diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2018-12-08 01:06:06 +0100 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2018-12-09 20:25:39 +0100 |
| commit | 6a57ea01fd48992883d6dac1b7746e79202215e4 (patch) | |
| tree | f55ae891ecf05aa19511ce1493ae8631f60826bc | |
| parent | bccbd0d4c0faf46e911284e599cc22da2c9b04d9 (diff) | |
systemd: Replace ‘ProtectSystem=full’ with ‘ProtectSystem=strict’.
And remove ‘ReadOnlyDirectories=/’ as it's implied by ‘ProtectSystem=strict’.
9 files changed, 9 insertions, 17 deletions
diff --git a/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service index ea5895c..7e790e3 100644 --- a/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service +++ b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service @@ -13,9 +13,8 @@ ExecStart=/usr/local/bin/dovecot-auth-proxy.pl # Hardening NoNewPrivileges=yes PrivateDevices=yes -ProtectSystem=full +ProtectSystem=strict ProtectHome=read-only -ReadOnlyDirectories=/ RestrictAddressFamilies= [Install] diff --git a/roles/MSA/files/etc/systemd/system/postfix-sender-login.service b/roles/MSA/files/etc/systemd/system/postfix-sender-login.service index 3ceb310..09204fa 100644 --- a/roles/MSA/files/etc/systemd/system/postfix-sender-login.service +++ b/roles/MSA/files/etc/systemd/system/postfix-sender-login.service @@ -14,8 +14,7 @@ ExecStart=/usr/local/bin/postfix-sender-login.pl NoNewPrivileges=yes PrivateDevices=yes ProtectHome=yes -ProtectSystem=full -ReadOnlyDirectories=/ +ProtectSystem=strict RestrictAddressFamilies=AF_UNIX [Install] diff --git a/roles/bacula-dir/files/etc/systemd/system/bacula-director.service b/roles/bacula-dir/files/etc/systemd/system/bacula-director.service index 8f952c6..2c09f61 100644 --- a/roles/bacula-dir/files/etc/systemd/system/bacula-director.service +++ b/roles/bacula-dir/files/etc/systemd/system/bacula-director.service @@ -14,8 +14,7 @@ ExecStart=/usr/sbin/bacula-dir -c /etc/bacula/bacula-dir.conf NoNewPrivileges=yes PrivateDevices=yes ProtectHome=yes -ProtectSystem=full -ReadOnlyDirectories=/ +ProtectSystem=strict ReadWriteDirectories=-/var/lib/bacula ReadWriteDirectories=-/var/log/bacula ReadWriteDirectories=-/var/run/bacula diff --git a/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service b/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service index 698ad17..0e27af3 100644 --- a/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service +++ b/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service @@ -14,8 +14,7 @@ ExecStart=/usr/sbin/bacula-sd -c /etc/bacula/bacula-sd.conf NoNewPrivileges=yes PrivateDevices=yes ProtectHome=yes -ProtectSystem=full -ReadOnlyDirectories=/ +ProtectSystem=strict ReadWriteDirectories=-/var/lib/bacula ReadWriteDirectories=-/var/run/bacula ReadWriteDirectories=/mnt/backup/bacula diff --git a/roles/common/files/etc/systemd/system/bacula-fd.service b/roles/common/files/etc/systemd/system/bacula-fd.service index ee5afe3..68934f1 100644 --- a/roles/common/files/etc/systemd/system/bacula-fd.service +++ b/roles/common/files/etc/systemd/system/bacula-fd.service @@ -12,9 +12,8 @@ ExecStart=/usr/sbin/bacula-fd -c /etc/bacula/bacula-fd.conf NoNewPrivileges=yes PrivateDevices=yes ProtectHome=read-only -ProtectSystem=full +ProtectSystem=strict PrivateTmp=yes -ReadOnlyDirectories=/ ReadWriteDirectories=-/var/lib ReadWriteDirectories=-/var/run/bacula diff --git a/roles/common/files/etc/systemd/system/stunnel4@.service b/roles/common/files/etc/systemd/system/stunnel4@.service index e53d29e..d634e50 100644 --- a/roles/common/files/etc/systemd/system/stunnel4@.service +++ b/roles/common/files/etc/systemd/system/stunnel4@.service @@ -16,8 +16,7 @@ Restart=on-failure NoNewPrivileges=yes PrivateDevices=yes ProtectHome=yes -ProtectSystem=full -ReadOnlyDirectories=/ +ProtectSystem=strict [Install] WantedBy=multi-user.target diff --git a/roles/lists/files/etc/systemd/system/wwsympa.service b/roles/lists/files/etc/systemd/system/wwsympa.service index 4e3d94b..cccf508 100644 --- a/roles/lists/files/etc/systemd/system/wwsympa.service +++ b/roles/lists/files/etc/systemd/system/wwsympa.service @@ -14,7 +14,7 @@ ExecStart=/usr/lib/cgi-bin/sympa/wwsympa.fcgi NoNewPrivileges=yes PrivateDevices=yes ProtectHome=yes -ProtectSystem=full +ProtectSystem=strict PrivateTmp=yes ReadOnlyDirectories=/ ReadWriteDirectories=-/var/lib/sympa diff --git a/roles/munin-master/files/etc/systemd/system/munin-cgi-graph.service b/roles/munin-master/files/etc/systemd/system/munin-cgi-graph.service index 60ab444..c8a3609 100644 --- a/roles/munin-master/files/etc/systemd/system/munin-cgi-graph.service +++ b/roles/munin-master/files/etc/systemd/system/munin-cgi-graph.service @@ -14,8 +14,7 @@ ExecStart=/usr/lib/munin/cgi/munin-cgi-graph NoNewPrivileges=yes PrivateDevices=yes ProtectHome=yes -ProtectSystem=full -ReadOnlyDirectories=/ +ProtectSystem=strict ReadWriteDirectories=-/var/log/munin ReadWriteDirectories=-/var/lib/munin/cgi-tmp/munin-cgi-graph diff --git a/roles/munin-master/files/etc/systemd/system/munin-cgi-html.service b/roles/munin-master/files/etc/systemd/system/munin-cgi-html.service index 119d3a2..3c0c0e5 100644 --- a/roles/munin-master/files/etc/systemd/system/munin-cgi-html.service +++ b/roles/munin-master/files/etc/systemd/system/munin-cgi-html.service @@ -14,8 +14,7 @@ ExecStart=/usr/lib/munin/cgi/munin-cgi-html NoNewPrivileges=yes PrivateDevices=yes ProtectHome=yes -ProtectSystem=full -ReadOnlyDirectories=/ +ProtectSystem=strict ReadWriteDirectories=-/var/log/munin [Install] |