From e40c2c999bc2f6adb461d12d6bc1417c37ab89cc Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Thu, 9 Jan 2020 09:04:26 +0530
Subject: [PATCH] systemd: Sync security options across units

Signed-off-by: Harsh Shandilya
---
 systemd_units/caddy.service | 17 +++++++++++++----
 systemd_units/daas.service | 14 ++++++++++++--
 systemd_units/gitea.service | 16 +++++++++++++---
 systemd_units/goaccess.service | 14 ++++++++++++--
 systemd_units/mirror-bot-2.service | 11 +++++++++++
 systemd_units/mirror-bot.service | 11 +++++++++++
 systemd_units/mkr-bin.service | 12 +++++++++++-
 systemd_units/uno-bot.service | 12 +++++++++++-
 systemd_units/walls-bot.service | 12 +++++++++++-
 9 files changed, 105 insertions(+), 14 deletions(-)

diff --git a/systemd_units/caddy.service b/systemd_units/caddy.service
index c6fbfa1..f14c0dd 100644
--- a/systemd_units/caddy.service
+++ b/systemd_units/caddy.service
@@ -16,14 +16,23 @@ KillSignal=SIGQUIT
 TimeoutStopSec=5s
 LimitNOFILE=1048576
 LimitNPROC=512
-PrivateTmp=true
-PrivateDevices=true
-ProtectHome=true
-ProtectSystem=full
 ReadWriteDirectories=/etc/ssl/caddy /etc/logs
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+# Security
+PrivateTmp=true
+ProtectSystem=full
+ProtectHome=true
 NoNewPrivileges=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+PrivateDevices=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=multi-user.target
diff --git a/systemd_units/daas.service b/systemd_units/daas.service
index fb98477..ed257ff 100644
--- a/systemd_units/daas.service
+++ b/systemd_units/daas.service
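Review bot: `RestrictAddressFamilies=AF_INET AF_INET6` omits AF_UNIX, so any local socket the process opens — syslog(3) to /dev/log, a local database or cache socket, or sd_notify() if a unit were Type=notify — fails with EAFNOSUPPORT, and the same list is added to all nine units in this patch. Whether caddy needs a unix socket is not visible in the hunk; for any unit that does, the line becomes `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6`, and the first failed start after deploy is the cheapest place to find out. Separately, the context line `ReadWriteDirectories=/etc/ssl/caddy /etc/logs` here and `ReadWriteDirectories=/var/lib/gitea` in gitea.service use the legacy alias; `ReadWritePaths=` is the current spelling with the same semantics, and a sync commit is the natural place to rename it.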
@@ -12,10 +12,20 @@ User=caddy
 Group=caddy
 ExecStart=/usr/local/bin/daas
 Restart=always
+
+# Security
 PrivateTmp=true
-PrivateDevices=true
-ProtectHome=true
 ProtectSystem=full
+ProtectHome=true
+NoNewPrivileges=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+PrivateDevices=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=multi-user.target
diff --git a/systemd_units/gitea.service b/systemd_units/gitea.service
index 7d34e09..2d84b46 100644
--- a/systemd_units/gitea.service
+++ b/systemd_units/gitea.service
@@ -15,12 +15,22 @@ WorkingDirectory=/var/lib/gitea/
 ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini
 Restart=always
 Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
-PrivateTmp=true
-PrivateDevices=true
-ProtectSystem=full
 ReadWriteDirectories=/var/lib/gitea
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_BIND_SERVICE
+# Security
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+PrivateDevices=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+
 
 [Install]
 WantedBy=multi-user.target
diff --git a/systemd_units/goaccess.service b/systemd_units/goaccess.service
index a1e9647..c135f92 100644
--- a/systemd_units/goaccess.service
+++ b/systemd_units/goaccess.service
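Review bot: The new sandbox block does nothing about the account daas runs as, and the context lines `User=caddy` / `Group=caddy` (the same pair appears in goaccess.service) mean it shares the web server's uid, so ProtectSystem=/ProtectHome= separate it from the host but not from caddy's own files, presumably including the TLS material under /etc/ssl/caddy that the caddy unit keeps writable. A dedicated user per service, or `DynamicUser=yes` where the service keeps no state on disk, would give the added options something to actually isolate. If sharing the account is intentional, a one-line comment above `# Security` saying so stops the next reader from re-raising it.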
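Review bot: gitea.service is the one unit in the patch that ends up with no `ProtectHome=` at all, and nothing records why; the context line `Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea` suggests it is deliberate, so a comment inside the new block such as `# ProtectHome= left unset: HOME=/home/git must stay reachable` turns the drift from the other units into a documented choice (`ProtectHome=read-only` is worth a test if gitea only reads from there). Also the trailing added empty line lands next to the blank context line that the hunk counts imply already precedes `[Install]`, giving two blank lines; the other units put their blank line before `# Security`, so moving it there keeps the nine files uniform.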
@@ -12,10 +12,20 @@ User=caddy
 Group=caddy
 ExecStart=/usr/bin/goaccess --log-format=VCOMMON --ws-url=wss://stats.msfjarvis.dev/ws --output=/var/www/stats.msfjarvis.dev/index.html --log-file=/etc/logs/requests.log --no-query-string --anonymize-ip --double-decode --real-os --compression=zlib --real-time-html
 Restart=always
+
+# Security
 PrivateTmp=true
-PrivateDevices=true
-ProtectHome=true
 ProtectSystem=full
+ProtectHome=true
+NoNewPrivileges=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+PrivateDevices=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=multi-user.target
diff --git a/systemd_units/mirror-bot-2.service b/systemd_units/mirror-bot-2.service
index 2dfaa3e..efaf063 100644
--- a/systemd_units/mirror-bot-2.service
+++ b/systemd_units/mirror-bot-2.service
@@ -13,8 +13,19 @@ ExecReload=/bin/kill -USR1 $MAINPID
 KillMode=mixed
 KillSignal=SIGQUIT
 TimeoutStopSec=5s
+
+# Security
 PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
 PrivateDevices=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=multi-user.target
diff --git a/systemd_units/mirror-bot.service b/systemd_units/mirror-bot.service
index 12cd4f0..79c4b4a 100644
--- a/systemd_units/mirror-bot.service
+++ b/systemd_units/mirror-bot.service
@@ -13,8 +13,19 @@ ExecReload=/bin/kill -USR1 $MAINPID
 KillMode=mixed
 KillSignal=SIGQUIT
 TimeoutStopSec=5s
+
+# Security
 PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
 PrivateDevices=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=multi-user.target
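Review bot: With `ProtectSystem=full` goaccess can still write anywhere outside /usr, /boot and /etc, while the ExecStart context line shows it only needs to write `--output=/var/www/stats.msfjarvis.dev/index.html` and read `--log-file=/etc/logs/requests.log`. `ProtectSystem=strict` together with `ReadWritePaths=/var/www/stats.msfjarvis.dev` pins writes to that one directory, and the same pair fits daas.service if it writes nothing (its ExecStart gives no hint either way). The `--real-time-html` WebSocket listener only needs the AF_INET/AF_INET6 families already granted, so the stricter mode should not affect it; the log under /etc stays readable under both modes.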
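Review bot: The synced block in mirror-bot-2.service — and identically in mirror-bot.service, mkr-bin.service, uno-bot.service and walls-bot.service — carries no `ProtectHome=` although the commit title promises parity with the units that set it; if the bots run out of a home directory, `ProtectHome=read-only` (or `ProtectHome=tmpfs` with one `BindPaths=` entry) is the usual compromise, and if they do not, `ProtectHome=true` belongs here as well. The choice is not visible from the hunk, so at minimum a comment recording it, e.g. `# ProtectHome= omitted: bot state lives under <home-dir placeholder>`, keeps the five bot units from silently diverging. `SystemCallArchitectures=native` is also only half of the usual pair; `SystemCallFilter=@system-service` is the companion line worth adding once each bot's runtime has been confirmed to start under it.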
diff --git a/systemd_units/mkr-bin.service b/systemd_units/mkr-bin.service
index cde823e..ea58220 100644
--- a/systemd_units/mkr-bin.service
+++ b/systemd_units/mkr-bin.service
@@ -14,9 +14,19 @@ ExecReload=/bin/kill -USR1 $MAINPID
 KillMode=mixed
 KillSignal=SIGQUIT
 TimeoutStopSec=5s
+
+# Security
 PrivateTmp=true
-PrivateDevices=true
 ProtectSystem=full
+NoNewPrivileges=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+PrivateDevices=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=multi-user.target
diff --git a/systemd_units/uno-bot.service b/systemd_units/uno-bot.service
index 7a57c9c..d4513b4 100644
--- a/systemd_units/uno-bot.service
+++ b/systemd_units/uno-bot.service
@@ -12,9 +12,19 @@ ExecReload=/bin/kill -USR1 $MAINPID
 KillMode=mixed
 KillSignal=SIGQUIT
 TimeoutStopSec=5s
+
+# Security
 PrivateTmp=true
-PrivateDevices=false
 ProtectSystem=full
+NoNewPrivileges=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+PrivateDevices=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=multi-user.target
diff --git a/systemd_units/walls-bot.service b/systemd_units/walls-bot.service
index 933491a..6e4d1fe 100644
--- a/systemd_units/walls-bot.service
+++ b/systemd_units/walls-bot.service
@@ -12,9 +12,19 @@ ExecReload=/bin/kill -USR1 $MAINPID
 KillMode=mixed
 KillSignal=SIGQUIT
 TimeoutStopSec=5s
+
+# Security
 PrivateTmp=true
-PrivateDevices=false
 ProtectSystem=full
+NoNewPrivileges=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+PrivateDevices=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=multi-user.target
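Review bot: The uno-bot hunk replaces an explicit `-PrivateDevices=false` with `+PrivateDevices=true` (walls-bot.service does the same), and an explicit false is usually there because someone once hit a problem; if either bot touches anything under /dev beyond the null/zero/random/tty nodes the private /dev still provides, it will now fail at start, so the flip wants a real start of both units rather than the sync alone. If the earlier false was only a leftover, a short note above the line, `# PrivateDevices= was false until this change; verified nothing under /dev is needed`, records that it was checked. Nothing else in either hunk shows what the bots need from /dev.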