Accepting request 911452 from home:jsegitz:branches:systemdhardening:security

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/911452
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=127

audit-secondary.spec

@@ -36,6 +36,7 @@ Patch3:         audit-allow-manual-stop.patch
 Patch4:         audit-ausearch-do-not-require-tclass.patch
 Patch5:         change-default-log_group.patch
 Patch6:         libev-werror.patch
+Patch7:         harden_auditd.service.patch
 BuildRequires:  audit-devel = %{version}
 BuildRequires:  autoconf >= 2.12
 BuildRequires:  gcc-c++
@@ -127,6 +128,7 @@ rm -rf audisp/plugins/prelude
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 
 %if %{without python2} && %{with python3}
 # Fix python env call in tests if we only have Python3.

harden_auditd.service.patch

@@ -0,0 +1,20 @@
+Index: audit-3.0.3/init.d/auditd.service
+===================================================================
+--- audit-3.0.3.orig/init.d/auditd.service
++++ audit-3.0.3/init.d/auditd.service
+@@ -35,6 +35,15 @@ ProtectControlGroups=true
+ ProtectKernelModules=true
+ ProtectHome=true
+ RestrictRealtime=true
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelLogs=true
++# end of automatic additions 
+ 
+ [Install]
+ WantedBy=multi-user.target