diff --git a/cf-execd.service b/cf-execd.service
index 25cb1d9..b09ecd6 100644
--- a/cf-execd.service
+++ b/cf-execd.service
@@ -3,6 +3,19 @@ Description=CFEngine Execution Daemon
 After=syslog.target
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 ExecStart=/usr/bin/cf-execd
diff --git a/cf-monitord.service b/cf-monitord.service
index 1577ab5..e9cec89 100644
--- a/cf-monitord.service
+++ b/cf-monitord.service
@@ -3,6 +3,19 @@ Description=CFEngine Monitoring Daemon
 After=syslog.target
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 ExecStart=/usr/bin/cf-monitord
diff --git a/cf-serverd.service b/cf-serverd.service
index c2d5bd9..11b7acb 100644
--- a/cf-serverd.service
+++ b/cf-serverd.service
@@ -3,6 +3,19 @@ Description=CFEngine Server Daemon
 After=syslog.target
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 ExecStart=/usr/bin/cf-serverd
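Review bot: `ProtectSystem=full` in the cf-execd hunk mounts /usr, /boot and /etc read-only for every process the unit starts, and cf-execd exists to run cf-agent, whose policy enforcement commonly writes exactly there (files under /etc, package installs under /usr); `ProtectHome=true` and `ProtectKernelTunables=true` likewise cut off home-directory and sysctl management. Agent runs scheduled by this unit would then fail with EROFS inside cf-agent's own promise output rather than visibly at unit start, so either add `ReadWritePaths=` for the trees policy is expected to manage, or drop `ProtectSystem=` from the units that spawn the agent and keep the rest of the block. The same block goes into the cf-serverd hunk below (cf-serverd can launch cf-agent on cf-runagent requests through its cfruncommand setting) and into harden_cf-execd.service.patch and harden_cf-serverd.service.patch, which should be adjusted together. A useful acceptance check is one scheduled agent run that edits a file under /etc after the change, plus `systemd-analyze security cf-execd.service` to see what exposure remains.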
diff --git a/cfengine.changes b/cfengine.changes
index 73facbc..d9221df 100644
--- a/cfengine.changes
+++ b/cfengine.changes
@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Wed Aug 25 15:25:36 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s). Added patch(es):
+ * harden_cf-apache.service.patch
+ * harden_cf-execd.service.patch
+ * harden_cf-hub.service.patch
+ * harden_cf-monitord.service.patch
+ * harden_cf-postgres.service.patch
+ * harden_cf-runalerts.service.patch
+ * harden_cf-serverd.service.patch
+ * harden_cfengine3.service.patch
+ Modified:
+ * cf-execd.service
+ * cf-monitord.service
+ * cf-serverd.service
+
 -------------------------------------------------------------------
 Sun Apr 18 02:27:07 UTC 2021 - Ferdinand Thiessen
diff --git a/cfengine.spec b/cfengine.spec
index fedc1dc..0e7fd15 100644
--- a/cfengine.spec
+++ b/cfengine.spec
@@ -57,6 +57,14 @@ Source16: cf-execd
 Source17: cf-serverd
 Source20: %{name}.cron
 Source21: %{name}-rpmlintrc
+Patch0: harden_cf-apache.service.patch
+Patch1: harden_cf-execd.service.patch
+Patch2: harden_cf-hub.service.patch
+Patch3: harden_cf-monitord.service.patch
+Patch4: harden_cf-postgres.service.patch
+Patch5: harden_cf-runalerts.service.patch
+Patch6: harden_cf-serverd.service.patch
+Patch7: harden_cfengine3.service.patch
 BuildRequires: bison
 BuildRequires: db-devel
 BuildRequires: fdupes
@@ -137,6 +145,14 @@ ln -s libntech-%{libntech_hash} libntech
 ##### rpmlint #### wrong-file-end-of-line-encoding
 find ./examples -type f -name "*.cf" -exec perl -p -i -e 's|\r\n|\n|' {} \;
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
 %build
 EXPLICIT_VERSION=%{version} autoreconf -fvi -I m4
diff --git a/harden_cf-apache.service.patch b/harden_cf-apache.service.patch
new file mode 100644
index 0000000..347777b
--- /dev/null
+++ b/harden_cf-apache.service.patch
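Review bot: The Patch0–Patch7 block in the cfengine.spec hunk makes the identical hardening text exist in eleven places (the three packaged units changed in this commit plus the eight harden_*.patch files against upstream's .service.in templates), and the hunk gives no hint which set ends up installed, so any later tuning such as an added `ReadWritePaths=` has to be repeated everywhere and will drift. Because the settings do not differ between units, a single drop-in shipped by the spec — e.g. one hardening.conf installed as `%{_unitdir}/<unit>.service.d/hardening.conf` for each daemon — would state the policy once and let the `Patch0:`…`Patch7:` lines and the `%patch0 -p1`…`%patch7 -p1` run in the second hunk go. If Source16/Source17 override the upstream cf-execd and cf-serverd templates at install time (not visible here), the corresponding two patches are dead weight; a short comment next to `Patch0:` saying which unit files are authoritative would settle that for the next packager.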
@@ -0,0 +1,24 @@
+Index: core-3.17.0/misc/systemd/cf-apache.service.in
+===================================================================
+--- core-3.17.0.orig/misc/systemd/cf-apache.service.in
++++ core-3.17.0/misc/systemd/cf-apache.service.in
+@@ -7,6 +7,19 @@ ConditionPathExists=@workdir@/httpd/bin/
+ PartOf=cfengine3.service
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=forking
+ ExecStart=@workdir@/httpd/bin/apachectl start
+ ExecStop=@workdir@/httpd/bin/apachectl stop
diff --git a/harden_cf-execd.service.patch b/harden_cf-execd.service.patch
new file mode 100644
index 0000000..84846a7
--- /dev/null
+++ b/harden_cf-execd.service.patch
@@ -0,0 +1,24 @@
+Index: core-3.17.0/misc/systemd/cf-execd.service.in
+===================================================================
+--- core-3.17.0.orig/misc/systemd/cf-execd.service.in
++++ core-3.17.0/misc/systemd/cf-execd.service.in
+@@ -6,6 +6,19 @@ ConditionPathExists=@workdir@/inputs/pro
+ PartOf=cfengine3.service
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=simple
+ ExecStart=@bindir@/cf-execd --no-fork
+ Restart=always
diff --git a/harden_cf-hub.service.patch b/harden_cf-hub.service.patch
new file mode 100644
index 0000000..742fe62
--- /dev/null
+++ b/harden_cf-hub.service.patch
@@ -0,0 +1,24 @@
+Index: core-3.17.0/misc/systemd/cf-hub.service.in
+===================================================================
+--- core-3.17.0.orig/misc/systemd/cf-hub.service.in
++++ core-3.17.0/misc/systemd/cf-hub.service.in
+@@ -10,6 +10,19 @@ After=cf-postgres.service
+ Requires=cf-postgres.service
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=simple
+ ExecStart=@bindir@/cf-hub --no-fork
+ Restart=always
diff --git a/harden_cf-monitord.service.patch b/harden_cf-monitord.service.patch
new file mode 100644
index 0000000..983eb7d
--- /dev/null
+++ b/harden_cf-monitord.service.patch
@@ -0,0 +1,24 @@
+Index: core-3.17.0/misc/systemd/cf-monitord.service.in
+===================================================================
+--- core-3.17.0.orig/misc/systemd/cf-monitord.service.in
++++ core-3.17.0/misc/systemd/cf-monitord.service.in
+@@ -6,6 +6,19 @@ ConditionPathExists=@workdir@/inputs/pro
+ PartOf=cfengine3.service
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=simple
+ ExecStart=@bindir@/cf-monitord --no-fork
+ Restart=always
diff --git a/harden_cf-postgres.service.patch b/harden_cf-postgres.service.patch
new file mode 100644
index 0000000..92482c9
--- /dev/null
+++ b/harden_cf-postgres.service.patch
@@ -0,0 +1,24 @@
+Index: core-3.17.0/misc/systemd/cf-postgres.service.in
+===================================================================
+--- core-3.17.0.orig/misc/systemd/cf-postgres.service.in
++++ core-3.17.0/misc/systemd/cf-postgres.service.in
+@@ -5,6 +5,19 @@ ConditionPathExists=@bindir@/pg_ctl
+ PartOf=cfengine3.service
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=forking
+ WorkingDirectory=/tmp
+ User=cfpostgres
diff --git a/harden_cf-runalerts.service.patch b/harden_cf-runalerts.service.patch
new file mode 100644
index 0000000..bc267d2
--- /dev/null
+++ b/harden_cf-runalerts.service.patch
@@ -0,0 +1,24 @@
+Index: core-3.17.0/misc/systemd/cf-runalerts.service.in
+===================================================================
+--- core-3.17.0.orig/misc/systemd/cf-runalerts.service.in
++++ core-3.17.0/misc/systemd/cf-runalerts.service.in
+@@ -9,6 +9,19 @@ After=cf-postgres.service
+ Requires=cf-postgres.service
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ # We simply launch this script every 60 seconds to perform alert related checks
+ Type=simple
+ # The cfapache user must have the rights to write to @workdir@/httpd/php/runalerts_*
diff --git a/harden_cf-serverd.service.patch b/harden_cf-serverd.service.patch
new file mode 100644
index 0000000..3f91e46
--- /dev/null
+++ b/harden_cf-serverd.service.patch
@@ -0,0 +1,24 @@
+Index: core-3.17.0/misc/systemd/cf-serverd.service.in
+===================================================================
+--- core-3.17.0.orig/misc/systemd/cf-serverd.service.in
++++ core-3.17.0/misc/systemd/cf-serverd.service.in
+@@ -8,6 +8,19 @@ ConditionPathExists=@workdir@/inputs/pro
+ PartOf=cfengine3.service
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=simple
+ ExecStart=@bindir@/cf-serverd --no-fork
+ Restart=always
diff --git a/harden_cfengine3.service.patch b/harden_cfengine3.service.patch
new file mode 100644
index 0000000..1ff7ed3
--- /dev/null
+++ b/harden_cfengine3.service.patch
@@ -0,0 +1,24 @@
+Index: core-3.17.0/misc/systemd/cfengine3.service.in
+===================================================================
+--- core-3.17.0.orig/misc/systemd/cfengine3.service.in
++++ core-3.17.0/misc/systemd/cfengine3.service.in
+@@ -26,6 +26,19 @@ Before=cf-hub.service
+ WantedBy=multi-user.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=oneshot
+ RemainAfterExit=yes
+ 
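Review bot: harden_cfengine3.service.patch adds the sandbox block to a `Type=oneshot`/`RemainAfterExit=yes` unit that the daemons declare themselves `PartOf=` (visible in the context of the other patches), i.e. an umbrella unit; these settings only constrain processes this unit itself executes and are not inherited by the PartOf= members, so if its ExecStart= — outside the hunk — is a trivial command they add nothing. That is harmless, but a reader scanning the file will take the block as covering the whole CFEngine stack; a comment such as `# umbrella unit only: each daemon carries its own sandboxing in its own unit` above the block would prevent that, or the patch could be dropped if the unit has no Exec lines at all.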