diff --git a/chrony.changes b/chrony.changes
index d9137d0..2f69890 100644
--- a/chrony.changes
+++ b/chrony.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Aug 30 13:50:07 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s). Added patch(es):
+ * harden_chrony-wait.service.patch
+ * harden_chronyd.service.patch
+
 -------------------------------------------------------------------
 Thu Jul 1 12:38:13 UTC 2021 - Reinhard Max
 
diff --git a/chrony.spec b/chrony.spec
index 7d06103..4c6f632 100644
--- a/chrony.spec
+++ b/chrony.spec
@@ -55,6 +55,8 @@ Patch1: chrony-service-helper.patch
 Patch2: chrony-logrotate.patch
 Patch3: chrony-service-ordering.patch
 Patch4: chrony-refid-internal-md5.patch
+Patch5: harden_chrony-wait.service.patch
+Patch6: harden_chronyd.service.patch
 BuildRequires: NetworkManager-devel
 BuildRequires: bison
 BuildRequires: gcc-c++
@@ -155,6 +157,8 @@ sed -e 's-@CHRONY_HELPER@-%{chrony_helper}-g' -i %{PATCH1} %{SOURCE3} %{SOURCE5}
 %patch2 -p1
 %patch3
 %patch4
+%patch5 -p1
+%patch6 -p1
 
 # Remove pool statements from the default /etc/chrony.conf. They will
 # be provided by branding packages in /etc/chrony.d/pool.conf .
diff --git a/harden_chrony-wait.service.patch b/harden_chrony-wait.service.patch
new file mode 100644
index 0000000..5d103d7
--- /dev/null
+++ b/harden_chrony-wait.service.patch
@@ -0,0 +1,24 @@
+Index: chrony-4.1/examples/chrony-wait.service
+===================================================================
+--- chrony-4.1.orig/examples/chrony-wait.service
++++ chrony-4.1/examples/chrony-wait.service
+@@ -7,6 +7,19 @@ Before=time-sync.target
+ Wants=time-sync.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=oneshot
+ # Wait for chronyd to update the clock and the remaining
+ # correction to be less than 0.1 seconds
diff --git a/harden_chronyd.service.patch b/harden_chronyd.service.patch
new file mode 100644
index 0000000..c026810
--- /dev/null
+++ b/harden_chronyd.service.patch
@@ -0,0 +1,20 @@
+Index: chrony-4.1/examples/chronyd.service
+===================================================================
+--- chrony-4.1.orig/examples/chronyd.service
++++ chrony-4.1/examples/chronyd.service
+@@ -17,6 +17,15 @@ ExecStart=/usr/sbin/chronyd $OPTIONS
+ PrivateTmp=yes
+ ProtectHome=yes
+ ProtectSystem=full
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++PrivateDevices=true
++ProtectHostname=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++DeviceAllow=char-rtc
++# end of automatic additions
+ 
+ [Install]
+ WantedBy=multi-user.target
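Review bot: `DeviceAllow=char-rtc` in the chronyd.service patch most likely does not achieve what it is there for next to `PrivateDevices=true`: as far as I read systemd.exec(5), PrivateDevices= mounts a private /dev holding only API pseudo-devices, so /dev/rtc* (and /dev/pps*, /dev/ptp* used by PPS/PHC refclocks) are simply absent whatever the device-cgroup allow list says, and the manual presents DeviceAllow= as the alternative to use when some devices must stay reachable. Hosts whose chrony.conf uses `rtcfile`/`hwclockfile` or such refclocks would then lose their devices silently once the package is updated, so this should be verified on a machine with one of those directives before the change ships. If the RTC is meant to stay usable I would replace `PrivateDevices=true` with `DevicePolicy=closed` and keep `DeviceAllow=char-rtc`, extending the allow list for refclock devices where needed, or otherwise state the limitation in the comment block. This block also omits ProtectClock=, ProtectKernelTunables= and RestrictRealtime= that the chrony-wait patch adds, presumably because chronyd must step the clock and may request real-time scheduling with -P; a one-line comment recording that reason would keep a later automatic hardening pass from re-adding them. The [Service] section of both unit files begins before the respective hunk.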