rpm/fail2ban
SHA256
1
0
Fork 0
forked from pool/fail2ban
Code Pull Requests Activity

Accepting request 918942 from home:jsegitz:branches:systemdhardening:security

Browse Source 
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/918942
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=107
This commit is contained in:
Marcus Meissner 2021-09-21 08:14:01 +00:00 committed by Git OBS Bridge
parent 861f18c31d
commit c92a861e40
3 changed files with 31 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
fail2ban.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Tue Sep 14 07:47:32 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
* harden_fail2ban.service.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Aug 24 13:40:32 UTC 2021 - Johannes Weberhofer <jweberhofer@weberhofer.at> Tue Aug 24 13:40:32 UTC 2021 - Johannes Weberhofer <jweberhofer@weberhofer.at>

2
fail2ban.spec
View File

@ -51,6 +51,7 @@ Patch201: %{name}-0.10.4-env-script-interpreter.patch
Patch300: fail2ban-opensuse-service-sfw.patch Patch300: fail2ban-opensuse-service-sfw.patch
# PATCH-FIX-UPSTREAM fail2ban-0.11.2-upstream-patch-for-CVE-2021-32749.patch jweberhofer@weberhofer.at -- fixes CVE-2021-32749 # PATCH-FIX-UPSTREAM fail2ban-0.11.2-upstream-patch-for-CVE-2021-32749.patch jweberhofer@weberhofer.at -- fixes CVE-2021-32749
Patch400: fail2ban-0.11.2-upstream-patch-for-CVE-2021-32749.patch Patch400: fail2ban-0.11.2-upstream-patch-for-CVE-2021-32749.patch
Patch401: harden_fail2ban.service.patch
BuildRequires: fdupes BuildRequires: fdupes
BuildRequires: logrotate BuildRequires: logrotate
@ -137,6 +138,7 @@ sed -i -e 's/^before = paths-.*/before = paths-opensuse.conf/' config/jail.conf
%patch300 -p1 %patch300 -p1
%endif %endif
%patch400 -p1 %patch400 -p1
%patch401 -p1
rm config/paths-arch.conf \ rm config/paths-arch.conf \
config/paths-debian.conf \ config/paths-debian.conf \

23
harden_fail2ban.service.patch Normal file
View File

@ -0,0 +1,23 @@
Index: fail2ban-0.11.2/files/fail2ban.service.in
===================================================================
--- fail2ban-0.11.2.orig/files/fail2ban.service.in
+++ fail2ban-0.11.2/files/fail2ban.service.in
@@ -5,6 +5,18 @@ After=network.target iptables.service fi
PartOf=firewalld.service ipset.service nftables.service
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=simple
EnvironmentFile=-/etc/sysconfig/fail2ban
Environment="PYTHONNOUSERSITE=1"