From c0015be8a4992b75b24728d8b7f23565eb64ebec7ee57608fed540dc386f0634 Mon Sep 17 00:00:00 2001
From: Martin Hauke
Date: Sun, 24 Oct 2021 13:04:19 +0000
Subject: [PATCH] Accepting request 926723 from home:jsegitz:branches:systemdhardening:server:monitoring
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/926723
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/pmacct?expand=0&rev=105
---
 pmacct.changes | 8 ++++++++
 pmacct.nfacctd.service | 11 +++++++++++
 pmacct.pmacctd.service | 11 +++++++++++
 pmacct.sfacctd.service | 11 +++++++++++
 4 files changed, 41 insertions(+)
diff --git a/pmacct.changes b/pmacct.changes
index 30f1622..c9e4175 100644
--- a/pmacct.changes
+++ b/pmacct.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Oct 19 09:52:31 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+ * pmacct.nfacctd.service
+ * pmacct.pmacctd.service
+ * pmacct.sfacctd.service
+
 -------------------------------------------------------------------
 Sun Mar 14 15:56:31 UTC 2021 - Martin Hauke
diff --git a/pmacct.nfacctd.service b/pmacct.nfacctd.service
index 13a7331..e972c2f 100644
--- a/pmacct.nfacctd.service
+++ b/pmacct.nfacctd.service
@@ -3,6 +3,17 @@ Description=netflow accounting daemon
 After=network.target
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 EnvironmentFile=-/etc/sysconfig/nfacctd
 ExecStart=/usr/sbin/nfacctd -f ${NFACCTD_CONF} $DAEMON_OPTS
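Review bot: `ProtectSystem=full` and `ProtectHome=true` in the added block leave /usr, /boot, /efi and /etc read-only and make /home, /root and /run/user inaccessible, while the daemon takes its settings from `${NFACCTD_CONF}` at runtime and the commit message states the change was not tested. If that configuration places a pid file, log file or plugin output under one of those trees (pmacct lets the config choose these paths), the service will fail on write once sandboxed; a comment in the block would make this visible, e.g. `# /etc and /usr are read-only, /home and /root hidden: keep pid/log/output files under /var or add ReadWritePaths=`. nfacctd parses datagrams received from the network, so after a test run confirms the unit still starts, `NoNewPrivileges=true` looks like a low-risk addition to this set. The same points apply to the identical hunks in pmacct.pmacctd.service and pmacct.sfacctd.service; the [Service] section may continue past the end of each hunk.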
diff --git a/pmacct.pmacctd.service b/pmacct.pmacctd.service
index bee33d1..df2de58 100644
--- a/pmacct.pmacctd.service
+++ b/pmacct.pmacctd.service
@@ -3,6 +3,17 @@ Description=promiscuous mode accounting daemon
 After=network.target
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 EnvironmentFile=-/etc/sysconfig/pmacctd
 ExecStart=/usr/sbin/pmacctd -f ${PMACCTD_CONF} $DAEMON_OPTS
diff --git a/pmacct.sfacctd.service b/pmacct.sfacctd.service
index 7245a15..48863fa 100644
--- a/pmacct.sfacctd.service
+++ b/pmacct.sfacctd.service
@@ -3,6 +3,17 @@ Description=sflow accounting daemon
 After=network.target
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 EnvironmentFile=-/etc/sysconfig/sfacctd
 ExecStart=/usr/sbin/sfacctd -f ${SFACCTD_CONF} $DAEMON_OPTS