From 3c0043ed1ba5c2bccb62617c82f4c9fceb9ebfdf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com>
Date: Sun, 9 Apr 2023 23:45:39 +0200
Subject: [PATCH] cleaning

---
 conf/systemd.service | 34 ++++++++++++++++++++++++++++++++++
 doc/ADMIN.md | 3 ---
 doc/ADMIN_fr.md | 3 ---
 doc/DESCRIPTION.md | 2 +-
 doc/DESCRIPTION_fr.md | 2 +-
 doc/POST_INSTALL.md | 7 -------
 6 files changed, 36 insertions(+), 15 deletions(-)
 delete mode 100644 doc/ADMIN.md
 delete mode 100644 doc/ADMIN_fr.md
 delete mode 100644 doc/POST_INSTALL.md

diff --git a/conf/systemd.service b/conf/systemd.service
index dd7a987..70d2cd9 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -13,5 +13,39 @@ ExecStop=/bin/bash stop_xwiki.sh
 Restart=always
 RestartSec=10
 
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target
diff --git a/doc/ADMIN.md b/doc/ADMIN.md
deleted file mode 100644
index c9b5225..0000000
--- a/doc/ADMIN.md
+++ /dev/null
@@ -1,3 +0,0 @@
-This is a dummy admin doc for this app
-
-The app install dir is `__INSTALL_DIR__`
diff --git a/doc/ADMIN_fr.md b/doc/ADMIN_fr.md
deleted file mode 100644
index a138028..0000000
--- a/doc/ADMIN_fr.md
+++ /dev/null
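Review bot: `CAP_RAWIO` on the first `CapabilityBoundingSet=` line of the conf/systemd.service hunk is not a capability name from the capabilities(7) page the comment links to; the raw I/O capability is `CAP_SYS_RAWIO`. systemd most likely logs a parse warning and skips the unknown name, so that capability would stay in the bounding set even though the line reads as if it were dropped. The line should be `CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_MKNOD`. Because the `[Service]` section starts outside the hunk, the effect of `ProtectSystem=full` and the `SystemCallFilter=` deny list on the start and stop scripts cannot be judged from here. Running `systemd-analyze security` on the installed unit and checking the journal for parse warnings after a restart would confirm that every directive was accepted.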
@@ -1,3 +0,0 @@
-Ceci est une fausse doc d'admin pour cette app
-
-Le dossier d'install de l'app est `__INSTALL_DIR__`
diff --git a/doc/DESCRIPTION.md b/doc/DESCRIPTION.md
index 3f2e57a..694fcd4 100644
--- a/doc/DESCRIPTION.md
+++ b/doc/DESCRIPTION.md
@@ -1 +1 @@
-This is a dummy description of this app features
+XWiki is an Open Source wiki engine (LGPLv2) suitable for use by workgroups (associations, companies, etc.). The software allows the rapid creation of small applications to meet different information management needs.
\ No newline at end of file
diff --git a/doc/DESCRIPTION_fr.md b/doc/DESCRIPTION_fr.md
index 13f4b64..8ab7192 100644
--- a/doc/DESCRIPTION_fr.md
+++ b/doc/DESCRIPTION_fr.md
@@ -1 +1 @@
-Ceci est une fausse description des fonctionalités de l'app
+XWiki est un moteur de wiki Open Source (LGPLv2) adapté à un usage pour des groupes de travail (associations, entreprises…). Le logiciel permet la création rapide de petites applications pour répondre à différents besoins de gestion de l'information.
\ No newline at end of file
diff --git a/doc/POST_INSTALL.md b/doc/POST_INSTALL.md
deleted file mode 100644
index f367b62..0000000
--- a/doc/POST_INSTALL.md
+++ /dev/null
@@ -1,7 +0,0 @@
-This is a dummy disclaimer to display after the install
-
-The app url is `__DOMAIN____PATH__`
-
-The app install dir is `__INSTALL_DIR__`
-
-The app id is `__ID__`