Add systemd configurations to strengthen OS core security (#17107)

* Add systemd configurations to strengthen OS core security Signed-off-by: Rajat Gupta <[email protected]> * Add systemd template unit file Signed-off-by: Rajat Gupta <[email protected]> * Update CHANGELOG-3.0.md Signed-off-by: Rajat Gupta <[email protected]> * Revert "Add systemd configurations to strengthen OS core security" This reverts commit 71b2584. Signed-off-by: Rajat Gupta <[email protected]> * Remove SocketBind Directives and template unit file Signed-off-by: Rajat Gupta <[email protected]> * Minor fixes Signed-off-by: Rajat Gupta <[email protected]> * Modify systemd unit file in core to be in sync with distribution unit file Signed-off-by: Rajat Gupta <[email protected]> * Modify systemd env file to be in sync with opensearch-build Signed-off-by: Rajat Gupta <[email protected]> --------- Signed-off-by: Rajat Gupta <[email protected]> Signed-off-by: Rajat Gupta <[email protected]> Co-authored-by: Rajat Gupta <[email protected]>
opensearch-project · Feb 23, 2025 · e7ac072 · e7ac072
1 parent 4bd1323
commit e7ac072
Show file tree

Hide file tree

Showing 3 changed files with 114 additions and 13 deletions.
diff --git a/CHANGELOG-3.0.md b/CHANGELOG-3.0.md
@@ -14,6 +14,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - [WLM] Add WLM support for search scroll API ([#16981](https://github.com/opensearch-project/OpenSearch/pull/16981))
 - Allow to pass the list settings through environment variables (like [], ["a", "b", "c"], ...) ([#10625](https://github.com/opensearch-project/OpenSearch/pull/10625))
 - Views, simplify data access and manipulation by providing a virtual layer over one or more indices ([#11957](https://github.com/opensearch-project/OpenSearch/pull/11957))
+- Add systemd configurations to strengthen OS core security ([#17107](https://github.com/opensearch-project/OpenSearch/pull/17107))
 - Added pull-based Ingestion (APIs, for ingestion source, a Kafka plugin, and IngestionEngine that pulls data from the ingestion source) ([#16958](https://github.com/opensearch-project/OpenSearch/pull/16958))
 - Added ConfigurationUtils to core for the ease of configuration parsing [#17223](https://github.com/opensearch-project/OpenSearch/pull/17223)
 - Add execution_hint to cardinality aggregator request (#[17312](https://github.com/opensearch-project/OpenSearch/pull/17312))

diff --git a/distribution/packages/src/common/env/opensearch b/distribution/packages/src/common/env/opensearch
@@ -3,17 +3,17 @@
 ################################
 
 # OpenSearch home directory
-#OPENSEARCH_HOME=/usr/share/opensearch
+OPENSEARCH_HOME=/usr/share/opensearch
 
 # OpenSearch Java path
-#OPENSEARCH_JAVA_HOME=
+#OPENSEARCH_JAVA_HOME=/usr/lib/jvm/java-11-amazon-corretto
 
 # OpenSearch configuration directory
 # Note: this setting will be shared with command-line tools
-OPENSEARCH_PATH_CONF=${path.conf}
+OPENSEARCH_PATH_CONF=/etc/opensearch
 
 # OpenSearch PID directory
-#PID_DIR=/var/run/opensearch
+PID_DIR=/var/run/opensearch
 
 # Additional Java OPTS
 #OPENSEARCH_JAVA_OPTS=
@@ -25,11 +25,12 @@ OPENSEARCH_PATH_CONF=${path.conf}
 # OpenSearch service
 ################################
 
-# SysV init.d
-#
 # The number of seconds to wait before checking if OpenSearch started successfully as a daemon process
 OPENSEARCH_STARTUP_SLEEP_TIME=5
 
+# Notification for systemd
+OPENSEARCH_SD_NOTIFY=true
+
 ################################
 # System properties
 ################################
@@ -49,4 +50,4 @@ OPENSEARCH_STARTUP_SLEEP_TIME=5
 # Maximum number of VMA (Virtual Memory Areas) a process can own
 # When using Systemd, this setting is ignored and the 'vm.max_map_count'
 # property is set at boot time in /usr/lib/sysctl.d/opensearch.conf
-#MAX_MAP_COUNT=262144
+#MAX_MAP_COUNT=262144
diff --git a/distribution/packages/src/common/systemd/opensearch.service b/distribution/packages/src/common/systemd/opensearch.service
@@ -1,18 +1,25 @@
+# Copyright OpenSearch Contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# The OpenSearch Contributors require contributions made to
+# this file be licensed under the Apache-2.0 license or a
+# compatible open source license.
+
+# Description:
+# Default opensearch.service file
+
 [Unit]
 Description=OpenSearch
-Documentation=https://www.elastic.co
+Documentation=https://opensearch.org/
 Wants=network-online.target
 After=network-online.target
 
