Add systemd configurations to strengthen OS core security

Rajat Gupta · Rajat Gupta · commit 71b2584ecbdc · 2025-01-24T00:28:21.000-08:00
Signed-off-by: Rajat Gupta &lt;gptrajat@amazon.com&gt;
diff --git a/distribution/packages/src/common/systemd/opensearch.service b/distribution/packages/src/common/systemd/opensearch.service
@@ -60,6 +60,101 @@ SuccessExitStatus=143
 # Allow a slow startup before the systemd notifier module kicks in to extend the timeout
 TimeoutStartSec=75
 
+# Prevent modifications to the control group filesystem
+ProtectControlGroups=true
+
+# Prevent loading or reading kernel modules
+ProtectKernelModules=true
+
+# Prevent altering kernel tunables (sysctl parameters)
+ProtectKernelTunables=true
+
+# Set device access policy to 'closed', allowing access only to specific devices
+DevicePolicy=closed
+
+# Make /proc invisible to the service, enhancing isolation
+ProtectProc=invisible
+
+# Make /usr, /boot, and /etc read-only (less restrictive than 'strict')
+ProtectSystem=full
+
+# Prevent changes to control groups (redundant with earlier setting, can be removed)
+ProtectControlGroups=yes
+
+# Prevent changing the execution domain
+LockPersonality=yes
+
+
+# System call filtering
+# System call filterings which restricts which system calls a process can make
+# @ means allowed
+# ~ means not allowed
+SystemCallFilter=@system-service
+SystemCallFilter=~@reboot
+SystemCallFilter=~@swap
+
+SystemCallErrorNumber=EPERM
+
+# Capability restrictions
+# Remove the ability to block system suspends
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND
+
+# Remove the ability to establish leases on files
+CapabilityBoundingSet=~CAP_LEASE
+
+# Remove the ability to use system resource accounting
+CapabilityBoundingSet=~CAP_SYS_PACCT
+
+# Remove the ability to configure TTY devices
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+
+# Remov below capabilities:
+# - CAP_SYS_ADMIN: Various system administration operations
+# - CAP_SYS_PTRACE: Ability to trace processes
+# - CAP_NET_ADMIN: Various network-related operations
+CapabilityBoundingSet=~CAP_SYS_ADMIN ~CAP_SYS_PTRACE ~CAP_NET_ADMIN
+
+
+# Address family restrictions
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+
+# Filesystem Access
+
+ReadWritePaths=/var/log/opensearch
+ReadWritePaths=/var/lib/opensearch
+ReadWritePaths=/mnt/snapshots
+
+## Allow read access to system files
+ReadOnlyPaths=/etc/os-release /usr/lib/os-release /etc/system-release
+
+## Allow read access to Linux IO stats
+ReadOnlyPaths=/proc/self/mountinfo /proc/diskstats
+
+## Allow read access to control group stats
+ReadOnlyPaths=/proc/self/cgroup /sys/fs/cgroup/cpu /sys/fs/cgroup/cpu/-
+ReadOnlyPaths=/sys/fs/cgroup/cpuacct /sys/fs/cgroup/cpuacct/- /sys/fs/cgroup/memory /sys/fs/cgroup/memory/-
+
+
+RestrictNamespaces=true
+
+NoNewPrivileges=true
+
+# Memory and execution protection
+MemoryDenyWriteExecute=true           # Prevent creating writable executable memory mappings
+SystemCallArchitectures=native        # Allow only native system calls
+KeyringMode=private                   # Service does not share key material with other services
+LockPersonality=true                  # Prevent changing ABI personality
+RestrictSUIDSGID=true                 # Prevent creating SUID/SGID files
+RestrictRealtime=true                 # Prevent acquiring realtime scheduling
+ProtectHostname=true                  # Prevent changes to system hostname
+ProtectKernelLogs=true                # Prevent reading/writing kernel logs
+ProtectClock=true                     # Prevent tampering with the system clock
+
+# Socket restrictions
+SocketBindAllow=tcp:9200
+SocketBindAllow=tcp:9300
+SocketBindDeny=any                    # Deny all other socket bindings
+
 [Install]
 WantedBy=multi-user.target
 
