From 4d8d81d4791c9a0ba5125b3da791c81d915fe5067e0568d8b204e9adadc48013 Mon Sep 17 00:00:00 2001
From: Andy Cress
Date: Fri, 24 Sep 2021 19:00:55 +0000
Subject: [PATCH] Accepting request 921089 from home:jsegitz:branches:systemdhardening:systemsmanagement
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/921089
OBS-URL: https://build.opensuse.org/package/show/systemsmanagement/ipmiutil?expand=0&rev=43
---
 harden_ipmi_port.service.patch | 23 +++++++++++++++++++++++
 harden_ipmiutil_asy.service.patch | 23 +++++++++++++++++++++++
 harden_ipmiutil_evt.service.patch | 23 +++++++++++++++++++++++
 harden_ipmiutil_wdt.service.patch | 23 +++++++++++++++++++++++
 ipmiutil.changes | 9 +++++++++
 ipmiutil.spec | 8 ++++++++
 6 files changed, 109 insertions(+)
 create mode 100644 harden_ipmi_port.service.patch
 create mode 100644 harden_ipmiutil_asy.service.patch
 create mode 100644 harden_ipmiutil_evt.service.patch
 create mode 100644 harden_ipmiutil_wdt.service.patch
diff --git a/harden_ipmi_port.service.patch b/harden_ipmi_port.service.patch
new file mode 100644
index 0000000..c77eab4
--- /dev/null
+++ b/harden_ipmi_port.service.patch
@@ -0,0 +1,23 @@
+Index: ipmiutil-3.1.7/scripts/ipmi_port.service
+===================================================================
+--- ipmiutil-3.1.7.orig/scripts/ipmi_port.service
++++ ipmiutil-3.1.7/scripts/ipmi_port.service
+@@ -3,6 +3,18 @@ Description=ipmiutil ipmi_port service
+ After=network.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=forking
+ PIDFile=/run/ipmi_port.pid
+ EnvironmentFile=/usr/share/ipmiutil/ipmiutil.env
diff --git a/harden_ipmiutil_asy.service.patch b/harden_ipmiutil_asy.service.patch
new file mode 100644
index 0000000..efb93f1
--- /dev/null
+++ b/harden_ipmiutil_asy.service.patch
@@ -0,0 +1,23 @@
+Index: ipmiutil-3.1.7/scripts/ipmiutil_asy.service
+===================================================================
+--- ipmiutil-3.1.7.orig/scripts/ipmiutil_asy.service
++++ ipmiutil-3.1.7/scripts/ipmiutil_asy.service
+@@ -3,6 +3,18 @@ Description=ipmiutil Async Bridge Agent
+ After=network.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=forking
+ PIDFile=/run/ipmiutil_asy.pid
+ EnvironmentFile=/usr/share/ipmiutil/ipmiutil.env
diff --git a/harden_ipmiutil_evt.service.patch b/harden_ipmiutil_evt.service.patch
new file mode 100644
index 0000000..e39a0c3
--- /dev/null
+++ b/harden_ipmiutil_evt.service.patch
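Review bot: ProtectKernelModules=true and ProtectSystem=full are dropped into ipmi_port.service without the ExecStart line or the wrapper script being visible in this hunk, and the commit message itself says the change has not been tested; if that wrapper loads the IPMI kernel driver with modprobe before opening the device, the unit will now fail at start because ProtectKernelModules= removes CAP_SYS_MODULE and makes /usr/lib/modules inaccessible. The hunk only shows the [Service] header, Type=forking, PIDFile= and EnvironmentFile=, so whatever ExecStart runs needs to be checked against each added directive. Please start the unit once with and once without the ipmi driver already loaded, run `systemd-analyze security ipmi_port.service`, and replace `# added automatically, for details please see` with a comment that records what was verified, e.g. `# hardening verified against ipmi_port start/stop on <date>; driver loading is handled by modules-load.d`. If module loading turns out to be needed, move it to a modules-load.d fragment rather than dropping ProtectKernelModules=.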
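Review bot: Nothing in the added block for ipmiutil_asy.service reduces privileges (no User=, CapabilityBoundingSet=, NoNewPrivileges= or PrivateTmp= appears, and the visible context does not set them either), so the daemon still runs as root with CAP_SYS_ADMIN, and systemd.exec(5) notes that the read-only bind mounts behind ProtectSystem=, ProtectHome= and ProtectKernelTunables= can be undone by a process holding that capability. As written the block limits accidental writes but gives little against a compromised daemon. Adding `CapabilityBoundingSet=` with only what the bridge agent actually needs plus `NoNewPrivileges=true` and `PrivateTmp=true` would make the sandbox hold; the ExecStart line and the agent's privilege needs are outside this hunk, so verify them against the start script first.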
@@ -0,0 +1,23 @@
+Index: ipmiutil-3.1.7/scripts/ipmiutil_evt.service
+===================================================================
+--- ipmiutil-3.1.7.orig/scripts/ipmiutil_evt.service
++++ ipmiutil-3.1.7/scripts/ipmiutil_evt.service
+@@ -3,6 +3,18 @@ Description=ipmiutil Event Daemon
+ After=network.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=forking
+ PIDFile=/run/ipmiutil_evt.pid
+ EnvironmentFile=/usr/share/ipmiutil/ipmiutil.env
diff --git a/harden_ipmiutil_wdt.service.patch b/harden_ipmiutil_wdt.service.patch
new file mode 100644
index 0000000..2276287
--- /dev/null
+++ b/harden_ipmiutil_wdt.service.patch
@@ -0,0 +1,23 @@
+Index: ipmiutil-3.1.7/scripts/ipmiutil_wdt.service
+===================================================================
+--- ipmiutil-3.1.7.orig/scripts/ipmiutil_wdt.service
++++ ipmiutil-3.1.7/scripts/ipmiutil_wdt.service
+@@ -3,6 +3,18 @@ Description=ipmiutil Watchdog Timer Serv
+ After=network.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ ExecStart=/usr/share/ipmiutil/ipmiutil_wdt start
+ ExecStop=/usr/share/ipmiutil/ipmiutil_wdt stop
+ ExecReload=/usr/share/ipmiutil/ipmiutil_wdt restart
diff --git a/ipmiutil.changes b/ipmiutil.changes
index 8a4e843..6a896e1 100644
--- a/ipmiutil.changes
+++ b/ipmiutil.changes
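Review bot: The block added to ipmiutil_evt.service contains no network or device restriction at all, even though the unit is ordered After=network.target and an event daemon of this kind can listen for BMC events either locally or over IPMI-over-LAN; the daemon keeps every address family (AF_PACKET, AF_NETLINK, ...) and full /dev access. If the daemon only talks to the local BMC through /dev/ipmi*, `PrivateNetwork=true` plus `DevicePolicy=closed` and `DeviceAllow=/dev/ipmi0 rw` (and the char-major alias if the device node name varies) would cut the attack surface considerably; if it needs the LAN path, `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` is the minimum. Note that the set correctly omits `PrivateDevices=true`, which would hide /dev/ipmi* entirely and break the service. Which mode the script uses is outside this hunk, so confirm it against the ExecStart script before choosing.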
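Review bot: In ipmiutil_wdt.service the new sandbox now also applies to `ExecStop=/usr/share/ipmiutil/ipmiutil_wdt stop`, and for a BMC watchdog a failing stop is worse than a failing start: if the script arms the hardware watchdog on start and the stop path is then blocked by one of the added directives (for example a write under a path ProtectSystem=full makes read-only, or a modprobe blocked by ProtectKernelModules=), the timer stays armed and the BMC will reset the host once nothing refreshes it. The commit message says this was not tested, so please exercise `ipmiutil_wdt start`, `stop` and `restart` under the hardened unit on real IPMI hardware before shipping, and check the journal for EACCES/EROFS from the script. The unit's Type= and any RemainAfterExit= line are outside this hunk; if the script loads the ipmi driver itself, that needs to move to modules-load.d for ProtectKernelModules=true to be viable.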
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed Sep 22 14:47:30 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_ipmi_port.service.patch
+ * harden_ipmiutil_asy.service.patch
+ * harden_ipmiutil_evt.service.patch
+ * harden_ipmiutil_wdt.service.patch
+
 -------------------------------------------------------------------
 Wed May 12 17:56:58 UTC 2021 - Ferdinand Thiessen
diff --git a/ipmiutil.spec b/ipmiutil.spec
index 7aa3c58..287a453 100644
--- a/ipmiutil.spec
+++ b/ipmiutil.spec
@@ -26,6 +26,10 @@ License: BSD-3-Clause
 Group: System/Management
 URL: http://ipmiutil.sourceforge.net
 Source: https://sourceforge.net/projects/ipmiutil/files/%{name}-%{version}.tar.gz
+Patch0: harden_ipmi_port.service.patch
+Patch1: harden_ipmiutil_asy.service.patch
+Patch2: harden_ipmiutil_evt.service.patch
+Patch3: harden_ipmiutil_wdt.service.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: gcc
@@ -67,6 +71,10 @@ useful for building custom IPMI applications.
 %prep
 %setup -q
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
 %build
 autoreconf -fiv