
Accepting request 911452 from home:jsegitz:branches:systemdhardening:security

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/911452
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=127
Marcus Meissner 2021-08-16 13:21:17 +00:00 committed by Git OBS Bridge
parent d083951a31
commit 127262eccc
2 changed files with 22 additions and 0 deletions


@ -36,6 +36,7 @@ Patch3: audit-allow-manual-stop.patch
Patch4: audit-ausearch-do-not-require-tclass.patch
Patch5: change-default-log_group.patch
Patch6: libev-werror.patch
Patch7: harden_auditd.service.patch
BuildRequires: audit-devel = %{version}
BuildRequires: autoconf >= 2.12
BuildRequires: gcc-c++
@ -127,6 +128,7 @@ rm -rf audisp/plugins/prelude
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%if %{without python2} && %{with python3}
# Fix python env call in tests if we only have Python3.


@ -0,0 +1,20 @@
Index: audit-3.0.3/init.d/auditd.service
===================================================================
--- audit-3.0.3.orig/init.d/auditd.service
+++ audit-3.0.3/init.d/auditd.service
@@ -35,6 +35,15 @@ ProtectControlGroups=true
ProtectKernelModules=true
ProtectHome=true
RestrictRealtime=true
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+# end of automatic additions
[Install]
WantedBy=multi-user.target
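Review bot: `ProtectSystem=full` in the added block makes /etc read-only for every process this unit starts, and the commit message states the change has not been tested, so any step of the unit that rewrites files under /etc/audit (for example regenerating the rules file at start-up) would fail inside this sandbox. The unit's Exec lines are outside the hunk, so this is inferred and needs to be checked against the full auditd.service; if such a write exists, add `ReadWritePaths=/etc/audit` next to the new directives or move that step into a separate unit. For an audit daemon a failed rule load means events silently stop being recorded, so the change should be verified on a booted system with `systemctl status auditd` and `auditctl -l`, and the `# added automatically` comment should record that the directives were tested. The same restrictions are inherited by dispatcher plug-ins that auditd spawns, which `PrivateDevices=true` and `ProtectKernelLogs=true` may affect.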