Accepting request 914367 from home:jsegitz:branches:systemdhardening:systemsmanagement

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/914367 OBS-URL: https://build.opensuse.org/package/show/systemsmanagement/cfengine?expand=0&rev=195
2021-08-30 14:38:45 +00:00 · 2021-08-30 14:38:45 +00:00 · ab42e2775f
commit ab42e2775f
parent 2d9a111f22
13 changed files with 264 additions and 0 deletions
--- a/cf-execd.service
+++ b/cf-execd.service
@ -3,6 +3,19 @@ Description=CFEngine Execution Daemon
 After=syslog.target

 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 Type=forking
 ExecStart=/usr/bin/cf-execd

--- a/cf-monitord.service
+++ b/cf-monitord.service
@ -3,6 +3,19 @@ Description=CFEngine Monitoring Daemon
 After=syslog.target

 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 Type=forking
 ExecStart=/usr/bin/cf-monitord

--- a/cf-serverd.service
+++ b/cf-serverd.service
@ -3,6 +3,19 @@ Description=CFEngine Server Daemon
 After=syslog.target

 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 Type=forking
 ExecStart=/usr/bin/cf-serverd

--- a/cfengine.changes
+++ b/cfengine.changes
@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Wed Aug 25 15:25:36 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s). Added patch(es):
+  * harden_cf-apache.service.patch
+  * harden_cf-execd.service.patch
+  * harden_cf-hub.service.patch
+  * harden_cf-monitord.service.patch
+  * harden_cf-postgres.service.patch
+  * harden_cf-runalerts.service.patch
+  * harden_cf-serverd.service.patch
+  * harden_cfengine3.service.patch
+  Modified:
+  * cf-execd.service
+  * cf-monitord.service
+  * cf-serverd.service
+
 -------------------------------------------------------------------
 Sun Apr 18 02:27:07 UTC 2021 - Ferdinand Thiessen <rpm@fthiessen.de>

--- a/cfengine.spec
+++ b/cfengine.spec
@ -57,6 +57,14 @@ Source16:       cf-execd
 Source17:       cf-serverd
 Source20:       %{name}.cron
 Source21:       %{name}-rpmlintrc
+Patch0:         harden_cf-apache.service.patch
+Patch1:         harden_cf-execd.service.patch
+Patch2:         harden_cf-hub.service.patch
+Patch3:         harden_cf-monitord.service.patch
+Patch4:         harden_cf-postgres.service.patch
+Patch5:         harden_cf-runalerts.service.patch
+Patch6:         harden_cf-serverd.service.patch
+Patch7:         harden_cfengine3.service.patch
 BuildRequires:  bison
 BuildRequires:  db-devel
 BuildRequires:  fdupes
@ -137,6 +145,14 @@ ln -s libntech-%{libntech_hash} libntech
 ##### rpmlint
 #### wrong-file-end-of-line-encoding
 find ./examples -type f -name "*.cf" -exec perl -p -i -e 's|\r\n|\n|' {} \;
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1

 %build
 EXPLICIT_VERSION=%{version} autoreconf -fvi -I m4
--- a/harden_cf-apache.service.patch
+++ b/harden_cf-apache.service.patch
@ -0,0 +1,24 @@
+Index: core-3.17.0/misc/systemd/cf-apache.service.in
+===================================================================
+--- core-3.17.0.orig/misc/systemd/cf-apache.service.in
+++ core-3.17.0/misc/systemd/cf-apache.service.in
+@@ -7,6 +7,19 @@ ConditionPathExists=@workdir@/httpd/bin/
+ PartOf=cfengine3.service
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ Type=forking
+ ExecStart=@workdir@/httpd/bin/apachectl start
+ ExecStop=@workdir@/httpd/bin/apachectl stop
--- a/harden_cf-execd.service.patch
+++ b/harden_cf-execd.service.patch
@ -0,0 +1,24 @@
+Index: core-3.17.0/misc/systemd/cf-execd.service.in
+===================================================================
+--- core-3.17.0.orig/misc/systemd/cf-execd.service.in
+++ core-3.17.0/misc/systemd/cf-execd.service.in
+@@ -6,6 +6,19 @@ ConditionPathExists=@workdir@/inputs/pro
+ PartOf=cfengine3.service
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ Type=simple
+ ExecStart=@bindir@/cf-execd --no-fork
+ Restart=always
--- a/harden_cf-hub.service.patch
+++ b/harden_cf-hub.service.patch
@ -0,0 +1,24 @@
+Index: core-3.17.0/misc/systemd/cf-hub.service.in
+===================================================================
+--- core-3.17.0.orig/misc/systemd/cf-hub.service.in
+++ core-3.17.0/misc/systemd/cf-hub.service.in
+@@ -10,6 +10,19 @@ After=cf-postgres.service
+ Requires=cf-postgres.service
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ Type=simple
+ ExecStart=@bindir@/cf-hub  --no-fork
+ Restart=always
--- a/harden_cf-monitord.service.patch
+++ b/harden_cf-monitord.service.patch
@ -0,0 +1,24 @@
+Index: core-3.17.0/misc/systemd/cf-monitord.service.in
+===================================================================
+--- core-3.17.0.orig/misc/systemd/cf-monitord.service.in
+++ core-3.17.0/misc/systemd/cf-monitord.service.in
+@@ -6,6 +6,19 @@ ConditionPathExists=@workdir@/inputs/pro
+ PartOf=cfengine3.service
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ Type=simple
+ ExecStart=@bindir@/cf-monitord --no-fork
+ Restart=always
--- a/harden_cf-postgres.service.patch
+++ b/harden_cf-postgres.service.patch
@ -0,0 +1,24 @@
+Index: core-3.17.0/misc/systemd/cf-postgres.service.in
+===================================================================
+--- core-3.17.0.orig/misc/systemd/cf-postgres.service.in
+++ core-3.17.0/misc/systemd/cf-postgres.service.in
+@@ -5,6 +5,19 @@ ConditionPathExists=@bindir@/pg_ctl
+ PartOf=cfengine3.service
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ Type=forking
+ WorkingDirectory=/tmp
+ User=cfpostgres
--- a/harden_cf-runalerts.service.patch
+++ b/harden_cf-runalerts.service.patch
@ -0,0 +1,24 @@
+Index: core-3.17.0/misc/systemd/cf-runalerts.service.in
+===================================================================
+--- core-3.17.0.orig/misc/systemd/cf-runalerts.service.in
+++ core-3.17.0/misc/systemd/cf-runalerts.service.in
+@@ -9,6 +9,19 @@ After=cf-postgres.service
+ Requires=cf-postgres.service
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ # We simply launch this script every 60 seconds to perform alert related checks
+ Type=simple
+ # The cfapache user must have the rights to write to @workdir@/httpd/php/runalerts_*
--- a/harden_cf-serverd.service.patch
+++ b/harden_cf-serverd.service.patch
@ -0,0 +1,24 @@
+Index: core-3.17.0/misc/systemd/cf-serverd.service.in
+===================================================================
+--- core-3.17.0.orig/misc/systemd/cf-serverd.service.in
+++ core-3.17.0/misc/systemd/cf-serverd.service.in
+@@ -8,6 +8,19 @@ ConditionPathExists=@workdir@/inputs/pro
+ PartOf=cfengine3.service
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ Type=simple
+ ExecStart=@bindir@/cf-serverd --no-fork
+ Restart=always
--- a/harden_cfengine3.service.patch
+++ b/harden_cfengine3.service.patch
@ -0,0 +1,24 @@
+Index: core-3.17.0/misc/systemd/cfengine3.service.in
+===================================================================
+--- core-3.17.0.orig/misc/systemd/cfengine3.service.in
+++ core-3.17.0/misc/systemd/cfengine3.service.in
+@@ -26,6 +26,19 @@ Before=cf-hub.service
+ WantedBy=multi-user.target
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ Type=oneshot
+ RemainAfterExit=yes
+