Fedora 40 To Apply Systemd Security Hardening

Written by Michael Larabel in Fedora on 14 December 2023 at 07:28 PM EST. 27 Comments
Fedora 40 is planning to provide more hardened system security by leveraging some high-level security features provided by systemd.

Upstream systemd ships with a number of optional settings that can be used to harden the security for services run by systemd. Fedora developers now have approval for enabling a number of these settings to beef up their defenses.

Among the systemd options to be enabled are PrivateTmp, ProtectSystem, ProtectHome, ProtectClock, ProtectHostname, ProtectKernelModules, PrivateDevices, PrivateNetwork, NoNewPrivileges, ProtectKernelTunables, and a variety of other options that apply additional restrictions and isolation around running systemd services.
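As an added example (not code from the article or from the Fedora change proposal), the script below shows what turning on the directives named above looks like for one service: an unhardened unit, a drop-in that enables them, and a small POSIX shell audit that reports which of those directives a unit still lacks. The unit name, paths and daemon are constructed, and values such as ProtectSystem=strict are one reasonable choice, not the settings Fedora will ship.

```shell
#!/bin/sh
# Added example, not code from the article or from the Fedora change proposal.
# Writes a constructed sample unit with no hardening, a drop-in that turns on
# the directives the article names, and audits which of those a unit still
# lacks. Everything lives under a temp dir so it runs offline without systemd.

# The directives named in the article (a subset of systemd's sandboxing options).
HARDENING_DIRECTIVES="PrivateTmp ProtectSystem ProtectHome ProtectClock \
ProtectHostname ProtectKernelModules PrivateDevices PrivateNetwork \
NoNewPrivileges ProtectKernelTunables"

WORK=$(mktemp -d)

# "Before": a constructed service that sets none of them.
cat > "$WORK/example.service" <<'EOF'
[Unit]
Description=Example daemon (constructed sample, not a real Fedora unit)

[Service]
ExecStart=/usr/bin/example-daemon
EOF

# Unhardened copy kept as-is, for comparison by the audit below.
cp "$WORK/example.service" "$WORK/plain.service"

# "After": a drop-in, the file `systemctl edit example.service` would create as
# /etc/systemd/system/example.service.d/override.conf on a real host.
# PrivateNetwork= is left out on purpose: a daemon that needs network access
# would stop working with it. ProtectSystem=strict mounts the whole filesystem
# read-only for the service, so anything it must write needs ReadWritePaths=.
mkdir -p "$WORK/example.service.d"
cat > "$WORK/example.service.d/override.conf" <<'EOF'
[Service]
PrivateTmp=yes
ProtectSystem=strict
ReadWritePaths=/var/lib/example-daemon
ProtectHome=yes
ProtectClock=yes
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
PrivateDevices=yes
NoNewPrivileges=yes
EOF

# Print, one per line, the directives from HARDENING_DIRECTIVES that a unit does
# not set anywhere in the unit file or its *.conf drop-ins (a directive set to
# "no" counts as set; the point is to find ones nobody has considered yet).
# Usage: missing_hardening /path/to/foo.service
missing_hardening() {
    unit=$1
    for d in $HARDENING_DIRECTIVES; do
        if ! cat "$unit" "$unit.d"/*.conf 2>/dev/null \
            | grep -Eq "^[[:space:]]*$d[[:space:]]*="; then
            echo "$d"
        fi
    done
}

echo "plain.service lacks:"
missing_hardening "$WORK/plain.service"
echo
echo "example.service (with drop-in) lacks:"
missing_hardening "$WORK/example.service"
```

On a real host the same drop-in goes under /etc/systemd/system/, followed by `systemctl daemon-reload`, and `systemd-analyze security example.service` scores the unit's exposure. The audit only flags directives that are absent altogether; it does not judge weak values (ProtectSystem=yes versus strict, for instance), which is where a per-service review still has to happen.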

The change proposal describes the systemd security benefits to Fedora 40 as:
"Fedora services will get a significant security boost by default by avoiding or mitigating any unknown security vulnerabilities in default system services. Since Fedora will include the very latest version of systemd and other components and has the visibility and control of the default configuration of the services, it can go well beyond what upstream can support directly based on their minimum version of systemd. Since Fedora already has the reputation of being security focused (SELinux enabled by default, system wide compiler flags that enable a number of security features etc), it is in a good position to act as a coordination and integration point.

It can be the first mainstream distribution that enables more of these systemd hardening features by default and push that upstream wherever feasible. This serves the first, features and friends part of the Fedora mission respectively."

The systemd security hardening changes were approved today by the Fedora Engineering and Steering Committee (FESCo) for debuting in Fedora 40 next spring.
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.