diff --git a/munin-cgi-graph.service b/munin-cgi-graph.service
index 962f17c..0b6c41a 100644
--- a/munin-cgi-graph.service
+++ b/munin-cgi-graph.service
@@ -3,6 +3,19 @@ Description=Munin CGI Graph generator
 Requires=network.target
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 ExecStart=/usr/bin/spawn-fcgi -s /var/run/munin/munin-cgi-graph.sock -P /var/run/munin/munin-cgi-graph.pid -u munin -g munin -M 0770 -U munin -G www /srv/www/cgi-bin/munin-cgi-graph
 PIDFile=/var/run/munin/munin-cgi-graph.pid
diff --git a/munin-cgi-html.service b/munin-cgi-html.service
index 359455f..acc15da 100644
--- a/munin-cgi-html.service
+++ b/munin-cgi-html.service
@@ -3,6 +3,19 @@ Description=Munin CGI HTML generator
 Requires=network.target
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 ExecStart=/usr/bin/spawn-fcgi -s /var/run/munin/munin-cgi-html.sock -P /var/run/munin/munin-cgi-html.pid -u munin -g munin -M 0770 -U munin -G www /srv/www/cgi-bin/munin-cgi-html
 PIDFile=/var/run/munin/munin-cgi-html.pid
diff --git a/munin-cron.service b/munin-cron.service
index ee19547..bce0bd6 100644
--- a/munin-cron.service
+++ b/munin-cron.service
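Review bot: `ProtectSystem=full` in munin-cgi-graph.service (and identically in munin-cgi-html.service) only makes /usr, /boot, /efi and /etc read-only, so the two units that sit behind the web server can still write anywhere else their user is permitted to. These services parse request-derived input, so they are the ones where `ProtectSystem=strict` with an explicit `ReadWritePaths=/run/munin <graph-cache-dir> <log-dir>` would pay off most; the cache and log locations are not visible in the hunk and need confirming first. `NoNewPrivileges=true` is also worth testing here, since the `-u munin -g munin` drop done by spawn-fcgi does not depend on setuid binaries, though anything the CGI itself executes would need checking.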
@@ -3,6 +3,19 @@ Description=Collect node data
 Documentation=man:munin-cron(8)
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=oneshot
 User=munin
 ExecStart=/usr/bin/munin-cron
diff --git a/munin-node.service b/munin-node.service
index ed49b44..1a0c33a 100644
--- a/munin-node.service
+++ b/munin-node.service
@@ -3,6 +3,19 @@ Description=Munin Node
 Requires=network.target
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 ExecStart=/usr/sbin/munin-node
 ExecStartPre=/usr/bin/mkdir -p /var/run/munin/
diff --git a/munin.changes b/munin.changes
index 29e3b24..ef60d65 100644
--- a/munin.changes
+++ b/munin.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Thu Oct 7 10:26:31 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+ * munin-cgi-graph.service
+ * munin-cgi-html.service
+ * munin-cron.service
+ * munin-node.service
+
 -------------------------------------------------------------------
 Fri Mar 5 09:49:51 UTC 2021 - Thorsten Kukuk
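Review bot: Because munin-cron.service already sets `User=munin`, the added options imply `NoNewPrivileges=yes`, and the comment block says nothing about it. systemd.exec(5) documents this for `PrivateDevices=`, `ProtectKernelTunables=`, `RestrictRealtime=` and several others when a service runs without CAP_SYS_ADMIN. If the alerting step run from munin-cron hands notifications to a setuid or setgid mail helper, that helper would no longer gain its privileges and alerts could be lost quietly; whether such a contact is configured is not visible here. I would add a comment such as `# User= plus the options below imply NoNewPrivileges=yes; alert contact commands cannot rely on setuid/setgid helpers` and test alert delivery with the hardened unit.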
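Review bot: `PrivateDevices=true` and `ProtectHome=true` in munin-node.service can blind plugins rather than make them fail loudly, which turns hardening into a monitoring gap. The first gives the service a minimal /dev without physical device nodes, and the second makes /home, /root and /run/user inaccessible, so plugins that query disks or other hardware, or that report on file systems below /home, may return empty or misleading values. Which plugins are enabled is not visible in this hunk, so this needs checking against the shipped plugin set. At minimum I would add a comment next to the block, for example `# plugins needing device nodes or /home: relax PrivateDevices=/ProtectHome= in a drop-in (systemctl edit munin-node.service)`.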