From dac2c07d102d14d68f65736826a51c9876982bca Mon Sep 17 00:00:00 2001
From: Hunter Peavey
Date: Thu, 28 Jan 2021 23:55:53 -0800
Subject: [PATCH] Add postgrey service hardening

---
 postgrey.service.d/hardening.conf | 70 +++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 postgrey.service.d/hardening.conf

diff --git a/postgrey.service.d/hardening.conf b/postgrey.service.d/hardening.conf
new file mode 100644
index 0000000..6ca3f73
--- /dev/null
+++ b/postgrey.service.d/hardening.conf
@@ -0,0 +1,70 @@
+[Service]
+##############
+# Networking #
+##############
+
+PrivateNetwork=yes
+RestrictAddressFamilies=AF_UNIX
+IPAccounting=yes
+# IPAddressAllow= service does not require access to any IP addresses
+IPAddressDeny=any
+
+###############
+# File system #
+###############
+# Note that the effect of these settings may be undone by privileged processes. In order to
+# set up an effective sandboxed environment for a unit it is thus recommended to combine
+# these settings with either CapabilityBoundingSet=~CAP_SYS_ADMIN or
+# SystemCallFilter=~@mount.
+
+ProtectHome=yes
+ProtectSystem=strict
+ReadWritePaths=-/etc/postfix -/var/spool/postfix/postgrey -/run/postgrey
+PrivateTmp=yes
+
+###################
+# User separation #
+###################
+
+# PrivateUsers= service runs as root
+# DynamicUser= service runs as root
+
+###########
+# Devices #
+###########
+
+PrivateDevices=yes
+# DeviceAllow=/dev/exampledevice
+
+##########
+# Kernel #
+##########
+
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+
+########
+# Misc #
+########
+
+CapabilityBoundingSet=
+# AmbientCapabilities= service runs as root
+NoNewPrivileges=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+# RemoveIPC= service runs as root
+
+################
+# System calls #
+################
+
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources @privileged
+SystemCallArchitectures=native
-- 
2.45.2
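Review bot: The comments under "User separation" say the service runs as root, yet `CapabilityBoundingSet=` is emptied and `SystemCallFilter=~@resources @privileged` removes the setuid/setgid family along with chown; if postgrey drops to its own user itself (as its usual --user/--group options do) that privilege drop would be denied inside this sandbox, and the unit would either fail or keep running as root, which deserves a test before merging. The cleaner fix is to let systemd do the drop (`User=postgrey` plus `DynamicUser=` or `PrivateUsers=yes` instead of the commented-out lines) so the empty bounding set and the @privileged exclusion become safe; otherwise keep `CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_CHOWN` and do not exclude @privileged. `ReadWritePaths=-/etc/postfix` also grants write access to the Postfix configuration directory, which greylisting should not need; `ReadOnlyPaths=-/etc/postfix` (or dropping it, since ProtectSystem=strict already exposes /etc read-only) would be the least-privilege choice. Finally, `PrivateNetwork=yes` with `RestrictAddressFamilies=AF_UNIX` only works if postgrey is configured to listen on a unix socket under /run/postgrey rather than the common `--inet` TCP port, so a comment stating that prerequisite next to PrivateNetwork= would save the next maintainer a broken deployment.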