Planning ticket to check out and investigate further possibilities at security
hardening. Ideally these should be contributed upstream if applicable.
Things to consider:
- per-service user accounts (used in any half-sane service)
- apparmor profiles (used almost nowhere)
- systemd hardening (used almost nowhere)
Of course, service-specific hardening strategies implemented in code also play a
role. For Postfix and OpenSSH for instance I am way less concerned than e.g. for
Jitsi. At the bare minimum, all services should run under a dedicated user.
This ticket is not for evaluating resource limits per service (e.g. to prevent
DoS on externally reachable services), although it might also be interesting to
evaluate that.
Planning ticket to check out and investigate further possibilities at security
hardening. Ideally these should be contributed upstream if applicable.
Things to consider:
Of course, service-specific hardening strategies implemented in code also play a
role. For Postfix and OpenSSH for instance I am way less concerned than e.g. for
Jitsi. At the bare minimum, all services should run under a dedicated user.
This ticket is not for evaluating resource limits per service (e.g. to prevent
DoS on externally reachable services), although it might also be interesting to
evaluate that.