Add security hardening directives to systemd service files #572

New Issue

MrUnknownDE · 2026-04-05T16:45:16+02:00

MrUnknownDE commented

2026-04-05 16:45:16 +02:00

Originally created by @adionit7 on 1/15/2026

NetBox version

4.5.0

Feature type

Change to existing functionality

Proposed functionality

Enhance the sample systemd service files in contrib/ with modern security hardening directives to improve the security posture of production deployments.

Current state:
The existing netbox.service and netbox-rq.service files include basic configuration but lack security hardening options that are considered best practices.

Proposed changes:
Add systemd security directives such as:

ProtectSystem, ProtectHome (filesystem restrictions)
NoNewPrivileges (prevent privilege escalation)
PrivateDevices (block hardware access)
Kernel/namespace protections
Network protocol restrictions

These follow modern systemd best practices and have no functional impact on NetBox.

Use case

Organizations deploying NetBox in production environments should follow security best practices. The sample systemd files serve as a starting point for deployments, so including security hardening helps admins start with a secure baseline.

These directives reduce the attack surface by applying the principle of least privilege to the NetBox processes.

Database changes

No response

External dependencies

No response

*Originally created by @adionit7 on 1/15/2026* ### NetBox version 4.5.0 ### Feature type Change to existing functionality ### Proposed functionality Enhance the sample systemd service files in `contrib/` with modern security hardening directives to improve the security posture of production deployments. **Current state:** The existing `netbox.service` and `netbox-rq.service` files include basic configuration but lack security hardening options that are considered best practices. **Proposed changes:** Add systemd security directives such as: - ProtectSystem, ProtectHome (filesystem restrictions) - NoNewPrivileges (prevent privilege escalation) - PrivateDevices (block hardware access) - Kernel/namespace protections - Network protocol restrictions These follow modern systemd best practices and have no functional impact on NetBox. ### Use case Organizations deploying NetBox in production environments should follow security best practices. The sample systemd files serve as a starting point for deployments, so including security hardening helps admins start with a secure baseline. These directives reduce the attack surface by applying the principle of least privilege to the NetBox processes. ### Database changes _No response_ ### External dependencies _No response_

MrUnknownDE closed this issue

2026-04-05 16:45:16 +02:00

Sign in to join this conversation.

Branches Tags

main

21455-sql-indexes-audit

21357-register-model-actions

feature

20924-plugin-ui-components

21766-improve-test-coverage-for-sortable-table-columns

21157-export-template-public-models

21025-pre-render-config-contexts

21364-swagger

feature-ip-prefix-link

20911-dropdown-3

fix_module_substitution

21160-filterset

20911-dropdown-2

20044-elevation-stuck-lightmode

7604-filter-modifiers-v3

20660-script-load

19724-graphql

14884-script

19720-macaddress-interface-generic-relation

fix-19669-api-image-download

7604-filter-modifiers

19275-fixes-interface-bulk-edit

fix-17794-get_field_value_return_list

11507-show-aggregate-and-rir-on-api

9583-add_column_specific_search_field_to_tables

No Label netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github/netbox#572