Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Best systemd hardening is switching to OpenRC or runit


Do you have any references for doing similar system hardening under either of those?


Yeah. With OpenRC or runit, the idea is you just layer the security on yourself since the base is so minimal. Honestly, the best place to start for any system is Madaidan’s Linux Hardening Guide. It’s super thorough and works for pretty much anything. From there, you can add other tools. The Gentoo Hardened setup with SELinux is an option, but it’s a ton of work. AppArmor is way easier for just locking down specific services and apps, it’s what Alpine uses and it’s pretty effective. And for sandboxing random apps, Firejail is perfect. You can just wrap it around your browser or anything else you don’t fully trust to keep it contained. Gives you a lot of control.

https://madaidans-insecurities.github.io/guides/linux-harden...

https://discuss.privacyguides.net/t/add-gentoo-linux-void-li...

https://github.com/gentoo/hardened-refpolicy

https://krython.com/post/hardening-alpine-linux-system-secur...


No, switching to Qubes OS is the real hardening.


also true


An unbootable system is indeed harder to exploit!

/s


Why would OpenRC or runit be any less likely to boot?


My response was a joke to a low-effort comment, but in general - systemd is complex because it solves the complex problem of booting up a system, complete with error handling, logging, etc. Many of the alternatives simply ignore part of the problem space, making the simple case simpler, but the complex case impossible.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: