systemd.service: Tighten hardening options.

2 files changed, 10 insertions, 0 deletions

diff --git a/roles/common/files/etc/systemd/system/bacula-fd.service b/roles/common/files/etc/systemd/system/bacula-fd.service
index 192ea1b..792d964 100644
--- a/roles/common/files/etc/systemd/system/bacula-fd.service
+++ b/roles/common/files/etc/systemd/system/bacula-fd.service
@@ -1,20 +1,25 @@
 [Unit]
 Description=Bacula File Daemon service
 After=network.target
 
 [Service]
 Type=simple
 StandardOutput=syslog
 ExecStart=/usr/sbin/bacula-fd -f -c /etc/bacula/bacula-fd.conf
 
 # Hardening
 NoNewPrivileges=yes
 PrivateDevices=yes
 ProtectHome=read-only
 ProtectSystem=strict
 PrivateTmp=yes
 ReadWriteDirectories=-/var/lib
 ReadWriteDirectories=-/var/run/bacula
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 
 [Install]
 WantedBy=multi-user.target
diff --git a/roles/common/files/etc/systemd/system/stunnel4@.service b/roles/common/files/etc/systemd/system/stunnel4@.service
index d634e50..1a30599 100644
--- a/roles/common/files/etc/systemd/system/stunnel4@.service
+++ b/roles/common/files/etc/systemd/system/stunnel4@.service
@@ -1,22 +1,27 @@
 [Unit]
 Description=SSL tunnel for network daemons (instance %i)
 After=network.target nss-lookup.target
 PartOf=stunnel4.service
 ReloadPropagatedFrom=stunnel4.service
 
 [Service]
 ExecStart=/usr/bin/stunnel4 /etc/stunnel/%i.conf
 ExecReload=/bin/kill -HUP ${MAINPID}
 KillSignal=SIGINT
 TimeoutStartSec=120
 TimeoutStopSec=60
 Restart=on-failure
 
 # Hardening
 NoNewPrivileges=yes
 PrivateDevices=yes
 ProtectHome=yes
 ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_INET AF_INET6
 
 [Install]
 WantedBy=multi-user.target