Developing, deploying, and using software securely is important, and its importance only continues to grow with time. The ConfD User Guide explains how to increase the security of ConfD deployments and describes options for verifying that the confd.conf configuration file and other resources under ConfD's direct control don't contain any glaring security issues.
This naturally raises the question of whether anything else can be done to further enhance the security and robustness of ConfD deployments. The answer is "yes": we can leverage the security and sandboxing capabilities of the standard Linux systemd init daemon. We have written an application note that describes how to do so using systemd and namespaces. Systemd provides a significant number of security features that can be used to isolate services and applications from each other as well as from the underlying operating system. In many cases, systemd provides easy access to the same Linux kernel mechanisms that are also used to create isolation for Linux containers.
In this application note, we show how to use these mechanisms to improve the security of ConfD deployments without any loss of functionality. If the ConfD process is ever compromised once these options are active, the potential for a breakout and ensuing damage to the rest of the system is drastically reduced.
Download this application note to learn how to use the systemd init daemon and its namespace features to further enhance the security and robustness of ConfD deployments.