
79f9857503c5d3ca6fb9f0c11fd125b6a27a1e20 — Justin Ludwig 11 months ago 6b0f034
additional systemd service hardening
1 files changed, 69 insertions(+), 0 deletions(-)

M etc/systemd.service => etc/systemd.service +69 -0
@@ 10,13 10,23 @@ ConfigurationDirectory=procustodibus/broker
LogsDirectory=procustodibus/broker
ExecStart=/opt/venvs/procustodibus-broker/bin/procustodibus-broker --loop=120

# DEFAULTS
# must have access to API endpoints
IPAddressAllow=any
# must use host network namespace for syslog pipes
PrivateNetwork=no
# must have access to filesystem for file pipes
# RootDirectory=/

# HARDENING
DevicePolicy=closed
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateUsers=yes
PrivateTmp=yes
ProcSubset=pid
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes


@@ 24,6 34,7 @@ ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
RemoveIPC=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX


@@ 31,6 42,64 @@ RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
UMask=0027

CapabilityBoundingSet=~CAP_AUDIT_CONTROL
CapabilityBoundingSet=~CAP_AUDIT_READ
CapabilityBoundingSet=~CAP_AUDIT_WRITE
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND
CapabilityBoundingSet=~CAP_BPF
CapabilityBoundingSet=~CAP_CHECKPOINT_RESTORE
CapabilityBoundingSet=~CAP_CHOWN
CapabilityBoundingSet=~CAP_DAC_OVERRIDE
CapabilityBoundingSet=~CAP_DAC_READ_SEARCH
CapabilityBoundingSet=~CAP_FOWNER
CapabilityBoundingSet=~CAP_FSETID
CapabilityBoundingSet=~CAP_IPC_LOCK
CapabilityBoundingSet=~CAP_IPC_OWNER
CapabilityBoundingSet=~CAP_KILL
CapabilityBoundingSet=~CAP_LEASE
CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE
CapabilityBoundingSet=~CAP_MAC_ADMIN
CapabilityBoundingSet=~CAP_MAC_OVERRIDE
CapabilityBoundingSet=~CAP_MKNOD
CapabilityBoundingSet=~CAP_NET_ADMIN
CapabilityBoundingSet=~CAP_NET_BIND_SERVICE
CapabilityBoundingSet=~CAP_NET_BROADCAST
CapabilityBoundingSet=~CAP_NET_RAW
CapabilityBoundingSet=~CAP_PERFMON
CapabilityBoundingSet=~CAP_SETFCAP
CapabilityBoundingSet=~CAP_SETGID
CapabilityBoundingSet=~CAP_SETPCAP
CapabilityBoundingSet=~CAP_SETUID
CapabilityBoundingSet=~CAP_SYS_ADMIN
CapabilityBoundingSet=~CAP_SYS_BOOT
CapabilityBoundingSet=~CAP_SYS_CHROOT
CapabilityBoundingSet=~CAP_SYS_MODULE
CapabilityBoundingSet=~CAP_SYS_NICE
CapabilityBoundingSet=~CAP_SYS_PACCT
CapabilityBoundingSet=~CAP_SYS_PTRACE
CapabilityBoundingSet=~CAP_SYS_RAWIO
CapabilityBoundingSet=~CAP_SYS_RESOURCE
CapabilityBoundingSet=~CAP_SYS_TIME
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
CapabilityBoundingSet=~CAP_SYSLOG
CapabilityBoundingSet=~CAP_WAKE_ALARM

SystemCallFilter=~@clock
SystemCallFilter=~@cpu-emulation
SystemCallFilter=~@debug
SystemCallFilter=~@module
SystemCallFilter=~@mount
SystemCallFilter=~@obsolete
SystemCallFilter=~@pkey
SystemCallFilter=~@privileged
SystemCallFilter=~@raw-io
SystemCallFilter=~@reboot
SystemCallFilter=~@resources
SystemCallFilter=~@sandbox
SystemCallFilter=~@setuid
SystemCallFilter=~@swap

[Install]
WantedBy=default.target
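Review bot: The 41 `CapabilityBoundingSet=~` lines enumerate every capability the kernel currently defines, so the net result is an empty bounding set; the idiomatic and future-proof form is the single empty assignment `CapabilityBoundingSet=`, which resets the set to nothing and also covers capabilities added in later kernels that a hand-maintained denylist would silently leave in place. The `SystemCallFilter=~@…` block has the same shape problem: a denylist of groups permits any syscall outside the listed groups, whereas the allowlist idiom `SystemCallFilter=@system-service` followed by `SystemCallFilter=~@privileged @resources` starts from what a daemon needs, and several of the listed groups (`@clock`, `@module`, `@reboot`, `@swap`) are already contained in `@privileged`. Consider also adding `SystemCallErrorNumber=EPERM` so that a filtered call surfaces as a Python exception and a journal line instead of the default SIGSYS kill, which makes a filter mismatch far easier to diagnose. Whether the unit runs as an unprivileged `User=` is outside this hunk, so the practical effect of the capability set cannot be confirmed from here.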