authorGuilhem Moulin <guilhem@fripost.org>2018-12-08 01:06:06 +0100
committerGuilhem Moulin <guilhem@fripost.org>2018-12-09 20:25:39 +0100
commit6a57ea01fd48992883d6dac1b7746e79202215e4 (patch)
treef55ae891ecf05aa19511ce1493ae8631f60826bc
parentbccbd0d4c0faf46e911284e599cc22da2c9b04d9 (diff)
systemd: Replace ‘ProtectSystem=full’ with ‘ProtectSystem=strict’.
And remove ‘ReadOnlyDirectories=/’ as it's implied by ‘ProtectSystem=strict’.
-rw-r--r--roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service3
-rw-r--r--roles/MSA/files/etc/systemd/system/postfix-sender-login.service3
-rw-r--r--roles/bacula-dir/files/etc/systemd/system/bacula-director.service3
-rw-r--r--roles/bacula-sd/files/etc/systemd/system/bacula-sd.service3
-rw-r--r--roles/common/files/etc/systemd/system/bacula-fd.service3
-rw-r--r--roles/common/files/etc/systemd/system/stunnel4@.service3
-rw-r--r--roles/lists/files/etc/systemd/system/wwsympa.service2
-rw-r--r--roles/munin-master/files/etc/systemd/system/munin-cgi-graph.service3
-rw-r--r--roles/munin-master/files/etc/systemd/system/munin-cgi-html.service3
9 files changed, 9 insertions, 17 deletions
diff --git a/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service
index ea5895c..7e790e3 100644
--- a/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service
+++ b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service
@@ -1,23 +1,22 @@
[Unit]
Description=Dovecot authentication proxy
After=dovecot.target
Requires=dovecot-auth-proxy.socket
[Service]
User=vmail
Group=vmail
StandardInput=null
SyslogFacility=mail
ExecStart=/usr/local/bin/dovecot-auth-proxy.pl
# Hardening
NoNewPrivileges=yes
PrivateDevices=yes
-ProtectSystem=full
+ProtectSystem=strict
ProtectHome=read-only
-ReadOnlyDirectories=/
RestrictAddressFamilies=
[Install]
WantedBy=multi-user.target
Also=postfix-sender-login.socket
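Review bot: `RestrictAddressFamilies=` with an empty value (the last hardening line of this unit) is documented by systemd as undoing any earlier address-family restriction, not as denying every family, so after this commit the proxy still has no socket-family restriction at all. If the script only needs the socket-activated fd plus a local connection to dovecot, spell out the allow-list, e.g. `RestrictAddressFamilies=AF_UNIX`, as postfix-sender-login.service in this same commit does. Separately, `Also=postfix-sender-login.socket` in this unit's [Install] section looks like a copy-paste from that service and should presumably be `Also=dovecot-auth-proxy.socket`, matching the `Requires=` line above. Neither line is introduced here, but both survive unchanged on the new side.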
diff --git a/roles/MSA/files/etc/systemd/system/postfix-sender-login.service b/roles/MSA/files/etc/systemd/system/postfix-sender-login.service
index 3ceb310..09204fa 100644
--- a/roles/MSA/files/etc/systemd/system/postfix-sender-login.service
+++ b/roles/MSA/files/etc/systemd/system/postfix-sender-login.service
@@ -1,23 +1,22 @@
[Unit]
Description=Postfix sender login socketmap
After=mail-transport-agent.target
Requires=postfix-sender-login.socket
[Service]
User=postfix
Group=postfix
StandardInput=null
SyslogFacility=mail
ExecStart=/usr/local/bin/postfix-sender-login.pl
# Hardening
NoNewPrivileges=yes
PrivateDevices=yes
ProtectHome=yes
-ProtectSystem=full
-ReadOnlyDirectories=/
+ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX
[Install]
WantedBy=multi-user.target
Also=postfix-sender-login.socket
diff --git a/roles/bacula-dir/files/etc/systemd/system/bacula-director.service b/roles/bacula-dir/files/etc/systemd/system/bacula-director.service
index 8f952c6..2c09f61 100644
--- a/roles/bacula-dir/files/etc/systemd/system/bacula-director.service
+++ b/roles/bacula-dir/files/etc/systemd/system/bacula-director.service
@@ -1,24 +1,23 @@
[Unit]
Description=Bacula Director service
After=network.target
[Service]
Type=forking
PIDFile=/var/run/bacula/bacula-dir.9101.pid
StandardOutput=syslog
User=bacula
Group=bacula
ExecStart=/usr/sbin/bacula-dir -c /etc/bacula/bacula-dir.conf
# Hardening
NoNewPrivileges=yes
PrivateDevices=yes
ProtectHome=yes
-ProtectSystem=full
-ReadOnlyDirectories=/
+ProtectSystem=strict
ReadWriteDirectories=-/var/lib/bacula
ReadWriteDirectories=-/var/log/bacula
ReadWriteDirectories=-/var/run/bacula
[Install]
WantedBy=multi-user.target
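Review bot: With `ProtectSystem=strict` now covering /run as well, the director depends entirely on `ReadWriteDirectories=-/var/run/bacula` for its `PIDFile=`, and the `-` prefix makes a missing directory silently ignored, so on a fresh boot with a tmpfs /run the pid-file write will fail unless something else pre-creates that directory. `RuntimeDirectory=bacula` would create /run/bacula owned by the unit's User/Group at start (I believe systemd ≥ 235 also adds it to the writable set under strict mode, worth confirming for the target release), and the pid path could then be `PIDFile=/run/bacula/bacula-dir.9101.pid`. Since the commit is modernising the hardening lines anyway, `ReadWriteDirectories=` is the pre-v231 spelling and `ReadWritePaths=` would match the current documentation.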
diff --git a/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service b/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service
index 698ad17..0e27af3 100644
--- a/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service
+++ b/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service
@@ -1,24 +1,23 @@
[Unit]
Description=Bacula Storage Daemon service
After=network.target
[Service]
Type=forking
PIDFile=/var/run/bacula/bacula-sd.9103.pid
StandardOutput=syslog
User=bacula
Group=tape
ExecStart=/usr/sbin/bacula-sd -c /etc/bacula/bacula-sd.conf
# Hardening
NoNewPrivileges=yes
PrivateDevices=yes
ProtectHome=yes
-ProtectSystem=full
-ReadOnlyDirectories=/
+ProtectSystem=strict
ReadWriteDirectories=-/var/lib/bacula
ReadWriteDirectories=-/var/run/bacula
ReadWriteDirectories=/mnt/backup/bacula
[Install]
WantedBy=multi-user.target
diff --git a/roles/common/files/etc/systemd/system/bacula-fd.service b/roles/common/files/etc/systemd/system/bacula-fd.service
index ee5afe3..68934f1 100644
--- a/roles/common/files/etc/systemd/system/bacula-fd.service
+++ b/roles/common/files/etc/systemd/system/bacula-fd.service
@@ -1,22 +1,21 @@
[Unit]
Description=Bacula File Daemon service
After=network.target
[Service]
Type=forking
PIDFile=/var/run/bacula/bacula-fd.9102.pid
StandardOutput=syslog
ExecStart=/usr/sbin/bacula-fd -c /etc/bacula/bacula-fd.conf
# Hardening
NoNewPrivileges=yes
PrivateDevices=yes
ProtectHome=read-only
-ProtectSystem=full
+ProtectSystem=strict
PrivateTmp=yes
-ReadOnlyDirectories=/
ReadWriteDirectories=-/var/lib
ReadWriteDirectories=-/var/run/bacula
[Install]
WantedBy=multi-user.target
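Review bot: `ReadWriteDirectories=-/var/lib` grants write access to all of /var/lib to a daemon that runs as root here (no `User=`), which is much broader than the `/var/lib/bacula` the director and storage units in this commit use. If the grant only covers the file daemon's own state, narrowing it to `ReadWriteDirectories=-/var/lib/bacula` keeps every other service's state under the read-only strict mount; if it is deliberately wide so restores can land anywhere under /var/lib, a comment such as `# /var/lib is writable so restores can target other services' state` would stop the next reader from tightening it. The same missing-directory concern applies to `-/var/run/bacula` and the `PIDFile=` under it on a tmpfs /run.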
diff --git a/roles/common/files/etc/systemd/system/stunnel4@.service b/roles/common/files/etc/systemd/system/stunnel4@.service
index e53d29e..d634e50 100644
--- a/roles/common/files/etc/systemd/system/stunnel4@.service
+++ b/roles/common/files/etc/systemd/system/stunnel4@.service
@@ -1,23 +1,22 @@
[Unit]
Description=SSL tunnel for network daemons (instance %i)
After=network.target nss-lookup.target
PartOf=stunnel4.service
ReloadPropagatedFrom=stunnel4.service
[Service]
ExecStart=/usr/bin/stunnel4 /etc/stunnel/%i.conf
ExecReload=/bin/kill -HUP ${MAINPID}
KillSignal=SIGINT
TimeoutStartSec=120
TimeoutStopSec=60
Restart=on-failure
# Hardening
NoNewPrivileges=yes
PrivateDevices=yes
ProtectHome=yes
-ProtectSystem=full
-ReadOnlyDirectories=/
+ProtectSystem=strict
[Install]
WantedBy=multi-user.target
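Review bot: This instance unit has no `ReadWriteDirectories=` or `RuntimeDirectory=` line, so under `ProtectSystem=strict` the whole tree including /run is read-only for stunnel, which runs as root here (no `User=`). If any `/etc/stunnel/%i.conf` sets a `pid =` path or otherwise writes at startup, the instance will fail once strict mode is in effect; `RuntimeDirectory=stunnel4` would provide a writable /run/stunnel4 for that. If the configs are known to write nothing, a one-line comment such as `# No ReadWritePaths=: the stunnel configs write no pid or log files` records that the strict mount was checked against them.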
diff --git a/roles/lists/files/etc/systemd/system/wwsympa.service b/roles/lists/files/etc/systemd/system/wwsympa.service
index 4e3d94b..cccf508 100644
--- a/roles/lists/files/etc/systemd/system/wwsympa.service
+++ b/roles/lists/files/etc/systemd/system/wwsympa.service
@@ -1,25 +1,25 @@
[Unit]
Description=WWSympa Service
After=network.target
PartOf=sympa.service
Requires=wwsympa.socket
[Service]
StandardInput=socket
User=sympa
Group=sympa
ExecStart=/usr/lib/cgi-bin/sympa/wwsympa.fcgi
# Hardening
NoNewPrivileges=yes
PrivateDevices=yes
ProtectHome=yes
-ProtectSystem=full
+ProtectSystem=strict
PrivateTmp=yes
ReadOnlyDirectories=/
ReadWriteDirectories=-/var/lib/sympa
ReadWriteDirectories=-/var/run/sympa
ReadWriteDirectories=-/var/spool/sympa
[Install]
WantedBy=multi-user.target
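Review bot: `ReadOnlyDirectories=/` is still present in this unit (the line after `PrivateTmp=yes`) even though the commit description removes it everywhere else as implied by `ProtectSystem=strict`, and the diffstat confirms this is the one file with only one deletion. It is harmless but now redundant and contradicts the description; drop the line so all nine units read the same way, or add a comment saying why this one keeps it.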
diff --git a/roles/munin-master/files/etc/systemd/system/munin-cgi-graph.service b/roles/munin-master/files/etc/systemd/system/munin-cgi-graph.service
index 60ab444..c8a3609 100644
--- a/roles/munin-master/files/etc/systemd/system/munin-cgi-graph.service
+++ b/roles/munin-master/files/etc/systemd/system/munin-cgi-graph.service
@@ -1,23 +1,22 @@
[Unit]
Description=Munin CGI Graph Service
After=network.target
PartOf=munin.service
Requires=munin-cgi-graph.socket
[Service]
StandardInput=socket
User=www-data
Group=munin
ExecStart=/usr/lib/munin/cgi/munin-cgi-graph
# Hardening
NoNewPrivileges=yes
PrivateDevices=yes
ProtectHome=yes
-ProtectSystem=full
-ReadOnlyDirectories=/
+ProtectSystem=strict
ReadWriteDirectories=-/var/log/munin
ReadWriteDirectories=-/var/lib/munin/cgi-tmp/munin-cgi-graph
[Install]
WantedBy=multi-user.target
diff --git a/roles/munin-master/files/etc/systemd/system/munin-cgi-html.service b/roles/munin-master/files/etc/systemd/system/munin-cgi-html.service
index 119d3a2..3c0c0e5 100644
--- a/roles/munin-master/files/etc/systemd/system/munin-cgi-html.service
+++ b/roles/munin-master/files/etc/systemd/system/munin-cgi-html.service
@@ -1,22 +1,21 @@
[Unit]
Description=Munin CGI HTML Service
After=network.target
PartOf=munin.service
Requires=munin-cgi-html.socket
[Service]
StandardInput=socket
User=www-data
Group=munin
ExecStart=/usr/lib/munin/cgi/munin-cgi-html
# Hardening
NoNewPrivileges=yes
PrivateDevices=yes
ProtectHome=yes
-ProtectSystem=full
-ReadOnlyDirectories=/
+ProtectSystem=strict
ReadWriteDirectories=-/var/log/munin
[Install]
WantedBy=multi-user.target