How do I install avahi yet never run avahi-daemon?

I wonder how large a population of fedora users have security consciousness? This question is directed your way.

My current system building practice uses a minimal kickstart followed by ansible playbooks. The avahi package turns out to be one of those necessary evils the way packages I do want are built. A rather straightforward workaround is to stop and mask

avahi-daemon.socket
avahi-daemon.service

as suggested by Red Hat. Still the daemon runs for some non-zero amount of time between installing the service and masking the service.

Are there any schemes that allow me to install avahi via ansible where the daemon never runs? I did not find a way to do it with rpm directly nor with dnf.

As I expand what gets installed with this automation I expect to find other services being started that I would rather have masked so avahi is serving as an example of a broader issue.

I’ve decided that for now I will disable units on a case by case basis rather than a blanket disable that overrides all the fedora defaults. The work fedora has put into their defaults over the years is a job well done.

To get the new custom defaults active the presets file has to exist before the package is installed. I see how to install the presets file in a kickstart %post script but that is too late for some packages. So a reset-to-presets also needs to be performed before first boot. This technique makes the kickstart services command useless.

%post
...
# some things cannot be handled by presets
: mask units
units="\
  sshd-keygen@rsa.service \
  sshd-keygen@ecdsa.service \
  systemd-suspend.service \
  systemd-hibernate.service \
  systemd-hybrid-sleep.service \
  systemd-suspend-then-hibernate.service \
  suspend.target \
"
for unit in $units
do
  systemctl mask $unit
done

:  system-preset overrides
install -o root -g root -m 0755 -Z -d /etc/systemd/system-preset
install -o root -g root -m 0644 -Z /dev/null /etc/systemd/system-preset/00-custom.preset
cat<<'EOF' | tee /etc/systemd/system-preset/00-custom.preset
# custom deviations from upstream presets
disable avahi-daemon.*
disable dnf-makecache.timer
disable fwupd-refresh.timer
disable irqbalance.service
# redo anaconda deviations from upstream presets
enable dnsconfd.service
disable rpmdb-migrate.service
disable rpmdb-rebuild.service
EOF
systemctl preset-all
: redo anaconda default target selection
systemctl set-default multi-user.target
...
%end

This is controlled by the preset files as described by man systemd.preset.

You can create a file in /etc/systemd/system-preset with a suffix of .preset which overrides the default preset for avahi. For example name it /etc/systemd/system-preset/10-no-avahi.preset.

The default is

# https://fedoraproject.org/w/index.php?title=Starting_services_by_default&oldid=377748
enable avahi-daemon.*

I think a lot of people in Fedora are security conscious. I use Fedora because I trust the defaults - there are a few things like you indicate that could be tightened.

Let us know what you find.

You leave that in place. In your new file you could specify

disable avahi-daemon.*

which will take precedence if the new file name comes alphabetically before 90-systemd.preset.

PS: I assume that not installing avahi is not an option.
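The two replies above, and the kickstart %post snippet earlier in the thread, all rely on the same rule from systemd.preset(5): preset files are read in lexicographic order of their names, an /etc file shadows a /usr/lib file with the same name, and the first enable/disable line whose glob matches the unit decides. The script below is an added example, not code from this thread or from Fedora; it re-implements that rule in POSIX sh over a constructed preset tree so you can check, before installing a package, what "systemctl preset" will do with its units. The file names 10-no-avahi.preset and 90-systemd.preset come from the replies, 99-default-disable.preset mirrors the "disable *" file Fedora ships, and 50-example.preset is invented to show the /etc-over-/usr/lib shadowing.

```shell
#!/bin/sh
# Resolve what "systemctl preset UNIT" would decide for a unit by applying the
# systemd.preset(5) rules to a tree of preset files:
#   * files from ETC_DIR and LIB_DIR are merged by basename, and an ETC_DIR
#     file shadows a LIB_DIR file of the same name
#   * the merged list is processed in lexicographic order of file names
#   * within a file, the first enable/disable line whose glob matches wins
#   * if no line anywhere matches, the unit is enabled; Fedora's shipped
#     99-default-disable.preset ("disable *") is what turns that into disable
# Prints "<verb> <file that decided>" on one line.
preset_action() {
  etc_dir=$1
  lib_dir=$2
  unit=$3
  names=$(for f in "$etc_dir"/*.preset "$lib_dir"/*.preset; do
            [ -e "$f" ] && basename "$f"
          done | sort -u)
  for name in $names; do
    if [ -e "$etc_dir/$name" ]; then
      file=$etc_dir/$name
    else
      file=$lib_dir/$name
    fi
    while IFS= read -r line || [ -n "$line" ]; do
      # a preset line is "<verb> <glob> [<glob> ...]"; skip comments and blanks
      case $line in ''|'#'*) continue ;; esac
      set -f                      # no pathname expansion while splitting globs
      set -- $line
      set +f
      verb=$1
      shift
      for pattern in "$@"; do
        # an unquoted variable in a case label is matched as a shell glob,
        # which is the same matching systemd applies to preset patterns
        case $unit in
          $pattern) printf '%s %s\n' "$verb" "$name"; return 0 ;;
        esac
      done
    done < "$file"
  done
  printf 'enable (no match)\n'
}

# Constructed fixture (example files, not a copy of a real Fedora install):
# "lib" stands in for /usr/lib/systemd/system-preset, "etc" for
# /etc/systemd/system-preset. Prints the fixture root.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/etc" "$root/lib"
  # vendor presets
  printf 'enable avahi-daemon.*\nenable sshd.service\n' > "$root/lib/90-systemd.preset"
  printf 'enable irqbalance.service\n' > "$root/lib/50-example.preset"
  printf 'disable *\n' > "$root/lib/99-default-disable.preset"
  # local overrides: the file suggested in the thread, plus one that shadows
  # a vendor file of the same name
  printf '# keep avahi off even though 90-systemd.preset enables it\n' > "$root/etc/10-no-avahi.preset"
  printf 'disable avahi-daemon.*\n' >> "$root/etc/10-no-avahi.preset"
  printf 'disable irqbalance.service\n' > "$root/etc/50-example.preset"
  printf '%s\n' "$root"
}

# Demo: show the decision and the file that made it for a few units.
root=$(make_fixture)
for u in avahi-daemon.service avahi-daemon.socket sshd.service irqbalance.service cups.service; do
  printf '%-24s -> %s\n' "$u" "$(preset_action "$root/etc" "$root/lib" "$u")"
done
rm -rf "$root"
```

Because the decision is made by "systemctl preset" at package install time (the %post scriptlet of most Fedora packages runs it), the ordering the original poster is after follows directly: in a playbook or kickstart, the task that writes /etc/systemd/system-preset/10-no-avahi.preset must run before the task that installs avahi, and a later "systemctl preset-all" only matters for packages that were installed before the file existed.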