From 430cbb67396eb42378ed72c5575330821c95fae5803e9395e50f4e23062c6314 Mon Sep 17 00:00:00 2001
From: Danilo Spinella
Date: Mon, 22 Nov 2021 10:20:26 +0000
Subject: [PATCH] Accepting request 932205 from home:jsegitz:branches:systemdhardening:server:database Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/932205
OBS-URL: https://build.opensuse.org/package/show/server:database/redis?expand=0&rev=187
---
 redis-sentinel@.service | 13 +++++++++++++
 redis.changes | 7 +++++++
 redis@.service | 13 +++++++++++++
 3 files changed, 33 insertions(+)
diff --git a/redis-sentinel@.service b/redis-sentinel@.service
index 1701c38..d639681 100644
--- a/redis-sentinel@.service
+++ b/redis-sentinel@.service
@@ -8,6 +8,19 @@ Type=notify
 User=redis
 Group=redis
 PrivateTmp=true
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 PIDFile=/run/redis/sentinel-%i.pid
 ExecStart=/usr/sbin/redis-sentinel /etc/redis/sentinel-%i.conf
 LimitNOFILE=10240
diff --git a/redis.changes b/redis.changes
index 6596a82..5cfb5e9 100644
--- a/redis.changes
+++ b/redis.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Nov 15 12:57:13 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+ * redis-sentinel@.service
+ * redis@.service
+
 -------------------------------------------------------------------
 Mon Oct 4 20:23:56 UTC 2021 - Michael Ströder
diff --git a/redis@.service b/redis@.service
index 124f47d..3d75dab 100644
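Review bot: `ProtectSystem=full` in the redis-sentinel@.service hunk makes /etc read-only for the service, yet the `ExecStart` line below it runs Sentinel from `/etc/redis/sentinel-%i.conf`, a file Sentinel rewrites at runtime to persist its view of the monitored instances, so the unit will probably refuse to start or fail to record a failover. The commit message itself says the change has not been tested, so a start and a failover should be exercised before this ships. I would add `ReadWritePaths=/etc/redis` directly below `ProtectSystem=full`, with a comment such as `# Redis/Sentinel rewrite their own config; keep /etc/redis writable`. The redis@.service hunk has the same problem for `/etc/redis/%i.conf`, which redis-server writes on `CONFIG REWRITE`. The [Service] section starts and ends outside both hunks, so an existing `ReadWritePaths=` line elsewhere in the units cannot be ruled out from here.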
--- a/redis@.service
+++ b/redis@.service
@@ -8,6 +8,19 @@ Type=notify
 User=redis
 Group=redis
 PrivateTmp=true
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 PIDFile=/run/redis/%i.pid
 ExecStart=/usr/sbin/redis-server /etc/redis/%i.conf
 LimitNOFILE=10240