diff options
Diffstat (limited to 'roles/common/files/etc/systemd/system')
| -rw-r--r-- | roles/common/files/etc/systemd/system/bacula-fd.service | 5 | ||||
| -rw-r--r-- | roles/common/files/etc/systemd/system/stunnel4@.service | 5 |
2 files changed, 10 insertions, 0 deletions
diff --git a/roles/common/files/etc/systemd/system/bacula-fd.service b/roles/common/files/etc/systemd/system/bacula-fd.service index 192ea1b..792d964 100644 --- a/roles/common/files/etc/systemd/system/bacula-fd.service +++ b/roles/common/files/etc/systemd/system/bacula-fd.service @@ -1,20 +1,25 @@ [Unit] Description=Bacula File Daemon service After=network.target [Service] Type=simple StandardOutput=syslog ExecStart=/usr/sbin/bacula-fd -f -c /etc/bacula/bacula-fd.conf # Hardening NoNewPrivileges=yes PrivateDevices=yes ProtectHome=read-only ProtectSystem=strict PrivateTmp=yes ReadWriteDirectories=-/var/lib ReadWriteDirectories=-/var/run/bacula +PrivateDevices=yes +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 [Install] WantedBy=multi-user.target diff --git a/roles/common/files/etc/systemd/system/stunnel4@.service b/roles/common/files/etc/systemd/system/stunnel4@.service index d634e50..1a30599 100644 --- a/roles/common/files/etc/systemd/system/stunnel4@.service +++ b/roles/common/files/etc/systemd/system/stunnel4@.service @@ -1,22 +1,27 @@ [Unit] Description=SSL tunnel for network daemons (instance %i) After=network.target nss-lookup.target PartOf=stunnel4.service ReloadPropagatedFrom=stunnel4.service [Service] ExecStart=/usr/bin/stunnel4 /etc/stunnel/%i.conf ExecReload=/bin/kill -HUP ${MAINPID} KillSignal=SIGINT TimeoutStartSec=120 TimeoutStopSec=60 Restart=on-failure # Hardening NoNewPrivileges=yes PrivateDevices=yes ProtectHome=yes ProtectSystem=strict +PrivateDevices=yes +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictAddressFamilies=AF_INET AF_INET6 [Install] WantedBy=multi-user.target |