pool/cfengine
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 914367 from home:jsegitz:branches:systemdhardening:systemsmanagement

Browse Source 
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/914367
OBS-URL: https://build.opensuse.org/package/show/systemsmanagement/cfengine?expand=0&rev=195
This commit is contained in:
Klaus Kämpf 2021-08-30 14:38:45 +00:00 committed by Git OBS Bridge
parent 2d9a111f22
commit ab42e2775f
13 changed files with 264 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
cf-execd.service
View File

@ -3,6 +3,19 @@ Description=CFEngine Execution Daemon
After=syslog.target After=syslog.target
[Service] [Service]
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectSystem=full
ProtectHome=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
# end of automatic additions
Type=forking Type=forking
ExecStart=/usr/bin/cf-execd ExecStart=/usr/bin/cf-execd

13
cf-monitord.service
View File

@ -3,6 +3,19 @@ Description=CFEngine Monitoring Daemon
After=syslog.target After=syslog.target
[Service] [Service]
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectSystem=full
ProtectHome=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
# end of automatic additions
Type=forking Type=forking
ExecStart=/usr/bin/cf-monitord ExecStart=/usr/bin/cf-monitord

13
cf-serverd.service
View File

@ -3,6 +3,19 @@ Description=CFEngine Server Daemon
After=syslog.target After=syslog.target
[Service] [Service]
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectSystem=full
ProtectHome=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
# end of automatic additions
Type=forking Type=forking
ExecStart=/usr/bin/cf-serverd ExecStart=/usr/bin/cf-serverd

17
cfengine.changes
View File

@ -1,3 +1,20 @@
-------------------------------------------------------------------
Wed Aug 25 15:25:36 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Added hardening to systemd service(s). Added patch(es):
* harden_cf-apache.service.patch
* harden_cf-execd.service.patch
* harden_cf-hub.service.patch
* harden_cf-monitord.service.patch
* harden_cf-postgres.service.patch
* harden_cf-runalerts.service.patch
* harden_cf-serverd.service.patch
* harden_cfengine3.service.patch
Modified:
* cf-execd.service
* cf-monitord.service
* cf-serverd.service
------------------------------------------------------------------- -------------------------------------------------------------------
Sun Apr 18 02:27:07 UTC 2021 - Ferdinand Thiessen <rpm@fthiessen.de> Sun Apr 18 02:27:07 UTC 2021 - Ferdinand Thiessen <rpm@fthiessen.de>

16
cfengine.spec
View File

@ -57,6 +57,14 @@ Source16: cf-execd
Source17: cf-serverd Source17: cf-serverd
Source20: %{name}.cron Source20: %{name}.cron
Source21: %{name}-rpmlintrc Source21: %{name}-rpmlintrc
Patch0: harden_cf-apache.service.patch
Patch1: harden_cf-execd.service.patch
Patch2: harden_cf-hub.service.patch
Patch3: harden_cf-monitord.service.patch
Patch4: harden_cf-postgres.service.patch
Patch5: harden_cf-runalerts.service.patch
Patch6: harden_cf-serverd.service.patch
Patch7: harden_cfengine3.service.patch
BuildRequires: bison BuildRequires: bison
BuildRequires: db-devel BuildRequires: db-devel
BuildRequires: fdupes BuildRequires: fdupes
@ -137,6 +145,14 @@ ln -s libntech-%{libntech_hash} libntech
##### rpmlint ##### rpmlint
#### wrong-file-end-of-line-encoding #### wrong-file-end-of-line-encoding
find ./examples -type f -name "*.cf" -exec perl -p -i -e 's|\r\n|\n|' {} \; find ./examples -type f -name "*.cf" -exec perl -p -i -e 's|\r\n|\n|' {} \;
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%build %build
EXPLICIT_VERSION=%{version} autoreconf -fvi -I m4 EXPLICIT_VERSION=%{version} autoreconf -fvi -I m4

