summaryrefslogtreecommitdiffstats
path: root/roles/bacula-dir/files/etc/systemd/system/bacula-director.service
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2018-12-09 18:15:10 +0100
committerGuilhem Moulin <guilhem@fripost.org>2018-12-09 20:25:40 +0100
commit2147ff3bd9091b88960e2243b2d7d76d03cadc89 (patch)
treefa970590ab58a1d42913deccbca3adef05eaae83 /roles/bacula-dir/files/etc/systemd/system/bacula-director.service
parent2845af5f76ad3be9c0a1f69ab478ff5a08346a4c (diff)
systemd.service: Tighten hardening options.
Diffstat (limited to 'roles/bacula-dir/files/etc/systemd/system/bacula-director.service')
-rw-r--r--roles/bacula-dir/files/etc/systemd/system/bacula-director.service5
1 files changed, 5 insertions, 0 deletions
diff --git a/roles/bacula-dir/files/etc/systemd/system/bacula-director.service b/roles/bacula-dir/files/etc/systemd/system/bacula-director.service
index ba943ce..4873689 100644
--- a/roles/bacula-dir/files/etc/systemd/system/bacula-director.service
+++ b/roles/bacula-dir/files/etc/systemd/system/bacula-director.service
@@ -17,6 +17,11 @@ ProtectSystem=strict
ReadWriteDirectories=-/var/lib/bacula
ReadWriteDirectories=-/var/log/bacula
ReadWriteDirectories=-/var/run/bacula
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
[Install]
WantedBy=multi-user.target