From e3459b81d487b6ae7256487d3d5128ab4e08f1b85a7babaa66b56091caafd1c2 Mon Sep 17 00:00:00 2001
From: Axel Braun
Date: Tue, 5 Oct 2021 16:12:00 +0000
Subject: [PATCH] Accepting request 920514 from home:jsegitz:branches:systemdhardening:Application:ERP:GNUHealth:Factory

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/920514
OBS-URL: https://build.opensuse.org/package/show/Application:ERP:GNUHealth:Factory/gnuhealth?expand=0&rev=89
---
 gnuhealth-webdav@.service | 13 +++++++++++++
 gnuhealth.changes | 9 +++++++++
 gnuhealth.service | 7 +++++++
 gnuhealth.spec | 2 ++
 harden_gnuhealth.service.patch | 24 ++++++++++++++++++++++++
 5 files changed, 55 insertions(+)
 create mode 100644 harden_gnuhealth.service.patch
diff --git a/gnuhealth-webdav@.service b/gnuhealth-webdav@.service
index 6e3d0b1..29ddf3c 100644
--- a/gnuhealth-webdav@.service
+++ b/gnuhealth-webdav@.service
@@ -4,6 +4,19 @@ After=syslog.target
 Requires=gnuhealth.service
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=simple
 User=tryton
 Group=tryton
diff --git a/gnuhealth.changes b/gnuhealth.changes
index ccc03d8..d08fbcb 100644
--- a/gnuhealth.changes
+++ b/gnuhealth.changes
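Review bot: The block added to gnuhealth-webdav@.service has no NoNewPrivileges=true, although the gnuhealth.service context lines in this same commit show that unit already carrying NoNewPrivileges=true, MountFlags=private and MemoryDenyWriteExecute=true; without it the sandbox still allows privilege gain through setuid/fscaps binaries, so for parity add `NoNewPrivileges=true` to the automatic block. The remainder of gnuhealth-webdav@.service is outside the hunk, so the directive may already be present further down. It is also not visible where the tryton user's WebDAV data lives; if it is under /home, the new ProtectHome=true hides it, and since the commit message states the change is untested, starting one instance of the template is the minimum check before this ships.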
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Mon Sep 20 14:02:25 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_gnuhealth.service.patch
+ Modified:
+ * gnuhealth-webdav@.service
+ * gnuhealth.service
+
 -------------------------------------------------------------------
 Fri Apr 16 17:16:20 UTC 2021 - Axel Braun
 
diff --git a/gnuhealth.service b/gnuhealth.service
index fd4a0a3..c35ad46 100644
--- a/gnuhealth.service
+++ b/gnuhealth.service
@@ -15,6 +15,13 @@ ProtectControlGroups=true
 MountFlags=private
 NoNewPrivileges=true
 PrivateDevices=true
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelLogs=true
+RestrictRealtime=true
+# end of automatic additions
 MemoryDenyWriteExecute=true
 Type=simple
diff --git a/gnuhealth.spec b/gnuhealth.spec
index 8561863..48fa3f6 100644
--- a/gnuhealth.spec
+++ b/gnuhealth.spec
@@ -40,6 +40,7 @@ Source7: gnuhealth-rpmlintrc
 Source8: https://ftp.gnu.org/gnu/health/%{name}-%{version}.tar.gz.sig
 Source9: https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=health&download=1#/%{name}.keyring
 Patch0: shebang.diff
+Patch1: harden_gnuhealth.service.patch
 BuildRequires: fdupes
 BuildRequires: python-rpm-generators
@@ -112,6 +113,7 @@ This package provides the interface to Orthanc
 %patch0 -p1
 cp %{S:1} .
 cp %{S:2} .
+%patch1 -p1
 %build
 for i in h*; do
diff --git a/harden_gnuhealth.service.patch b/harden_gnuhealth.service.patch
new file mode 100644
index 0000000..f8c7de6
--- /dev/null
+++ b/harden_gnuhealth.service.patch
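Review bot: The packaged gnuhealth.service only gains ProtectHostname, ProtectClock, ProtectKernelLogs and RestrictRealtime in this hunk, while harden_gnuhealth.service.patch, added by the same commit, gives upstream's scripts/startup/gnuhealth.service a different and larger set (ProtectSystem=full, ProtectHome=true, ProtectKernelTunables, ProtectKernelModules, and others); the two files now describe the same daemon with two different sandboxes. Which copy is actually installed is not visible in the spec hunks, where %patch1 is applied after the `cp %{S:1} .` / `cp %{S:2} .` lines, so either reconcile the directive sets or drop the copy that is not shipped. A one-line marker in this block such as `# keep in sync with harden_gnuhealth.service.patch (scripts/startup/gnuhealth.service)` would at least make the duplication visible to the next maintainer.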
@@ -0,0 +1,24 @@
+Index: gnuhealth-3.8.0/scripts/startup/gnuhealth.service
+===================================================================
+--- gnuhealth-3.8.0.orig/scripts/startup/gnuhealth.service
++++ gnuhealth-3.8.0/scripts/startup/gnuhealth.service
+@@ -3,6 +3,19 @@ Description=GNU Health Server
+ After=network.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=simple
+ User=gnuhealth
+ WorkingDirectory=/home/gnuhealth
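Review bot: The new patch sets ProtectHome=true on a unit whose own context line three lines later reads `WorkingDirectory=/home/gnuhealth`; with ProtectHome=true, /home is empty and inaccessible inside the service's mount namespace, so the chdir into the working directory is expected to fail at start-up and the daemon would not see its files even if it did not. The commit message itself notes the change is untested, and this is the hunk where that shows. If the home directory must stay reachable, replace the line with `ProtectHome=tmpfs` plus `BindPaths=/home/gnuhealth` so only that directory is exposed, or omit ProtectHome= from this unit; the rest of upstream's gnuhealth.service is outside the hunk, so other /home paths it may reference are not visible here.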