From 68ffb942c81ee9580cc5130eb2bfab24cca94b0695192cd89a6e239fb33888c9 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Wed, 1 Dec 2021 14:16:09 +0000
Subject: [PATCH] Accepting request 934999 from home:jsegitz:branches:systemdhardening:server:http

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/934999
OBS-URL: https://build.opensuse.org/package/show/server:http/varnish?expand=0&rev=108
---
 varnish.changes | 7 +++++++
 varnish.service | 13 +++++++++++++
 varnishlog.service | 13 +++++++++++++
 3 files changed, 33 insertions(+)

diff --git a/varnish.changes b/varnish.changes
index 7eae464..6f83ad3 100644
--- a/varnish.changes
+++ b/varnish.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Dec 1 10:27:19 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+ * varnish.service
+ * varnishlog.service
+
 -------------------------------------------------------------------
 Fri Aug 6 10:02:27 UTC 2021 - Jan Engelhardt
diff --git a/varnish.service b/varnish.service
index 8a4938a..2d82d08 100644
--- a/varnish.service
+++ b/varnish.service
@@ -3,6 +3,19 @@ Description=Varnish HTTP accelerator/reverse proxy
 After=network.target
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 EnvironmentFile=/etc/sysconfig/varnish
 PIDFile=/var/run/varnishd.pid
 ExecStart=/usr/sbin/varnishd -P /var/run/varnishd.pid -F $VARNISHD_PARAMS
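Review bot: The new `[Service]` directives in varnish.service (and the identical block in the varnishlog.service hunk) are committed untested, as the commit message itself states, and nothing in the hunk records what validation, if any, was done against the running daemon. `ProtectSystem=full` makes /usr, /boot and /etc read-only for the process while `PrivateDevices=true` and the `ProtectKernel*` options remove device access and kernel-tunable writes; the pid file at `/var/run/varnishd.pid` visible in the hunk lies outside the protected trees and varnishd's working state presumably does too, so startup should survive, but that needs confirming with a real start plus `systemd-analyze security varnish.service` before the package ships. I would extend the marker comment to record that check, e.g. `# verified with: systemctl restart varnish; systemd-analyze security varnish.service`, so the next hardening pass knows whether this block was actually exercised. The `[Service]` section continues past the end of the hunk (it is cut at `ExecStart=`), so any later directives that interact with these, such as user or capability settings, were not reviewed here.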
diff --git a/varnishlog.service b/varnishlog.service
index e7b236b..3bbcf00 100644
--- a/varnishlog.service
+++ b/varnishlog.service
@@ -4,6 +4,19 @@ Requires=varnish.service
 #After= is not required
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 EnvironmentFile=/etc/sysconfig/varnish
 PIDFile=/var/run/varnishlog.pid
 ExecStart=/usr/sbin/varnishncsa -P /var/run/varnishlog.pid $VARNISHLOG_PARAMS