cpfpd define Address Families for hardening


ID: 360
PHID: PHID-TASK-dm4tx4n2w74hk3j4v7g6
Author: HulaHoop
Status at Migration Time: invalid
Priority at Migration Time: Needs Triage


RestrictAdressFamilies, a systemd.exec feature would have been a good option to bring limit surface attack because it excludes obscure protocols from interacting with the daemon, but its not available on x86:



 Note that this option has no effect on 32-bit x86 and is ignored (but
 works correctly on x86-64)."

Unfortunately iptables cannot recognize or limit address families it is something up to the process itself:

This is something that can be defined in the python script by specifying
it as a socket parameter:


search for AF_INET

cpfpd’s code could include this for further hardening.



2015-06-21 20:53:02 UTC