diff --git a/harden_promtail.service.patch b/harden_promtail.service.patch
new file mode 100644
index 0000000..94c4051
--- /dev/null
+++ b/harden_promtail.service.patch
@@ -0,0 +1,23 @@
+Index: loki-2.2.1+git.1617669398.babea82e/docs/sources/clients/aws/ec2/promtail.service
+===================================================================
+--- loki-2.2.1+git.1617669398.babea82e.orig/docs/sources/clients/aws/ec2/promtail.service
++++ loki-2.2.1+git.1617669398.babea82e/docs/sources/clients/aws/ec2/promtail.service
+@@ -1,6 +1,18 @@
+ [Unit]
+ Description=Promtail
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ User=root
+ WorkingDirectory=/opt/promtail/
+ ExecStartPre=/bin/sleep 30
diff --git a/loki.changes b/loki.changes
index 6c6678b..a9b2e11 100644
--- a/loki.changes
+++ b/loki.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed Oct 6 06:11:13 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_promtail.service.patch
+ Modified:
+ * loki.service
+ * promtail.service
+
 -------------------------------------------------------------------
 Fri Jun 25 08:58:58 UTC 2021 - Stefano Torresi
diff --git a/loki.service b/loki.service
index 1d4e69e..5fe9f80 100644
--- a/loki.service
+++ b/loki.service
@@ -3,6 +3,18 @@ Description=Loki is a horizontally-scalable, highly-available, multi-tenant log
 Documentation=https://github.com/grafana/loki
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Restart=always
 User=loki
 EnvironmentFile=-/etc/sysconfig/loki
diff --git a/loki.spec b/loki.spec
index 641ba60..47fc71d 100644
--- a/loki.spec
+++ b/loki.spec
@@ -28,6 +28,7 @@ Source1: loki.service
 Source2: promtail.service
 Source3: sysconfig.loki
 Source4: sysconfig.promtail
+Patch0: harden_promtail.service.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: golang-packaging
 BuildRequires: systemd-devel
@@ -57,6 +58,7 @@ This package contains the Promtail client.
 %prep
 %setup -q %{name}-%{version}
+%patch0 -p1
 %build
 %define buildpkg github.com/grafana/loki/pkg/build
diff --git a/promtail.service b/promtail.service
index 21ea56e..ef6d640 100644
--- a/promtail.service
+++ b/promtail.service
@@ -3,6 +3,18 @@ Description=promtail is the agent responsible for gathering logs and sending the
 Documentation=https://github.com/grafana/loki/blob/master/docs/promtail.md
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Restart=always
 User=loki
 EnvironmentFile=-/etc/sysconfig/promtail
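Review bot: The added [Service] block in loki.service does not set NoNewPrivileges= explicitly, so the loki process, which the context line below the block runs as User=loki, can still gain privileges by exec'ing a setuid or file-capability binary; most of the other settings (ProtectKernelTunables, ProtectKernelModules, ProtectControlGroups) are largely redundant for a non-root service and do not cover that path. I would add `NoNewPrivileges=true`, `RestrictSUIDSGID=true` and `PrivateTmp=true` next to RestrictRealtime. ProtectSystem=full keeps /var writable, which is presumably where Loki's storage lives (its configuration comes via /etc/sysconfig/loki, not visible in the hunk), so tightening to ProtectSystem=strict would need a matching ReadWritePaths= entry and should be checked against the actual config first. The ExecStart line and the rest of the unit fall outside the hunk.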
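Review bot: Patch0, applied by the new `%patch0 -p1` line, only rewrites docs/sources/clients/aws/ec2/promtail.service, the upstream example unit, while the units actually installed come from Source1 and Source2 in the same hunk; unless the docs tree is packaged, which the visible spec lines do not show, the patch changes nothing in the shipped artifacts. That is fine as a courtesy to users copying the example, but it is easy to mistake for the real hardening, so a comment on the Patch0 line would help: `# hardens the upstream docs example unit only; the installed units are Source1/Source2`. The %install section that would confirm whether docs are shipped is outside the hunk.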
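Review bot: ProtectHome=true in the added block makes /home, /root and /run/user inaccessible to promtail, and because promtail's whole job is tailing files, any scrape target under those trees (the config is referenced via /etc/sysconfig/promtail, not visible here) would silently stop being read with no unit-level failure; this deserves a comment next to the setting, e.g. `# ProtectHome=true: log files under /home or /root are not readable; use ProtectHome=read-only if such targets exist`. The block also omits `NoNewPrivileges=true`, which costs nothing for a User=loki service (see the context line below the block) and closes privilege gain through setuid binaries; I would add it beside RestrictRealtime. The same twelve lines are repeated verbatim in loki.service and in the docs patch, so a shared drop-in under the unit's .service.d/ directory would keep them in one place, though that is a style choice. ExecStart and the rest of the unit are outside the hunk.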