diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2018-12-09 18:15:10 +0100 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2018-12-09 20:25:40 +0100 |
| commit | 2147ff3bd9091b88960e2243b2d7d76d03cadc89 (patch) | |
| tree | fa970590ab58a1d42913deccbca3adef05eaae83 | |
| parent | 2845af5f76ad3be9c0a1f69ab478ff5a08346a4c (diff) | |
systemd.service: Tighten hardening options.
9 files changed, 48 insertions, 0 deletions
diff --git a/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service index 7e790e3..d20f9c2 100644 --- a/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service +++ b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service @@ -1,22 +1,27 @@ [Unit] Description=Dovecot authentication proxy After=dovecot.target Requires=dovecot-auth-proxy.socket [Service] User=vmail Group=vmail StandardInput=null SyslogFacility=mail ExecStart=/usr/local/bin/dovecot-auth-proxy.pl # Hardening NoNewPrivileges=yes PrivateDevices=yes ProtectSystem=strict ProtectHome=read-only +PrivateDevices=yes +PrivateNetwork=yes +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes RestrictAddressFamilies= [Install] WantedBy=multi-user.target Also=postfix-sender-login.socket diff --git a/roles/MSA/files/etc/systemd/system/postfix-sender-login.service b/roles/MSA/files/etc/systemd/system/postfix-sender-login.service index 09204fa..f5e6d89 100644 --- a/roles/MSA/files/etc/systemd/system/postfix-sender-login.service +++ b/roles/MSA/files/etc/systemd/system/postfix-sender-login.service @@ -1,22 +1,27 @@ [Unit] Description=Postfix sender login socketmap After=mail-transport-agent.target Requires=postfix-sender-login.socket [Service] User=postfix Group=postfix StandardInput=null SyslogFacility=mail ExecStart=/usr/local/bin/postfix-sender-login.pl # Hardening NoNewPrivileges=yes PrivateDevices=yes ProtectHome=yes ProtectSystem=strict +PrivateDevices=yes +PrivateNetwork=yes +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes RestrictAddressFamilies=AF_UNIX [Install] WantedBy=multi-user.target Also=postfix-sender-login.socket diff --git a/roles/bacula-dir/files/etc/systemd/system/bacula-director.service b/roles/bacula-dir/files/etc/systemd/system/bacula-director.service index ba943ce..4873689 100644 --- a/roles/bacula-dir/files/etc/systemd/system/bacula-director.service +++ b/roles/bacula-dir/files/etc/systemd/system/bacula-director.service @@ -1,22 +1,27 @@ [Unit] Description=Bacula Director service After=network.target [Service] Type=simple StandardOutput=syslog User=bacula Group=bacula ExecStart=/usr/sbin/bacula-dir -f -c /etc/bacula/bacula-dir.conf # Hardening NoNewPrivileges=yes PrivateDevices=yes ProtectHome=yes ProtectSystem=strict ReadWriteDirectories=-/var/lib/bacula ReadWriteDirectories=-/var/log/bacula ReadWriteDirectories=-/var/run/bacula +PrivateDevices=yes +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 [Install] WantedBy=multi-user.target diff --git a/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service b/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service index 0117d3d..30fa562 100644 --- a/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service +++ b/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service @@ -1,22 +1,27 @@ [Unit] Description=Bacula Storage Daemon service After=network.target [Service] Type=simple StandardOutput=syslog User=bacula Group=tape ExecStart=/usr/sbin/bacula-sd -f -c /etc/bacula/bacula-sd.conf # Hardening NoNewPrivileges=yes PrivateDevices=yes ProtectHome=yes ProtectSystem=strict ReadWriteDirectories=-/var/lib/bacula ReadWriteDirectories=-/var/run/bacula ReadWriteDirectories=/mnt/backup/bacula +PrivateDevices=yes +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictAddressFamilies=AF_INET AF_INET6 [Install] WantedBy=multi-user.target diff --git a/roles/common/files/etc/systemd/system/bacula-fd.service b/roles/common/files/etc/systemd/system/bacula-fd.service index 192ea1b..792d964 100644 --- a/roles/common/files/etc/systemd/system/bacula-fd.service +++ b/roles/common/files/etc/systemd/system/bacula-fd.service @@ -1,20 +1,25 @@ [Unit] Description=Bacula File Daemon service After=network.target [Service] Type=simple StandardOutput=syslog ExecStart=/usr/sbin/bacula-fd -f -c /etc/bacula/bacula-fd.conf # Hardening NoNewPrivileges=yes PrivateDevices=yes ProtectHome=read-only ProtectSystem=strict PrivateTmp=yes ReadWriteDirectories=-/var/lib ReadWriteDirectories=-/var/run/bacula +PrivateDevices=yes +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 [Install] WantedBy=multi-user.target diff --git a/roles/common/files/etc/systemd/system/stunnel4@.service b/roles/common/files/etc/systemd/system/stunnel4@.service index d634e50..1a30599 100644 --- a/roles/common/files/etc/systemd/system/stunnel4@.service +++ b/roles/common/files/etc/systemd/system/stunnel4@.service @@ -1,22 +1,27 @@ [Unit] Description=SSL tunnel for network daemons (instance %i) After=network.target nss-lookup.target PartOf=stunnel4.service ReloadPropagatedFrom=stunnel4.service [Service] ExecStart=/usr/bin/stunnel4 /etc/stunnel/%i.conf ExecReload=/bin/kill -HUP ${MAINPID} KillSignal=SIGINT TimeoutStartSec=120 TimeoutStopSec=60 Restart=on-failure # Hardening NoNewPrivileges=yes PrivateDevices=yes ProtectHome=yes ProtectSystem=strict +PrivateDevices=yes +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictAddressFamilies=AF_INET AF_INET6 [Install] WantedBy=multi-user.target diff --git a/roles/lists/files/etc/systemd/system/wwsympa.service b/roles/lists/files/etc/systemd/system/wwsympa.service index 7d2440c..3f76aca 100644 --- a/roles/lists/files/etc/systemd/system/wwsympa.service +++ b/roles/lists/files/etc/systemd/system/wwsympa.service @@ -3,23 +3,29 @@ Description=WWSympa Service After=network.target PartOf=sympa.service Requires=wwsympa.socket [Service] StandardInput=socket User=sympa Group=sympa ExecStart=/usr/lib/cgi-bin/sympa/wwsympa.fcgi # Hardening NoNewPrivileges=yes PrivateDevices=yes ProtectHome=yes ProtectSystem=strict PrivateTmp=yes ReadWriteDirectories=/etc/sympa ReadWriteDirectories=/var/lib/sympa ReadWriteDirectories=-/var/run/sympa ReadWriteDirectories=/var/spool/sympa +PrivateDevices=yes +PrivateNetwork=yes +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictAddressFamilies= [Install] WantedBy=multi-user.target diff --git a/roles/munin-master/files/etc/systemd/system/munin-cgi-graph.service b/roles/munin-master/files/etc/systemd/system/munin-cgi-graph.service index c8a3609..b8e6012 100644 --- a/roles/munin-master/files/etc/systemd/system/munin-cgi-graph.service +++ b/roles/munin-master/files/etc/systemd/system/munin-cgi-graph.service @@ -1,22 +1,28 @@ [Unit] Description=Munin CGI Graph Service After=network.target PartOf=munin.service Requires=munin-cgi-graph.socket [Service] StandardInput=socket User=www-data Group=munin ExecStart=/usr/lib/munin/cgi/munin-cgi-graph # Hardening NoNewPrivileges=yes PrivateDevices=yes ProtectHome=yes ProtectSystem=strict ReadWriteDirectories=-/var/log/munin ReadWriteDirectories=-/var/lib/munin/cgi-tmp/munin-cgi-graph +PrivateDevices=yes +PrivateNetwork=yes +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictAddressFamilies= [Install] WantedBy=multi-user.target diff --git a/roles/munin-master/files/etc/systemd/system/munin-cgi-html.service b/roles/munin-master/files/etc/systemd/system/munin-cgi-html.service index 3c0c0e5..0e66b3f 100644 --- a/roles/munin-master/files/etc/systemd/system/munin-cgi-html.service +++ b/roles/munin-master/files/etc/systemd/system/munin-cgi-html.service @@ -1,21 +1,27 @@ [Unit] Description=Munin CGI HTML Service After=network.target PartOf=munin.service Requires=munin-cgi-html.socket [Service] StandardInput=socket User=www-data Group=munin ExecStart=/usr/lib/munin/cgi/munin-cgi-html # Hardening NoNewPrivileges=yes PrivateDevices=yes ProtectHome=yes ProtectSystem=strict ReadWriteDirectories=-/var/log/munin +PrivateDevices=yes +PrivateNetwork=yes +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictAddressFamilies= [Install] WantedBy=multi-user.target |