From c73aa08cf616a089116b86ebfd1c4db42b1afe851ad8e9aac9c26efbbf644dc5 Mon Sep 17 00:00:00 2001
From: Marcus Meissner
Date: Mon, 16 Aug 2021 13:21:35 +0000
Subject: [PATCH] Accepting request 911450 from home:jsegitz:branches:systemdhardening:security

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/911450
OBS-URL: https://build.opensuse.org/package/show/security/argus?expand=0&rev=29
---
 argus.changes | 8 ++++++++
 argus.service | 13 +++++++++++++
 argus.spec | 2 ++
 harden_argus.service.patch | 24 ++++++++++++++++++++++++
 4 files changed, 47 insertions(+)
 create mode 100644 harden_argus.service.patch
diff --git a/argus.changes b/argus.changes
index c4c49ef..09819ca 100644
--- a/argus.changes
+++ b/argus.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Aug 10 11:50:18 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s). Added patch(es):
+ * harden_argus.service.patch
+ Modified:
+ * argus.service
+
 -------------------------------------------------------------------
 Thu Jun 3 16:02:21 UTC 2021 - Ferdinand Thiessen
diff --git a/argus.service b/argus.service
index 2c15453..bfd4135 100644
--- a/argus.service
+++ b/argus.service
@@ -3,6 +3,19 @@ Description=Argus generates network transaction audit records
 After=syslog.target network.target
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 PIDFile=/var/run/argus.pid
 ExecStart=/usr/sbin/argus -d 
diff --git a/argus.spec b/argus.spec
index 7d121d1..8ea6e19 100644
--- a/argus.spec
+++ b/argus.spec
@@ -28,6 +28,7 @@ Source3: README.SUSE
 Source4: argus_linux.8.gz
 Source5: argus.service
 Patch1: %{name}-3.0.6.1-libpcap.patch
+Patch2: harden_argus.service.patch
 BuildRequires: bison
 BuildRequires: flex
 BuildRequires: libnsl-devel
@@ -56,6 +57,7 @@ Daemon for Argus network monitoring tool.
 %patch1 -p1
 cp %{SOURCE3} .
 cp %{SOURCE4} man/man8/
+%patch2 -p1
 %build
 #autoreconf -fiv
diff --git a/harden_argus.service.patch b/harden_argus.service.patch
new file mode 100644
index 0000000..5ffc13e
--- /dev/null
+++ b/harden_argus.service.patch
@@ -0,0 +1,24 @@
+Index: argus-3.0.8.3/support/Startup/argus.service
+===================================================================
+--- argus-3.0.8.3.orig/support/Startup/argus.service
++++ argus-3.0.8.3/support/Startup/argus.service
+@@ -12,6 +12,19 @@ After=network.target
+ # This was tested on Fedora 16
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ ExecStartPre=/sbin/ifconfig em2 up
+ ExecStart=/usr/local/sbin/argus
+
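Review bot: The hardening block inserted into `support/Startup/argus.service` (and, with the same directive list, into the packaged `argus.service` in the earlier hunk of this commit, whose tail is cut off in this view) never restricts capabilities, so argus still starts with the full root capability set even though libpcap capture needs CAP_NET_RAW and the `ExecStartPre=/sbin/ifconfig em2 up` line needs CAP_NET_ADMIN; the natural follow-up is a `CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN` line, but because the commit message says the change was not tested it should be added only after a start-up run confirms argus needs nothing further (its pid file under /var/run and any listening socket it opens may require more). `PrivateDevices=true` deserves the same test: it is harmless for AF_PACKET capture through libpcap, but it hides any capture source configured as a device node under /dev and would make the service fail at start. Both unit copies now carry identical directives; whichever one the spec installs, the other should be kept in sync so the hardening that is actually shipped matches what the changelog describes.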