From da6339ae80b7c8d912c2b90c512bd71dcf1996d529e5d11a64120bee1cf0dcd8 Mon Sep 17 00:00:00 2001
From: Lars Vogdt <lrupp@suse.com>
Date: Thu, 31 Mar 2022 21:46:40 +0000
Subject: [PATCH] Accepting request 926725 from
 home:jsegitz:branches:systemdhardening:server:monitoring

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/926725
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/prelude-lml?expand=0&rev=22
---
 prelude-lml.changes |  6 ++++++
 prelude-lml.service | 13 +++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/prelude-lml.changes b/prelude-lml.changes
index 7fc5f47..ce4ed1d 100644
--- a/prelude-lml.changes
+++ b/prelude-lml.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Oct 20 08:59:50 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+  * prelude-lml.service
+
 -------------------------------------------------------------------
 Sun Oct 25 18:29:49 UTC 2020 - Andreas Stieger <andreas.stieger@gmx.de>
 
diff --git a/prelude-lml.service b/prelude-lml.service
index 6f3e447..59bd5c1 100644
--- a/prelude-lml.service
+++ b/prelude-lml.service
@@ -3,6 +3,19 @@ Description=Log analyzer sensor with IDMEF output
 After=remode_fs.target prelude-manager.service
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 ExecStart=/usr/bin/prelude-lml
 
 [Install]