Skip to content

Investigate further system security hardening #479

New issue
New issue
Open
Open
Investigate further system security hardening#479
Assignees
jchristgit
Labels
component: securityAn issue relating to host security (e.g. hardened security preferences). This is NOT critical bugs.component: servicesAn issue relating to a Python Discord service (e.g. Bot, Site, Lancebot)group: ansibleIssues and pull requests related to the Ansible setup
@jchristgit

Description

@jchristgit
jchristgit
opened on Aug 21, 2024

Planning ticket to check out and investigate further possibilities at security
hardening. Ideally these should be contributed upstream if applicable.

Things to consider:

  • per-service user accounts (used in any half-sane service)
  • apparmor profiles (used almost nowhere)
  • systemd hardening (used almost nowhere)

Of course, service-specific hardening strategies implemented in code also play a
role. For Postfix and OpenSSH for instance I am way less concerned than e.g. for
Jitsi. At the bare minimum, all services should run under a dedicated user.

This ticket is not for evaluating resource limits per service (e.g. to prevent
DoS on externally reachable services), although it might also be interesting to
evaluate that.

Metadata

Metadata

Assignees

Labels

component: securityAn issue relating to host security (e.g. hardened security preferences). This is NOT critical bugs.component: servicesAn issue relating to a Python Discord service (e.g. Bot, Site, Lancebot)group: ansibleIssues and pull requests related to the Ansible setup

Type

No type

Projects

Infrastructure

Status

Up next

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions