Accepting request 933462 from home:jsegitz:branches:systemdhardening:Base:System

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/933462 OBS-URL: https://build.opensuse.org/package/show/Base:System/sysstat?expand=0&rev=130
2021-11-29 15:52:56 +00:00 · 2021-11-29 15:52:56 +00:00 · 79f775fb5e
commit 79f775fb5e
parent acbf41dda9
3 changed files with 30 additions and 0 deletions
--- a/harden_sysstat.service.patch
+++ b/harden_sysstat.service.patch
@ -0,0 +1,22 @@
+Index: sysstat-12.4.3/sysstat.service.in
+===================================================================
+--- sysstat-12.4.3.orig/sysstat.service.in
+++ sysstat-12.4.3/sysstat.service.in
+@@ -10,6 +10,17 @@ Description=Resets System Activity Logs
+ After=remote-fs.target local-fs.target
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ Type=oneshot
+ RemainAfterExit=yes
+ User=@CRON_OWNER@
--- a/sysstat.changes
+++ b/sysstat.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Nov 24 12:33:59 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_sysstat.service.patch
+
 -------------------------------------------------------------------
 Sun Oct  3 15:11:09 UTC 2021 - Christian Boltz <suse-beta@cboltz.de>

--- a/sysstat.spec
+++ b/sysstat.spec
@ -33,6 +33,7 @@ Patch0:         sysstat-8.1.6-sa1sa2lock.diff
 Patch2:         sysstat-8.0.4-pagesize.diff
 # PATCH-FIX-OPENSUSE bsc#1151453
 Patch3:         sysstat-service.patch
+Patch4:         harden_sysstat.service.patch
 BuildRequires:  findutils
 BuildRequires:  gettext-runtime
 BuildRequires:  pkgconfig
@ -75,6 +76,7 @@ from a sysstat package.
 cp %{SOURCE1} .
 # remove date and time from objects
 find ./ -name \*.c -exec sed -i -e 's: " compiled " __DATE__ " " __TIME__::g' {} \;
+%patch4 -p1

 %build
 export conf_dir="%{_sysconfdir}/sysstat"