rsyslog as a low priv user with no capabilities other than listen and log
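[Unit]
# by: Cody Kochmann
# describe the service so journald logs make sense
Description=System Logging Service
# pull the syslog socket and journald in with this service. Requires= alone
# carries no ordering, so the start order is stated separately below
Requires=syslog.socket systemd-journald.service
# start only after the socket exists and journald is up (the ordering on the
# activating socket is implicit; it is listed here for clarity)
After=syslog.socket systemd-journald.service
# local manual
Documentation=man:rsyslogd(8)
# official docs online
Documentation=https://www.rsyslog.com/doc/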
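[Service]
# rsyslogd reports readiness over sd_notify; socket activation itself comes
# from syslog.socket in [Unit], not from this setting
Type=notify
# low priv user
User=syslog
# -n keeps rsyslogd in the foreground under systemd; -iNONE writes no pid file
# (nothing outside ReadWritePaths is writable under ProtectSystem=strict)
ExecStart=/usr/sbin/rsyslogd -n -iNONE
# dont really need stdout for something reading stdout of all services
StandardOutput=null
# stderr defaults to inherit, i.e. a copy of stdout, which would silently drop
# config-parse and startup errors; keep those in the journal
StandardError=journal
# configure auto restart only for failures
Restart=on-failure
# open file limit; raise it if this host accepts many TCP log clients
LimitNOFILE=256
# remove all caps
CapabilityBoundingSet=
# the bounding set is only an upper bound. With a non-root User= the process
# gets no capabilities except those in AmbientCapabilities=, so the bound is
# kept equal to what is actually granted (the previously listed CAP_NET_RAW,
# CAP_NET_BROADCAST and CAP_SYSLOG were never handed to the process)
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# the one cap the process really holds: binding a privileged port (<1024).
# NOTE(review): if rsyslog.conf loads imklog and kernel.dmesg_restrict=1,
# reading /dev/kmsg needs CAP_SYSLOG added here and to the bounding set above
AmbientCapabilities=CAP_NET_BIND_SERVICE
# lock in these privs
NoNewPrivileges=yes
# give it its own tmp dir
PrivateTmp=yes
# no need to access home
ProtectHome=yes
# no need to mod up kernel modules
ProtectKernelModules=yes
# no need for it to tweak kernel settings
ProtectKernelTunables=yes
# ProtectKernelLogs= and PrivateDevices= are deliberately left off: both hide
# /dev/kmsg, which imklog reads
# general system lockout
ProtectSystem=strict
# explicitly give it write access to /var/log since.... its a log server
# NOTE(review): if rsyslog.conf sets a WorkDirectory (disk-assisted queues,
# imjournal state file), that path must be listed here too or the daemon
# cannot write it
ReadWritePaths=/var/log
# further no-cost restrictions for a daemon that only listens and writes logs
ProtectControlGroups=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes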
[Install]
# expose the same unit under the generic syslog.service name
Alias=syslog.service
# enable under the normal multi-user boot target
WantedBy=multi-user.target