Stable release: 2025.1.16 (Jan 16, 2025)
SHH (Systemd Hardening Helper)
Automatic systemd service hardening guided by strace profiling.
See this article for an introduction.
Official repository - Mirror repository
Changelog - Currently supported systemd options
Installation
Dependencies
strace must be installed and available in the PATH. strace version >= 6.4 is strongly recommended.
From source
You need a Rust build environment, for example from rustup.
cargo build --release
install -Dm 755 -t /usr/local/bin target/release/shh
Debian (or Debian based distribution)
See GitHub releases for Debian packages built for each tagged version.
Arch Linux
Arch Linux users can install the shh AUR package.
Usage
To harden a system unit named SERVICE.service:
- Start service profiling: shh service start-profile SERVICE. The service will be restarted with strace profiling.
- Use the service normally for a while, trying to cover as many features and use cases as possible.
- Run shh service finish-profile SERVICE -a. The service will be restarted with a hardened configuration built from the previous runtime profiling, allowing it to run safely as was observed during the profiling period while denying other dangerous system actions.
Run shh -h for the full command line reference, or append -h to a subcommand to get help for it.
Services running in per-user instances of the service manager (controlled via systemctl --user ...) are not supported.
Warning: the hardening options generated by shh are by construction not portable across different systems. They depend on many factors, and may break the service if any of those change:
- the code path covered during profiling
- the Linux kernel version
- the libc used
- the systemd version
Reusing options generated by shh on a system with a different environment (i.e. a different Linux distribution) is very likely to break the service.
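As an added example that is not part of shh or its README, this POSIX shell script ties the usage steps above to the portability warning: it wraps the start-profile / finish-profile workflow, checks the strace version recommended under Dependencies, and records the kernel, libc and systemd versions the options were generated on so that reuse in a different environment can be detected. The harden helper and the record path under /var/lib are assumptions, not part of shh.

```shell
#!/bin/sh
# Added example, not part of shh: wraps the profiling workflow and records
# the environment the generated hardening options depend on.
set -eu

# Extract "6.4" from `strace -V` output, whose first line reads
# "strace -- version 6.4".
parse_strace_version() {
    printf '%s\n' "$1" | sed -n 's/^strace -- version \([0-9][0-9.]*\).*/\1/p' | head -n1
}

# Return 0 if version "$1" (major.minor[.patch]) is >= 6.4, as the README recommends.
strace_version_ok() {
    case $1 in *.*) ;; *) set -- "$1.0" ;; esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 6 ]; then return 0; fi
    if [ "$major" -eq 6 ] && [ "$minor" -ge 4 ]; then return 0; fi
    return 1
}

# One-line fingerprint of the factors the README lists as non-portable.
# Takes the kernel release, libc banner and systemd banner as arguments so
# it can be exercised offline.
env_fingerprint() {
    printf 'kernel=%s libc=%s systemd=%s\n' "$1" "$2" "$3"
}
current_fingerprint() {
    env_fingerprint "$(uname -r)" \
        "$(ldd --version 2>/dev/null | head -n1)" \
        "$(systemctl --version | head -n1)"
}
# Return 0 when a recorded fingerprint matches the current one.
same_env() { [ "$1" = "$2" ]; }

# usage: harden SERVICE   (run as root; SERVICE is a system unit name)
harden() {
    v=$(parse_strace_version "$(strace -V)")
    strace_version_ok "$v" || echo "warning: strace $v is older than 6.4" >&2
    shh service start-profile "$1"
    printf 'Exercise %s now, then press Enter to finish profiling: ' "$1"
    read -r _
    shh service finish-profile "$1" -a
    # Hypothetical record path: where the options were generated, for later comparison.
    current_fingerprint > "/var/lib/shh-profile-env-$1.txt"
    systemd-analyze security "$1"   # compare with the score taken before hardening
}
if [ $# -gt 0 ]; then harden "$1"; fi
```

Before reusing a saved drop-in elsewhere, compare the recorded file against current_fingerprint with same_env; a mismatch is exactly the situation the warning above describes.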
License