Jean-Christophe jcberthon

security and hardening options for systemd service units

A common and reliable pattern in service unit files is thus:

NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
DevicePolicy=closed
ProtectSystem=strict

Currently, there is an explosion of tools that aim to manage secrets for automated, cloud native infrastructure management. Daniel Somerfield did some work classifying the various approaches, but (as far as I know) no one has made a recent effort to summarize the various tools.

This is an attempt to give a quick overview of what can be found out there. The list is alphabetical. There will be tools that are missing, and some of the facts might be wrong--I welcome your corrections. For the purpose, I can be reached via @maxvt on Twitter, or just leave me a comment here.

There is a companion feature matrix of various tools. Comments are welcome in the same manner.

Linux NetFilter, IP Tables and Conntrack Diagrams

IPTABLES TABLES and CHAINS

IPTables has the following 4 built-in tables.

1) Filter Table

Filter is default table for iptables. So, if you don’t define you own table, you’ll be using filter table. Iptables’s filter table has the following built-in chains.

THIS GIST WAS MOVED TO TERMSTANDARD/COLORS REPOSITORY.

PLEASE ASK YOUR QUESTIONS OR ADD ANY SUGGESTIONS AS A REPOSITORY ISSUES OR PULL REQUESTS INSTEAD!

	# IMPORTANT!
	# This gist has been transformed into a github repo
	# You can find the most recent version there:
	# https://github.com/Neo23x0/auditd

	# ___ ___ __ __
	# / \| __ ______/ (_) /_____/ /
	# / /\| \|/ / / / __ / / __/ __ /
	# / ___ / /_/ / /_/ / / /_/ /_/ /
	# /_/ \|_\__,_/\__,_/_/\__/\__,_/

	#!/bin/bash
	GARBAGE="/var/lib/docker/aufs/diff"
	du -hd 1 $GARBAGE \| sort -hrk 1 \| head -25
	find $GARBAGE -maxdepth 1 -name *-removing -exec rm -rf '{}' \;

	flush ruleset

	# filter
	table ip filter {
	chain input {
	type filter hook input priority 0; policy drop;
	ct state invalid counter drop comment "drop invalid packets"
	ct state {established, related} counter accept comment "accept all connections related to connections made by us"
	iifname lo accept comment "accept loopback"
	iifname != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"

	# -- mode: ruby --
	# vi: set ft=ruby :

	# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
	VAGRANTFILE_API_VERSION = '2'

	Vagrant.configure(VAGRANTFILE_API_VERSION) do \|config\|
	# All Vagrant configuration is done here. The most common configuration
	# options are documented and commented below. For a complete reference,
	# please see the online documentation at vagrantup.com.

	sudo apt-get install -y supervisor

	sudo mkdir /usr/share/elasticsearch
	cd /usr/share/elasticsearch

	sudo wget https://download.elasticsearch.org/kibana/kibana/kibana-4.0.1-linux-x64.tar.gz
	sudo wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.4.4.tar.gz
	sudo wget https://download.elasticsearch.org/logstash/logstash/logstash-1.4.2.tar.gz

	sudo tar -zxvf elasticsearch-0.90.0.tar.gz

	#!/usr/bin/env bash

	# check_freak.sh
	# (c) 2015 Martin Seener

	# Simple script which checks SSL/TLS services for the FREAK vulnerability (CVE 2015-0204)
	# It will output if the checked host is vulnerable and returns the right exit code
	# so it can also be used as a nagios check!

	PROGNAME=$(basename $0)