From 7f33063b384ee9aff4db7305137e4f3fa111d731eeb75b79dd9321b74054a3ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=98=D0=BB=D1=8C=D1=8F=20=D0=98=D0=BD=D0=B4=D0=B8=D0=B3?= =?UTF-8?q?=D0=BE?=
Date: Tue, 12 Oct 2021 14:29:14 +0000
Subject: [PATCH 1/2] Accepting request 924900 from home:jsegitz:branches:systemdhardening:server:http

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/924900
OBS-URL: https://build.opensuse.org/package/show/server:http/nginx?expand=0&rev=214
---
 nginx.changes | 6 ++++++
 nginx.service | 13 +++++++++++++
 2 files changed, 19 insertions(+)
diff --git a/nginx.changes b/nginx.changes
index dedf26a..cc54544 100644
--- a/nginx.changes
+++ b/nginx.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Oct 11 09:26:39 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+ * nginx.service
+
 -------------------------------------------------------------------
 Fri Sep 10 17:44:54 UTC 2021 - Илья Индиго
diff --git a/nginx.service b/nginx.service
index ff7a9d8..a9b409e 100644
--- a/nginx.service
+++ b/nginx.service
@@ -12,6 +12,19 @@ KillSignal=SIGQUIT
 TimeoutStopSec=5
 KillMode=mixed
 PrivateTmp=true
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=read-only
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 [Install]
 WantedBy=multi-user.target
From 7448a9c7db10354db16d13920a1c1a2ec1ab25181b936027d5085a9323c8ccad Mon Sep 17 00:00:00 2001
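Review bot: The block added after `PrivateTmp=true` in nginx.service does not say what its two path-restricting lines do, and the commit message states the change was not tested, so an administrator who hits a failure has little to go on. `ProtectSystem=full` mounts `/usr`, `/boot`, `/efi` and `/etc` read-only and `ProtectHome=read-only` does the same for `/home`, `/root` and `/run/user`, so a site that has nginx write below those paths (an upload or cache directory under a home directory, for instance) will start getting read-only errors; I would add `# /usr, /etc and home directories are read-only for nginx; use a drop-in (e.g. ReadWritePaths=) if a site needs to write there`. `ProtectHome=read-only` also leaves home directories readable to a compromised worker, so where nothing is served from them `ProtectHome=true` is the tighter choice. Running `systemd-analyze security nginx.service` on the installed unit shows which directives are in effect, which matters on older systemd releases that log and skip directives they do not know, such as `ProtectClock=`. The `[Service]` section this block belongs to starts outside the hunk.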
From: =?UTF-8?q?=D0=98=D0=BB=D1=8C=D1=8F=20=D0=98=D0=BD=D0=B4=D0=B8=D0=B3?= =?UTF-8?q?=D0=BE?=
Date: Fri, 15 Oct 2021 14:30:55 +0000
Subject: [PATCH 2/2] Accepting request 925488 from home:gmbr3:Active

- Add CONFIG parameter to %sysusers_generate_pre
OBS-URL: https://build.opensuse.org/request/show/925488
OBS-URL: https://build.opensuse.org/package/show/server:http/nginx?expand=0&rev=215
---
 nginx.changes | 5 +++++
 nginx.spec | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/nginx.changes b/nginx.changes
index cc54544..b2ab385 100644
--- a/nginx.changes
+++ b/nginx.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Oct 15 14:23:41 UTC 2021 - Callum Farmer
+
+- Add CONFIG parameter to %sysusers_generate_pre
+
 -------------------------------------------------------------------
 Mon Oct 11 09:26:39 UTC 2021 - Johannes Segitz
diff --git a/nginx.spec b/nginx.spec
index 63a9139..b7b737f 100644
--- a/nginx.spec
+++ b/nginx.spec
@@ -133,7 +133,7 @@ sed -i 's/^\(#define NGX_LISTEN_BACKLOG \).*/\1-1/' src/os/unix/ngx_linux_config
 %{ngx_configure}
 %make_build
-%sysusers_generate_pre %{SOURCE9} nginx
+%sysusers_generate_pre %{SOURCE9} nginx nginx.conf
 %install
 %make_install