Accepting request 921089 from home:jsegitz:branches:systemdhardening:systemsmanagement

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/921089 OBS-URL: https://build.opensuse.org/package/show/systemsmanagement/ipmiutil?expand=0&rev=43
2021-09-24 19:00:55 +00:00 · 2021-09-24 19:00:55 +00:00 · 4d8d81d479
commit 4d8d81d479
parent f31a048d87
6 changed files with 109 additions and 0 deletions
--- a/harden_ipmi_port.service.patch
+++ b/harden_ipmi_port.service.patch
@ -0,0 +1,23 @@
+Index: ipmiutil-3.1.7/scripts/ipmi_port.service
+===================================================================
+--- ipmiutil-3.1.7.orig/scripts/ipmi_port.service
+++ ipmiutil-3.1.7/scripts/ipmi_port.service
+@@ -3,6 +3,18 @@ Description=ipmiutil ipmi_port service
+ After=network.target
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ Type=forking
+ PIDFile=/run/ipmi_port.pid
+ EnvironmentFile=/usr/share/ipmiutil/ipmiutil.env
--- a/harden_ipmiutil_asy.service.patch
+++ b/harden_ipmiutil_asy.service.patch
@ -0,0 +1,23 @@
+Index: ipmiutil-3.1.7/scripts/ipmiutil_asy.service
+===================================================================
+--- ipmiutil-3.1.7.orig/scripts/ipmiutil_asy.service
+++ ipmiutil-3.1.7/scripts/ipmiutil_asy.service
+@@ -3,6 +3,18 @@ Description=ipmiutil Async Bridge Agent
+ After=network.target
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ Type=forking
+ PIDFile=/run/ipmiutil_asy.pid
+ EnvironmentFile=/usr/share/ipmiutil/ipmiutil.env
--- a/harden_ipmiutil_evt.service.patch
+++ b/harden_ipmiutil_evt.service.patch
@ -0,0 +1,23 @@
+Index: ipmiutil-3.1.7/scripts/ipmiutil_evt.service
+===================================================================
+--- ipmiutil-3.1.7.orig/scripts/ipmiutil_evt.service
+++ ipmiutil-3.1.7/scripts/ipmiutil_evt.service
+@@ -3,6 +3,18 @@ Description=ipmiutil Event Daemon
+ After=network.target
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ Type=forking
+ PIDFile=/run/ipmiutil_evt.pid
+ EnvironmentFile=/usr/share/ipmiutil/ipmiutil.env
--- a/harden_ipmiutil_wdt.service.patch
+++ b/harden_ipmiutil_wdt.service.patch
@ -0,0 +1,23 @@
+Index: ipmiutil-3.1.7/scripts/ipmiutil_wdt.service
+===================================================================
+--- ipmiutil-3.1.7.orig/scripts/ipmiutil_wdt.service
+++ ipmiutil-3.1.7/scripts/ipmiutil_wdt.service
+@@ -3,6 +3,18 @@ Description=ipmiutil Watchdog Timer Serv
+ After=network.target
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ ExecStart=/usr/share/ipmiutil/ipmiutil_wdt start
+ ExecStop=/usr/share/ipmiutil/ipmiutil_wdt stop
+ ExecReload=/usr/share/ipmiutil/ipmiutil_wdt restart
--- a/ipmiutil.changes
+++ b/ipmiutil.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed Sep 22 14:47:30 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_ipmi_port.service.patch
+  * harden_ipmiutil_asy.service.patch
+  * harden_ipmiutil_evt.service.patch
+  * harden_ipmiutil_wdt.service.patch
+
 -------------------------------------------------------------------
 Wed May 12 17:56:58 UTC 2021 - Ferdinand Thiessen <rpm@fthiessen.de>

--- a/ipmiutil.spec
+++ b/ipmiutil.spec
@ -26,6 +26,10 @@ License:        BSD-3-Clause
 Group:          System/Management
 URL:            http://ipmiutil.sourceforge.net
 Source:         https://sourceforge.net/projects/ipmiutil/files/%{name}-%{version}.tar.gz
+Patch0:	harden_ipmi_port.service.patch
+Patch1:	harden_ipmiutil_asy.service.patch
+Patch2:	harden_ipmiutil_evt.service.patch
+Patch3:	harden_ipmiutil_wdt.service.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  gcc
@ -67,6 +71,10 @@ useful for building custom IPMI applications.

 %prep
 %setup -q
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1

 %build
 autoreconf -fiv