systemd服务安全加固实战:从暴露评分到生产级沙箱配置
从systemd-analyze security安全审计与评分解读,到ProtectSystem、SystemCallFilter等核心加固指令详解,再到Nginx、PostgreSQL和Redis的生产级沙箱配置实战——帮你把服务暴露评分从"危险"降到"安全"。
Tobias spent six years on Canonical's kernel team in the LTS hardening group, mostly working on Livepatch tooling and the long tail of CVE backports nobody wants to do. He left in 2025 to consult independently with Nordic infrastructure customers running large Ubuntu fleets, where most of the work is AppArmor profiles, unattended-upgrades that don't break things, and explaining what kernel.unprivileged_userns_clone actually does. He co-maintains a small open-source tool for diffing kernel config across distributions and contributes occasionally to the linux-hardening mailing list. His side project is a Yocto-based minimal image for industrial gateways that boots in under four seconds with full secure boot. Tobias writes mostly about kernel-level security primitives - namespaces, seccomp, LSMs - with the assumption that you've already read the man page.
从systemd-analyze security安全审计与评分解读,到ProtectSystem、SystemCallFilter等核心加固指令详解,再到Nginx、PostgreSQL和Redis的生产级沙箱配置实战——帮你把服务暴露评分从"危险"降到"安全"。
从2025年runc容器逃逸漏洞(CVE-2025-31133等)出发,系统讲解Seccomp系统调用过滤、AppArmor/SELinux强制访问控制、Podman无根容器及Kubernetes Pod安全标准的实战配置,帮你构建可落地的容器安全纵深防御方案。