0xfedcafe 7 days ago

Best systemd hardening is switching to OpenRC or runit

mcpherrinm 7 days ago | parent | next [-]

Do you have any references for doing similar system hardening under either of those?

0xfedcafe 7 days ago | parent [-]

Yeah. With OpenRC or runit, the idea is you just layer the security on yourself since the base is so minimal. Honestly, the best place to start for any system is Madaidan’s Linux Hardening Guide. It’s super thorough and works for pretty much anything. From there, you can add other tools. The Gentoo Hardened setup with SELinux is an option, but it’s a ton of work. AppArmor is way easier for just locking down specific services and apps, it’s what Alpine uses and it’s pretty effective. And for sandboxing random apps, Firejail is perfect. You can just wrap it around your browser or anything else you don’t fully trust to keep it contained. Gives you a lot of control.

https://madaidans-insecurities.github.io/guides/linux-harden...

https://discuss.privacyguides.net/t/add-gentoo-linux-void-li...

https://github.com/gentoo/hardened-refpolicy

https://krython.com/post/hardening-alpine-linux-system-secur...

fsflover 7 days ago | parent | prev | next [-]

No, switching to Qubes OS is the real hardening.

0xfedcafe 7 days ago | parent [-]

also true

gf000 7 days ago | parent | prev [-]

An unbootable system is indeed harder to exploit!

/s

yjftsjthsd-h 7 days ago | parent [-]

Why would OpenRC or runit be any less likely to boot?

gf000 6 days ago | parent [-]

My response was a joke to a low-effort comment, but in general - systemd is complex because it solves the complex problem of booting up a system, complete with error handling, logging, etc. Many of the alternatives simply ignore part of the problem space, making the simple case simpler, but the complex case impossible.