mirror of
https://github.com/YunoHost-Apps/scrutiny_ynh.git
synced 2024-09-03 20:16:24 +02:00
Harden the security of the systemd services
This commit is contained in:
ewilly
parent
325a131e15
commit
1dbed54860
2 changed files with 58 additions and 31 deletions
|
|
@ -14,26 +14,39 @@ Restart=no
|
||||||
StandardOutput=append:/var/log/__APP__/__APP__-collector.log
|
StandardOutput=append:/var/log/__APP__/__APP__-collector.log
|
||||||
StandardError=inherit
|
StandardError=inherit
|
||||||
|
|
||||||
NoNewPrivileges=true
|
# Sandboxing options to harden security
|
||||||
SystemCallArchitectures=native
|
# Depending on specificities of your service/app, you may need to tweak these
|
||||||
|
# .. but this should be a good baseline
|
||||||
|
# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
|
||||||
|
NoNewPrivileges=yes
|
||||||
PrivateTmp=yes
|
PrivateTmp=yes
|
||||||
ProtectHome=yes
|
#PrivateDevices=yes
|
||||||
#ProtectSystem=strict
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
||||||
ProtectKernelTunables=yes
|
|
||||||
ProtectKernelModules=yes
|
|
||||||
ProtectKernelLogs=yes
|
|
||||||
ProtectControlGroups=yes
|
|
||||||
ProtectHostname=yes
|
|
||||||
RestrictAddressFamilies=AF_INET AF_INET6
|
|
||||||
RestrictNamespaces=yes
|
RestrictNamespaces=yes
|
||||||
LockPersonality=yes
|
|
||||||
MemoryDenyWriteExecute=yes
|
|
||||||
RestrictRealtime=yes
|
RestrictRealtime=yes
|
||||||
RestrictSUIDSGID=yes
|
#DevicePolicy=closed
|
||||||
RemoveIPC=yes
|
#ProtectClock=yes # smartctl apparently doesn't function properly with this protection in place
|
||||||
|
ProtectHostname=yes
|
||||||
|
ProtectProc=invisible
|
||||||
|
ProtectSystem=full
|
||||||
|
ProtectControlGroups=yes
|
||||||
|
ProtectKernelModules=yes
|
||||||
|
ProtectKernelTunables=yes
|
||||||
|
LockPersonality=yes
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
|
||||||
|
|
||||||
# smartctl apparently doesn't function properly with this protection in place
|
# Denying access to capabilities that should not be relevant for webapps
|
||||||
#ProtectClock=yes
|
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
|
||||||
|
CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
|
||||||
|
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
|
||||||
|
CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
|
||||||
|
CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
|
||||||
|
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
|
||||||
|
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
|
||||||
|
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
|
||||||
|
CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
|
||||||
|
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
|
|
||||||
|
|
@ -15,25 +15,39 @@ RestartSec=10s
|
||||||
StandardOutput=append:/var/log/__APP__/__APP__-web-server.log
|
StandardOutput=append:/var/log/__APP__/__APP__-web-server.log
|
||||||
StandardError=inherit
|
StandardError=inherit
|
||||||
|
|
||||||
|
# Sandboxing options to harden security
|
||||||
|
# Depending on specificities of your service/app, you may need to tweak these
|
||||||
|
# .. but this should be a good baseline
|
||||||
|
# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
|
||||||
NoNewPrivileges=yes
|
NoNewPrivileges=yes
|
||||||
ProtectHome=yes
|
|
||||||
#ProtectSystem=strict
|
|
||||||
PrivateTmp=yes
|
PrivateTmp=yes
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
ProtectKernelTunables=yes
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
||||||
ProtectKernelModules=yes
|
RestrictNamespaces=yes
|
||||||
ProtectKernelLogs=yes
|
RestrictRealtime=yes
|
||||||
ProtectControlGroups=yes
|
DevicePolicy=closed
|
||||||
ProtectHostname=yes
|
|
||||||
ProtectClock=yes
|
ProtectClock=yes
|
||||||
RestrictAddressFamilies=AF_INET AF_INET6
|
ProtectHostname=yes
|
||||||
RestrictNamespaces=true
|
ProtectProc=invisible
|
||||||
LockPersonality=true
|
ProtectSystem=full
|
||||||
MemoryDenyWriteExecute=true
|
ProtectControlGroups=yes
|
||||||
RestrictRealtime=true
|
ProtectKernelModules=yes
|
||||||
RestrictSUIDSGID=true
|
ProtectKernelTunables=yes
|
||||||
RemoveIPC=true
|
LockPersonality=yes
|
||||||
CapabilityBoundingSet=
|
SystemCallArchitectures=native
|
||||||
|
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
|
||||||
|
|
||||||
|
# Denying access to capabilities that should not be relevant for webapps
|
||||||
|
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
|
||||||
|
CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
|
||||||
|
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
|
||||||
|
CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
|
||||||
|
CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
|
||||||
|
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
|
||||||
|
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
|
||||||
|
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
|
||||||
|
CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
|
||||||
|
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue