forked from pool/fail2ban
Accepting request 918942 from home:jsegitz:branches:systemdhardening:security
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/918942 OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=107
This commit is contained in:
parent
861f18c31d
commit
c92a861e40
@ -1,3 +1,9 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Sep 14 07:47:32 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
|
||||||
|
|
||||||
|
- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
|
||||||
|
* harden_fail2ban.service.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Aug 24 13:40:32 UTC 2021 - Johannes Weberhofer <jweberhofer@weberhofer.at>
|
Tue Aug 24 13:40:32 UTC 2021 - Johannes Weberhofer <jweberhofer@weberhofer.at>
|
||||||
|
|
||||||
|
@ -51,6 +51,7 @@ Patch201: %{name}-0.10.4-env-script-interpreter.patch
|
|||||||
Patch300: fail2ban-opensuse-service-sfw.patch
|
Patch300: fail2ban-opensuse-service-sfw.patch
|
||||||
# PATCH-FIX-UPSTREAM fail2ban-0.11.2-upstream-patch-for-CVE-2021-32749.patch jweberhofer@weberhofer.at -- fixes CVE-2021-32749
|
# PATCH-FIX-UPSTREAM fail2ban-0.11.2-upstream-patch-for-CVE-2021-32749.patch jweberhofer@weberhofer.at -- fixes CVE-2021-32749
|
||||||
Patch400: fail2ban-0.11.2-upstream-patch-for-CVE-2021-32749.patch
|
Patch400: fail2ban-0.11.2-upstream-patch-for-CVE-2021-32749.patch
|
||||||
|
Patch401: harden_fail2ban.service.patch
|
||||||
|
|
||||||
BuildRequires: fdupes
|
BuildRequires: fdupes
|
||||||
BuildRequires: logrotate
|
BuildRequires: logrotate
|
||||||
@ -137,6 +138,7 @@ sed -i -e 's/^before = paths-.*/before = paths-opensuse.conf/' config/jail.conf
|
|||||||
%patch300 -p1
|
%patch300 -p1
|
||||||
%endif
|
%endif
|
||||||
%patch400 -p1
|
%patch400 -p1
|
||||||
|
%patch401 -p1
|
||||||
|
|
||||||
rm config/paths-arch.conf \
|
rm config/paths-arch.conf \
|
||||||
config/paths-debian.conf \
|
config/paths-debian.conf \
|
||||||
|
23
harden_fail2ban.service.patch
Normal file
23
harden_fail2ban.service.patch
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
Index: fail2ban-0.11.2/files/fail2ban.service.in
|
||||||
|
===================================================================
|
||||||
|
--- fail2ban-0.11.2.orig/files/fail2ban.service.in
|
||||||
|
+++ fail2ban-0.11.2/files/fail2ban.service.in
|
||||||
|
@@ -5,6 +5,18 @@ After=network.target iptables.service fi
|
||||||
|
PartOf=firewalld.service ipset.service nftables.service
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
+# added automatically, for details please see
|
||||||
|
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
||||||
|
+ProtectSystem=full
|
||||||
|
+ProtectHome=true
|
||||||
|
+PrivateDevices=true
|
||||||
|
+ProtectHostname=true
|
||||||
|
+ProtectClock=true
|
||||||
|
+ProtectKernelTunables=true
|
||||||
|
+ProtectKernelModules=true
|
||||||
|
+ProtectControlGroups=true
|
||||||
|
+RestrictRealtime=true
|
||||||
|
+# end of automatic additions
|
||||||
|
Type=simple
|
||||||
|
EnvironmentFile=-/etc/sysconfig/fail2ban
|
||||||
|
Environment="PYTHONNOUSERSITE=1"
|
Loading…
Reference in New Issue
Block a user