cpfpd define Address Families for hardening

Information

ID: 360
PHID: PHID-TASK-dm4tx4n2w74hk3j4v7g6
Author: HulaHoop
Status at Migration Time: invalid
Priority at Migration Time: Needs Triage

Description

RestrictAddressFamilies, a systemd.exec feature, would have been a good option to limit the attack surface because it excludes obscure protocols from interacting with the daemon, but it's not available on x86:

Quote:

"RestrictAddressFamilies=

Note that this option has no effect on 32-bit x86 and is ignored (but works correctly on x86-64)."

Unfortunately iptables cannot recognize or limit address families; it is something up to the process itself:

This is something that can be defined in the python script by specifying
it as a socket parameter:

https://docs.python.org/2/library/socket.html

search for AF_INET

cpfpd’s code could include this for further hardening.
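As an added illustration of the in-process approach described above (example code written for this page, not cpfpd's own code; it targets Python 3 rather than the Python 2 docs linked), the daemon funnels every socket creation through one helper that refuses any address family outside an allowlist, and resolves bind addresses with getaddrinfo() pinned to AF_INET so a hostname that also has an IPv6 record cannot silently switch the family. The allowlist containing only AF_INET is an assumption for the example; a real deployment would add AF_UNIX if a control socket is used.

```python
import socket

# Address families this daemon is allowed to use. A control-port filter talks
# to a local TCP port, so plain IPv4 is enough here; everything else
# (AF_INET6, AF_UNIX, AF_NETLINK, AF_PACKET, ...) is refused. This allowlist is
# an assumption for the example, not cpfpd's own configuration.
ALLOWED_FAMILIES = frozenset({socket.AF_INET})


def family_allowed(family):
    """Return True if the address family is on the allowlist."""
    return family in ALLOWED_FAMILIES


def open_socket(family, sock_type=socket.SOCK_STREAM):
    """Create a socket, refusing any address family not on the allowlist.

    Routing all socket creation through this helper is the in-process
    counterpart of systemd's RestrictAddressFamilies=: it does not stop an
    already-compromised process from calling socket.socket() directly, but it
    keeps the daemon's own code from ever reaching for an obscure family.
    """
    if not family_allowed(family):
        raise PermissionError("address family %r is not permitted" % (family,))
    return socket.socket(family, sock_type)


def resolve_ipv4_only(host, port):
    """Resolve host:port, accepting only IPv4 results.

    Passing family=AF_INET to getaddrinfo() means a hostname with an AAAA
    record cannot quietly move the daemon onto AF_INET6.
    """
    infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    if not infos:
        raise OSError("no IPv4 address for %s" % host)
    family, _sock_type, _proto, _canon, sockaddr = infos[0]
    return family, sockaddr


def make_listener(host="127.0.0.1", port=0, backlog=5):
    """Bind an IPv4-only TCP listening socket and return it.

    port=0 asks the kernel for an ephemeral port so the example runs without
    clashing with a real service.
    """
    family, sockaddr = resolve_ipv4_only(host, port)
    sock = open_socket(family, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(sockaddr)
    sock.listen(backlog)
    return sock


def listener_family_name(sock):
    """Return the symbolic address-family name of a socket, e.g. 'AF_INET'."""
    return socket.AddressFamily(sock.family).name


def probe_family(name):
    """Try to open a socket of the named family (e.g. 'AF_INET6').

    Returns 'opened' if the allowlist permitted it and 'refused' otherwise;
    useful as a self-check when the daemon starts.
    """
    family = getattr(socket, name)
    try:
        sock = open_socket(family)
    except PermissionError:
        return "refused"
    sock.close()
    return "opened"


if __name__ == "__main__":
    srv = make_listener()
    host, port = srv.getsockname()
    print("listening on %s:%d via %s" % (host, port, listener_family_name(srv)))
    srv.close()
    for name in ("AF_INET", "AF_INET6"):
        print("%s: %s" % (name, probe_family(name)))
```

Pairing this with RestrictAddressFamilies= in the unit file (where the architecture honours it) gives two independent layers: the kernel-enforced filter where available, and the daemon's own refusal everywhere.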

Comments


HulaHoop

2015-06-21 20:53:02 UTC