 [Service]
 Type=notify
 RuntimeDirectory=opensearch
 PrivateTmp=true
-Environment=OPENSEARCH_HOME=/usr/share/opensearch
-Environment=OPENSEARCH_PATH_CONF=${path.conf}
-Environment=PID_DIR=/var/run/opensearch
-Environment=OPENSEARCH_SD_NOTIFY=true
-EnvironmentFile=-${path.env}
+EnvironmentFile=-/etc/default/opensearch
+EnvironmentFile=-/etc/sysconfig/opensearch
 
 WorkingDirectory=/usr/share/opensearch
 
@@ -29,6 +36,7 @@ ExecStart=/usr/share/opensearch/bin/systemd-entrypoint -p ${PID_DIR}/opensearch.
 # logging, you can simply remove the "quiet" option from ExecStart.
 StandardOutput=journal
 StandardError=inherit
+SyslogIdentifier=opensearch
 
 # Specifies the maximum file descriptor number that can be opened by this process
 LimitNOFILE=65535
@@ -60,6 +68,97 @@ SuccessExitStatus=143
 # Allow a slow startup before the systemd notifier module kicks in to extend the timeout
 TimeoutStartSec=75
 
+# Prevent modifications to the control group filesystem
+ProtectControlGroups=true
+
+# Prevent loading or reading kernel modules
+ProtectKernelModules=true
+
+# Prevent altering kernel tunables (sysctl parameters)
+ProtectKernelTunables=true
+
+# Set device access policy to 'closed', allowing access only to specific devices
+DevicePolicy=closed
+
+# Make /proc invisible to the service, enhancing isolation
+ProtectProc=invisible
+
+# Make /usr, /boot, and /etc read-only (less restrictive than 'strict')
+ProtectSystem=full
+
+# Prevent changes to control groups (redundant with earlier setting, can be removed)
+ProtectControlGroups=yes
+
+# Prevent changing the execution domain
+LockPersonality=yes
+
+
+# System call filtering
+# System call filterings which restricts which system calls a process can make
+# @ means allowed
+# ~ means not allowed
+SystemCallFilter=@system-service
+SystemCallFilter=~@reboot
+SystemCallFilter=~@swap
+
+SystemCallErrorNumber=EPERM
+
+# Capability restrictions
+# Remove the ability to block system suspends
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND
+
+# Remove the ability to establish leases on files
+CapabilityBoundingSet=~CAP_LEASE
+
+# Remove the ability to use system resource accounting
+CapabilityBoundingSet=~CAP_SYS_PACCT
+
+# Remove the ability to configure TTY devices
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+
+# Remov below capabilities:
+# - CAP_SYS_ADMIN: Various system administration operations
+# - CAP_SYS_PTRACE: Ability to trace processes
+# - CAP_NET_ADMIN: Various network-related operations
+CapabilityBoundingSet=~CAP_SYS_ADMIN ~CAP_SYS_PTRACE ~CAP_NET_ADMIN
+
+
+# Address family restrictions
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+
+# Filesystem Access
+
+ReadWritePaths=/var/log/opensearch
+ReadWritePaths=/var/lib/opensearch
+ReadWritePaths=-/etc/opensearch
+ReadWritePaths=-/mnt/snapshots
+
+## Allow read access to system files
+ReadOnlyPaths=/etc/os-release /usr/lib/os-release /etc/system-release
+
+## Allow read access to Linux IO stats
+ReadOnlyPaths=/proc/self/mountinfo /proc/diskstats
+
+## Allow read access to control group stats
+ReadOnlyPaths=/proc/self/cgroup /sys/fs/cgroup/cpu /sys/fs/cgroup/cpu/-
+ReadOnlyPaths=/sys/fs/cgroup/cpuacct /sys/fs/cgroup/cpuacct/- /sys/fs/cgroup/memory /sys/fs/cgroup/memory/-
+
+
+RestrictNamespaces=true
+
+NoNewPrivileges=true
+
+# Memory and execution protection
+MemoryDenyWriteExecute=true           # Prevent creating writable executable memory mappings
+SystemCallArchitectures=native        # Allow only native system calls
+KeyringMode=private                   # Service does not share key material with other services
+LockPersonality=true                  # Prevent changing ABI personality
+RestrictSUIDSGID=true                 # Prevent creating SUID/SGID files
+RestrictRealtime=true                 # Prevent acquiring realtime scheduling
+ProtectHostname=true                  # Prevent changes to system hostname
+ProtectKernelLogs=true                # Prevent reading/writing kernel logs
+ProtectClock=true                     # Prevent tampering with the system clock
+
 [Install]
 WantedBy=multi-user.target