. Looks funny, doesn’t it? All right, to bleach the console run systemd-analyze security irqbalance (all commands assume Fedora 41). But for one irqbalance we’ve got a hundred services that say “AAAA UNSAFE”. What’s going on?
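To find the hundred offenders without reading a hundred per-unit tables, here is an added example (my own shell, not something from this post or from systemd): it parses the overview table that systemd-analyze security prints when run without a unit name and lists every unit at or above an exposure threshold, worst first. The rows in the sample are constructed for the demo; only the column layout (UNIT, EXPOSURE, PREDICATE, HAPPY) matches the real output.

```shell
#!/usr/bin/env bash
# Added example: triage the systemd-analyze security overview table.
# Live use:  systemd-analyze security --no-pager | unsafe_units 8
set -euo pipefail
export LC_ALL=C

# Constructed sample of the overview (real Fedora unit names, made-up numbers).
sample_overview() {
    cat <<'EOF'
UNIT                         EXPOSURE PREDICATE HAPPY
dbus-broker.service               3.1 OK        🙂
irqbalance.service                1.2 OK        🙂
NetworkManager.service            7.8 EXPOSED   🙁
sshd.service                      9.6 UNSAFE    😨
systemd-logind.service            2.8 OK        🙂
crond.service                     9.6 UNSAFE    😨
EOF
}

# Print "exposure unit" for every unit whose exposure is at or above the
# threshold (default 8.0), worst first. The header row is skipped and the
# comparison is numeric, so it does not depend on the predicate wording.
unsafe_units() {
    local threshold="${1:-8}"
    awk -v t="$threshold" 'NR > 1 && ($2 + 0) >= t { print $2, $1 }' |
        sort -k1,1nr -k2,2
}

case "${1:-}" in
    --demo) sample_overview | unsafe_units "${2:-8}" ;;
    --live) systemd-analyze security --no-pager | unsafe_units "${2:-8}" ;;
    *)      ;;   # no argument: define the functions only
esac
```

Two caveats before trusting the numbers. The score is computed purely from the sandboxing directives in the unit, so it says nothing about the quality of the service’s own code, and a service that legitimately needs the network, setuid and a writable filesystem (sshd) will never score like irqbalance no matter how carefully it is configured. For a CI gate, systemd-analyze security --threshold=N UNIT exits non-zero when the exposure exceeds N, which saves parsing the table at all.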
Same thing as always: it is hard to add security as an afterthought. Historically, services were barely protected at all; before systemd and selinux, best in class was “run as a different user”. With selinux it became possible to control every aspect of what a service does, except that almost nobody is capable of doing it, because you need to understand in the greatest detail what the service does and how, and the prevailing culture of our industry is that the author of the service will rarely bother with that.
Systemd services brought a massive quality of life increase in terms of service configuration, and also provided a set of options to improve service security (ProtectSystem=, ProtectHome=, PrivateTmp=, NoNewPrivileges=, SystemCallFilter= and friends) that are far lighter than selinux. Except even this easy mode is too hard for everyone.
Anyway, supposedly I care. With selinux, technically I can run things in permissive mode and use audit2allow to produce or fine-tune a policy. It would be nice if something similar existed for systemd, wouldn’t it? Well, it does, it has the unsurprising name Systemd Hardening Helper (shh), and it works! To an extent. There are a bunch of TODOs and not all hardening options are implemented.
The basic idea is the same as audit2allow: run the service under strace, parse the trace, and derive the systemd options the service can tolerate from what it actually did. That’s it. The UX is reasonably good, and while, as mentioned, not all options are covered, it provides a good starting point for further improvements.
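What such a tool does, in miniature, as an added example: the script below is toy code written for this page, not shh’s implementation, and it derives only a handful of directives (RestrictAddressFamilies= from socket(2) calls, ReadWritePaths= and PrivateTmp= from files opened for writing, ProtectHome= from which paths were touched). The service name mydaemon and every trace line in the sample are constructed.

```shell
#!/usr/bin/env bash
# Added example: a toy version of the strace-to-hardening idea. Not shh's code;
# it derives only a handful of directives and is meant to show the mechanics.
# "mydaemon" and every trace line below are constructed for the demo.
set -euo pipefail
export LC_ALL=C

# What `strace -f -e trace=%network,%file -o trace.log mydaemon` might record.
# The leading pid column comes from -f (follow children).
sample_trace() {
    cat <<'EOF'
1201  openat(AT_FDCWD, "/etc/mydaemon/config.toml", O_RDONLY|O_CLOEXEC) = 3
1201  openat(AT_FDCWD, "/usr/lib64/libssl.so.3", O_RDONLY|O_CLOEXEC) = 3
1201  socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0) = 4
1201  connect(4, {sa_family=AF_UNIX, sun_path="/run/systemd/journal/socket"}, 30) = 0
1201  socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 5
1201  bind(5, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
1202  socket(AF_INET6, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 6
1202  openat(AT_FDCWD, "/var/lib/mydaemon/state.db", O_RDWR|O_CREAT|O_CLOEXEC, 0600) = 7
1202  openat(AT_FDCWD, "/tmp/mydaemon.lock", O_WRONLY|O_CREAT, 0644) = 8
EOF
}

join_words() { tr '\n' ' ' | sed 's/ $//'; }

# Families handed to socket(2), deduplicated: the value for RestrictAddressFamilies=.
# A family missing from the trace will fail with EAFNOSUPPORT once the unit is live.
address_families() {
    awk '/(^|[[:space:]])socket\(AF_/ { sub(/.*socket\(/, ""); sub(/,.*/, ""); print }' |
        sort -u | join_words
}

# Directories opened for writing. Under ProtectSystem=strict everything is
# read-only except ReadWritePaths=, so these are the candidates; /tmp and
# /var/tmp are left out because PrivateTmp= handles them.
written_dirs() {
    awk -F'"' '/open(at)?\(.*O_(WRONLY|RDWR|CREAT)/ {
            d = $2; sub("/[^/]*$", "", d); if (d == "") d = "/"
            if (d !~ "^/(var/)?tmp(/|$)") print d
        }' | sort -u
}

uses_tmp()     { grep -E '"/(var/)?tmp(/|")' >/dev/null; }
touches_home() { grep -E '"(/home|/root|/run/user)(/|")' >/dev/null; }

# Read one trace from stdin, scan it a few times, print a drop-in.
derive_dropin() {
    local trace rw af
    trace=$(cat)
    echo '[Service]'
    echo 'NoNewPrivileges=yes'
    echo 'ProtectSystem=strict'
    if printf '%s\n' "$trace" | touches_home; then
        echo '# ProtectHome= left out: the trace touched /home, /root or /run/user'
    else
        echo 'ProtectHome=yes'
    fi
    if printf '%s\n' "$trace" | uses_tmp; then
        echo 'PrivateTmp=yes'
    fi
    rw=$(printf '%s\n' "$trace" | written_dirs | join_words)
    if [ -n "$rw" ]; then
        echo "ReadWritePaths=$rw"
    fi
    af=$(printf '%s\n' "$trace" | address_families)
    if [ -n "$af" ]; then
        echo "RestrictAddressFamilies=$af"
    else
        echo 'PrivateNetwork=yes'   # never called socket(2): it can live without a network
    fi
}

# Real use: capture a trace that exercises every feature of the service, then
#   ./derive.sh trace.log > /etc/systemd/system/mydaemon.service.d/hardening.conf
#   systemctl daemon-reload && systemctl restart mydaemon && systemd-analyze security mydaemon
case "${1:-}" in
    --demo) sample_trace | derive_dropin ;;
    "")     ;;                         # no argument: functions only
    *)      derive_dropin < "$1" ;;
esac
```

The limitation is the same one audit2allow has: the result is only as good as the coverage of the traced run. Anything the service did not do while being traced (a reload, a rarely used code path, an IPv6 client) will be denied once the drop-in is active, so treat the generated file as a first draft, exercise the service properly, and watch the journal for EPERM and EAFNOSUPPORT after enabling it.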
It’s written in Rust, so here’s a chance to learn more of it and improve the security of everyday services. And with all the shitshow going on, we need all the security we can get.
Until the next time, folks. Please try shielding yourselves from orbital bombardment in the meantime.