diff --git a/harden_sysstat.service.patch b/harden_sysstat.service.patch
new file mode 100644
index 0000000..71ef180
--- /dev/null
+++ b/harden_sysstat.service.patch
@@ -0,0 +1,22 @@
+Index: sysstat-12.4.3/sysstat.service.in
+===================================================================
+--- sysstat-12.4.3.orig/sysstat.service.in
++++ sysstat-12.4.3/sysstat.service.in
+@@ -10,6 +10,17 @@ Description=Resets System Activity Logs
+ After=remote-fs.target local-fs.target
+
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=oneshot
+ RemainAfterExit=yes
+ User=@CRON_OWNER@
diff --git a/sysstat.changes b/sysstat.changes
index 6a88235..0807c04 100644
--- a/sysstat.changes
+++ b/sysstat.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Nov 24 12:33:59 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_sysstat.service.patch
+
 -------------------------------------------------------------------
 Sun Oct 3 15:11:09 UTC 2021 - Christian Boltz
diff --git a/sysstat.spec b/sysstat.spec
index 725f109..bddbaff 100644
--- a/sysstat.spec
+++ b/sysstat.spec
@@ -33,6 +33,7 @@ Patch0: sysstat-8.1.6-sa1sa2lock.diff
 Patch2: sysstat-8.0.4-pagesize.diff
 # PATCH-FIX-OPENSUSE bsc#1151453
 Patch3: sysstat-service.patch
+Patch4: harden_sysstat.service.patch
 BuildRequires: findutils
 BuildRequires: gettext-runtime
 BuildRequires: pkgconfig
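Review bot: In harden_sysstat.service.patch the added block uses `ProtectSystem=full`, which makes `/usr`, the boot loader directories and `/etc` read-only but leaves `/var` and the rest of the file system writable to a unit whose only job is to reset the activity logs. `ProtectSystem=strict` combined with `ReadWritePaths=<sa data directory>` (placeholder, the real path is not visible here) would confine writes to that one location, provided a test confirms the boot-time reset writes nowhere else. The effective user is the build-time substitution `User=@CRON_OWNER@`; if that resolves to root, these Protect* settings are the only confinement, so an explicit `NoNewPrivileges=true` inside the marked block would be worth adding. The `[Service]` section continues outside the inner patch's context.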
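Review bot: In sysstat.spec the new `Patch4:` line has no patch-tag comment, whereas the entry directly above it is introduced by `# PATCH-FIX-OPENSUSE bsc#1151453`. Adding `# PATCH-FIX-OPENSUSE bsc#1181400 - systemd hardening for sysstat.service` above `Patch4: harden_sysstat.service.patch` keeps the origin and bug reference of the hardening visible in the spec itself, not only in sysstat.changes. The patch list starts outside this hunk, so the convention is inferred from the one tagged entry shown.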
@@ -75,6 +76,7 @@ from a sysstat package.
 cp %{SOURCE1} .
 # remove date and time from objects
 find ./ -name \*.c -exec sed -i -e 's: " compiled " __DATE__ " " __TIME__::g' {} \;
+%patch4 -p1
 %build
 export conf_dir="%{_sysconfdir}/sysstat"
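Review bot: `%patch4 -p1` is applied after the `find … sed` cleanup step rather than next to the other patch applications, which are not visible in this hunk. If `sysstat-service.patch` (Patch3) also edits `sysstat.service.in`, the hardening patch's offsets (`@@ -10,6 +10,17 @@`) only match when it runs after Patch3. In that case the ordering deserves a one-line comment such as `# apply after patch3, same target file`, or the line should move directly below the other `%patch` calls. The %prep section starts outside the hunk.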