systemd.service: Tighten hardening options.

author: Guilhem Moulin <guilhem@fripost.org> 2018-12-09 18:15:10 +0100
committer: Guilhem Moulin <guilhem@fripost.org> 2018-12-09 20:25:40 +0100
commit: 2147ff3bd9091b88960e2243b2d7d76d03cadc89 (patch)
tree: fa970590ab58a1d42913deccbca3adef05eaae83 /roles/bacula-dir
parent: 2845af5f76ad3be9c0a1f69ab478ff5a08346a4c (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/roles/bacula-dir/files/etc/systemd/system/bacula-director.service b/roles/bacula-dir/files/etc/systemd/system/bacula-director.service
index ba943ce..4873689 100644
--- a/roles/bacula-dir/files/etc/systemd/system/bacula-director.service
+++ b/roles/bacula-dir/files/etc/systemd/system/bacula-director.service
@@ -1,22 +1,27 @@
 [Unit]
 Description=Bacula Director service
 After=network.target
 
 [Service]
 Type=simple
 StandardOutput=syslog
 User=bacula
 Group=bacula
 ExecStart=/usr/sbin/bacula-dir -f -c /etc/bacula/bacula-dir.conf
 
 # Hardening
 NoNewPrivileges=yes
 PrivateDevices=yes
 ProtectHome=yes
 ProtectSystem=strict
 ReadWriteDirectories=-/var/lib/bacula
 ReadWriteDirectories=-/var/log/bacula
 ReadWriteDirectories=-/var/run/bacula
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 
 [Install]
 WantedBy=multi-user.target
author	Guilhem Moulin <guilhem@fripost.org>	2018-12-09 18:15:10 +0100
committer	Guilhem Moulin <guilhem@fripost.org>	2018-12-09 20:25:40 +0100
commit	2147ff3bd9091b88960e2243b2d7d76d03cadc89 (patch)
tree	fa970590ab58a1d42913deccbca3adef05eaae83 /roles/bacula-dir
parent	2845af5f76ad3be9c0a1f69ab478ff5a08346a4c (diff)