systemd: lock down systemctl status

Mitigates a security issue that allows unprivileged users to read other unprivileged user's processes' credentials from CGroup using `systemctl status`.
2020-07-27 17:26:45 +00:00 · 2020-07-27 17:26:45 +00:00 · 0248e6493f
commit 0248e6493f
parent 6e694890eb
3 changed files with 59 additions and 0 deletions
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@ -42,6 +42,9 @@ in {

    networking.firewall.enable = true;

+    # hideProcessInformation even if hardened kernel profile is disabled
+    security.hideProcessInformation = true;
+
    # Tor
    services.tor = {
      enable = true;