Securing and Sandboxing ConfD using Systemd

Developing, deploying, and using software securely is important, and its importance only continues to grow with time. The ConfD User Guide contains information about how to increase the security of ConfD deployments, as well as options to verify that the confd.conf configuration file and other resources under ConfD’s direct control don’t contain any glaring security issues.

The question then naturally arises whether there is anything else that can be done to further enhance the security and robustness of ConfD deployments. The answer is “yes”: we can leverage the security and sandboxing capabilities enabled by the standard Linux systemd service. I’ve written a new application note, “Securing and Sandboxing ConfD using Systemd”, that describes how to use the systemd init daemon and namespaces, both features available in most modern Linux distributions, to further enhance the security and robustness of ConfD deployments.

Systemd provides a significant number of security features that can be used to isolate services and applications from each other as well as from the underlying operating system. In many cases, systemd provides easy access to the same Linux kernel mechanisms that are used to create isolation for Linux containers. The ability to provide container-style isolation for traditional applications and services is powerful because it makes it easy to improve the security and isolation of workloads without the operational impact that containers bring. It’s worth noting that the operational and organizational changes inspired by container adoption are indeed healthy and worthwhile. However, even in the most container-savvy enterprise, there are large numbers of traditional Linux deployments where security is a top priority.

In this application note, I show how to use these mechanisms to improve the security of ConfD deployments without any loss of functionality. If the ConfD process is ever compromised once these options are active, the potential for a breakout and ensuing damage to the rest of the system is drastically reduced.
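
To make the kind of option discussed above concrete, here is an added sketch of a systemd drop-in; it is not taken from the application note or from the ConfD distribution. The unit name `confd.service`, the drop-in file name, the `/path/to/confd/...` directories, and the assumption that ConfD already runs as an unprivileged user and listens only on ports above 1024 are all placeholders to adapt.

```ini
# /etc/systemd/system/confd.service.d/hardening.conf
# (hypothetical drop-in; unit name and paths are assumptions)
[Service]
# No privilege gain through setuid/setgid binaries or file capabilities.
NoNewPrivileges=yes
RestrictSUIDSGID=yes

# Assumes an unprivileged User= is set in the main unit and that no
# privileged port is bound, so no capabilities are needed at all.
CapabilityBoundingSet=

# Mount the whole file system read-only for this service, then
# re-open only the directories the daemon must write to
# (placeholders: database, state and log directories).
ProtectSystem=strict
ReadWritePaths=/path/to/confd/var /path/to/confd/log

# Hide home directories; give the service its own /tmp and /var/tmp.
ProtectHome=yes
PrivateTmp=yes

# Private /dev with only pseudo-devices such as /dev/null.
PrivateDevices=yes

# Kernel tunables, module loading and the cgroup tree are off limits.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes

# The service may not create new namespaces or change its
# execution domain.
RestrictNamespaces=yes
LockPersonality=yes

# Only the socket families a management daemon typically needs
# (assumption: northbound access over IP plus local UNIX sockets).
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
```

After `systemctl daemon-reload` and a service restart, `systemd-analyze security confd.service` reports which sandboxing settings are in effect and which exposure remains. Each directive should be validated against the northbound interfaces and file locations the deployment actually uses before it is rolled out.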

Download this application note to learn more about how to secure and sandbox ConfD using systemd.