24
harden_cf-apache.service.patch Normal file
View File

@ -0,0 +1,24 @@
Index: core-3.17.0/misc/systemd/cf-apache.service.in
===================================================================
--- core-3.17.0.orig/misc/systemd/cf-apache.service.in
+++ core-3.17.0/misc/systemd/cf-apache.service.in
@@ -7,6 +7,19 @@ ConditionPathExists=@workdir@/httpd/bin/
PartOf=cfengine3.service
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=forking
ExecStart=@workdir@/httpd/bin/apachectl start
ExecStop=@workdir@/httpd/bin/apachectl stop

24
harden_cf-execd.service.patch Normal file
View File

@ -0,0 +1,24 @@
Index: core-3.17.0/misc/systemd/cf-execd.service.in
===================================================================
--- core-3.17.0.orig/misc/systemd/cf-execd.service.in
+++ core-3.17.0/misc/systemd/cf-execd.service.in
@@ -6,6 +6,19 @@ ConditionPathExists=@workdir@/inputs/pro
PartOf=cfengine3.service
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=simple
ExecStart=@bindir@/cf-execd --no-fork
Restart=always

24
harden_cf-hub.service.patch Normal file
View File

@ -0,0 +1,24 @@
Index: core-3.17.0/misc/systemd/cf-hub.service.in
===================================================================
--- core-3.17.0.orig/misc/systemd/cf-hub.service.in
+++ core-3.17.0/misc/systemd/cf-hub.service.in
@@ -10,6 +10,19 @@ After=cf-postgres.service
Requires=cf-postgres.service
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=simple
ExecStart=@bindir@/cf-hub --no-fork
Restart=always

24
harden_cf-monitord.service.patch Normal file
View File

@ -0,0 +1,24 @@
Index: core-3.17.0/misc/systemd/cf-monitord.service.in
===================================================================
--- core-3.17.0.orig/misc/systemd/cf-monitord.service.in
+++ core-3.17.0/misc/systemd/cf-monitord.service.in
@@ -6,6 +6,19 @@ ConditionPathExists=@workdir@/inputs/pro
PartOf=cfengine3.service
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=simple
ExecStart=@bindir@/cf-monitord --no-fork
Restart=always

24
harden_cf-postgres.service.patch Normal file
View File

@ -0,0 +1,24 @@
Index: core-3.17.0/misc/systemd/cf-postgres.service.in
===================================================================
--- core-3.17.0.orig/misc/systemd/cf-postgres.service.in
+++ core-3.17.0/misc/systemd/cf-postgres.service.in
@@ -5,6 +5,19 @@ ConditionPathExists=@bindir@/pg_ctl
PartOf=cfengine3.service
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=forking
WorkingDirectory=/tmp
User=cfpostgres

24
harden_cf-runalerts.service.patch Normal file
View File

@ -0,0 +1,24 @@
Index: core-3.17.0/misc/systemd/cf-runalerts.service.in
===================================================================
--- core-3.17.0.orig/misc/systemd/cf-runalerts.service.in
+++ core-3.17.0/misc/systemd/cf-runalerts.service.in
@@ -9,6 +9,19 @@ After=cf-postgres.service
Requires=cf-postgres.service
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
# We simply launch this script every 60 seconds to perform alert related checks
Type=simple
# The cfapache user must have the rights to write to @workdir@/httpd/php/runalerts_*

24
harden_cf-serverd.service.patch Normal file
View File

@ -0,0 +1,24 @@
Index: core-3.17.0/misc/systemd/cf-serverd.service.in
===================================================================
--- core-3.17.0.orig/misc/systemd/cf-serverd.service.in
+++ core-3.17.0/misc/systemd/cf-serverd.service.in
@@ -8,6 +8,19 @@ ConditionPathExists=@workdir@/inputs/pro
PartOf=cfengine3.service
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=simple
ExecStart=@bindir@/cf-serverd --no-fork
Restart=always

24
harden_cfengine3.service.patch Normal file
View File

@ -0,0 +1,24 @@
Index: core-3.17.0/misc/systemd/cfengine3.service.in
===================================================================
--- core-3.17.0.orig/misc/systemd/cfengine3.service.in
+++ core-3.17.0/misc/systemd/cfengine3.service.in
@@ -26,6 +26,19 @@ Before=cf-hub.service
WantedBy=multi-user.target
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=oneshot
RemainAfterExit=yes