pool/ipmiutil
SHA256
5
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Accepting request 921089 from home:jsegitz:branches:systemdhardening:systemsmanagement

Browse Source 
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/921089
OBS-URL: https://build.opensuse.org/package/show/systemsmanagement/ipmiutil?expand=0&rev=43
This commit is contained in:
Andy Cress 2021-09-24 19:00:55 +00:00 committed by Git OBS Bridge
parent f31a048d87
commit 4d8d81d479
6 changed files with 109 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
harden_ipmi_port.service.patch Normal file
View File

@ -0,0 +1,23 @@
Index: ipmiutil-3.1.7/scripts/ipmi_port.service
===================================================================
--- ipmiutil-3.1.7.orig/scripts/ipmi_port.service
+++ ipmiutil-3.1.7/scripts/ipmi_port.service
@@ -3,6 +3,18 @@ Description=ipmiutil ipmi_port service
After=network.target
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=forking
PIDFile=/run/ipmi_port.pid
EnvironmentFile=/usr/share/ipmiutil/ipmiutil.env

23
harden_ipmiutil_asy.service.patch Normal file
View File

@ -0,0 +1,23 @@
Index: ipmiutil-3.1.7/scripts/ipmiutil_asy.service
===================================================================
--- ipmiutil-3.1.7.orig/scripts/ipmiutil_asy.service
+++ ipmiutil-3.1.7/scripts/ipmiutil_asy.service
@@ -3,6 +3,18 @@ Description=ipmiutil Async Bridge Agent
After=network.target
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=forking
PIDFile=/run/ipmiutil_asy.pid
EnvironmentFile=/usr/share/ipmiutil/ipmiutil.env

23
harden_ipmiutil_evt.service.patch Normal file
View File

@ -0,0 +1,23 @@
Index: ipmiutil-3.1.7/scripts/ipmiutil_evt.service
===================================================================
--- ipmiutil-3.1.7.orig/scripts/ipmiutil_evt.service
+++ ipmiutil-3.1.7/scripts/ipmiutil_evt.service
@@ -3,6 +3,18 @@ Description=ipmiutil Event Daemon
After=network.target
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=forking
PIDFile=/run/ipmiutil_evt.pid
EnvironmentFile=/usr/share/ipmiutil/ipmiutil.env

23
harden_ipmiutil_wdt.service.patch Normal file
View File

@ -0,0 +1,23 @@
Index: ipmiutil-3.1.7/scripts/ipmiutil_wdt.service
===================================================================
--- ipmiutil-3.1.7.orig/scripts/ipmiutil_wdt.service
+++ ipmiutil-3.1.7/scripts/ipmiutil_wdt.service
@@ -3,6 +3,18 @@ Description=ipmiutil Watchdog Timer Serv
After=network.target
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
ExecStart=/usr/share/ipmiutil/ipmiutil_wdt start
ExecStop=/usr/share/ipmiutil/ipmiutil_wdt stop
ExecReload=/usr/share/ipmiutil/ipmiutil_wdt restart

9
ipmiutil.changes
View File

@ -1,3 +1,12 @@
-------------------------------------------------------------------
Wed Sep 22 14:47:30 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
* harden_ipmi_port.service.patch
* harden_ipmiutil_asy.service.patch
* harden_ipmiutil_evt.service.patch
* harden_ipmiutil_wdt.service.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Wed May 12 17:56:58 UTC 2021 - Ferdinand Thiessen <rpm@fthiessen.de> Wed May 12 17:56:58 UTC 2021 - Ferdinand Thiessen <rpm@fthiessen.de>

8
ipmiutil.spec
View File

@ -26,6 +26,10 @@ License: BSD-3-Clause
Group: System/Management Group: System/Management
URL: http://ipmiutil.sourceforge.net URL: http://ipmiutil.sourceforge.net
Source: https://sourceforge.net/projects/ipmiutil/files/%{name}-%{version}.tar.gz Source: https://sourceforge.net/projects/ipmiutil/files/%{name}-%{version}.tar.gz
Patch0: harden_ipmi_port.service.patch
Patch1: harden_ipmiutil_asy.service.patch
Patch2: harden_ipmiutil_evt.service.patch
Patch3: harden_ipmiutil_wdt.service.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
BuildRequires: gcc BuildRequires: gcc
@ -67,6 +71,10 @@ useful for building custom IPMI applications.
%prep %prep
%setup -q %setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%build %build
autoreconf -fiv autoreconf -fiv