From 1d79aa82f6d47ff1cf15603d62f803cca6d490f7d1558f5da2fe4dcfea75c992 Mon Sep 17 00:00:00 2001
From: Lars Vogdt
Date: Fri, 29 Oct 2021 13:55:01 +0000
Subject: [PATCH] Accepting request 923726 from home:jsegitz:branches:systemdhardening:server:monitoring

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/923726
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/munin?expand=0&rev=69
---
 munin-cgi-graph.service | 13 +++++++++++++
 munin-cgi-html.service | 13 +++++++++++++
 munin-cron.service | 13 +++++++++++++
 munin-node.service | 13 +++++++++++++
 munin.changes | 9 +++++++++
 5 files changed, 61 insertions(+)

diff --git a/munin-cgi-graph.service b/munin-cgi-graph.service
index 962f17c..0b6c41a 100644
--- a/munin-cgi-graph.service
+++ b/munin-cgi-graph.service
@@ -3,6 +3,19 @@ Description=Munin CGI Graph generator
 Requires=network.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 ExecStart=/usr/bin/spawn-fcgi -s /var/run/munin/munin-cgi-graph.sock -P /var/run/munin/munin-cgi-graph.pid -u munin -g munin -M 0770 -U munin -G www /srv/www/cgi-bin/munin-cgi-graph
 PIDFile=/var/run/munin/munin-cgi-graph.pid
diff --git a/munin-cgi-html.service b/munin-cgi-html.service
index 359455f..acc15da 100644
--- a/munin-cgi-html.service
+++ b/munin-cgi-html.service
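Review bot: The hardening block leaves out the one directive that matters most for this unit, `NoNewPrivileges=true`: the ExecStart line starts spawn-fcgi as root and only drops to `-u munin -g munin` itself, and because the unit sets no `User=`, none of the added Protect*/Private* options imply NoNewPrivileges here, so a compromised FastCGI worker (a web-reachable Perl CGI behind the socket) can still regain privileges through setuid/setgid binaries or file capabilities. Adding it is safe for spawn-fcgi, since NoNewPrivileges blocks privilege gain on execve but not the setuid()/setgid() drop the process performs. A follow-up worth testing is `CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_CHOWN`, assuming the uid/gid switch and the `-U munin -G www` socket ownership are the only root operations spawn-fcgi performs (verify on a real run, which the commit message says has not happened). `ProtectHome=true` also assumes the munin account's home directory is not under /home or /root; confirm against the package's user creation.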
@@ -3,6 +3,19 @@ Description=Munin CGI HTML generator
 Requires=network.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 ExecStart=/usr/bin/spawn-fcgi -s /var/run/munin/munin-cgi-html.sock -P /var/run/munin/munin-cgi-html.pid -u munin -g munin -M 0770 -U munin -G www /srv/www/cgi-bin/munin-cgi-html
 PIDFile=/var/run/munin/munin-cgi-html.pid
diff --git a/munin-cron.service b/munin-cron.service
index ee19547..bce0bd6 100644
--- a/munin-cron.service
+++ b/munin-cron.service
@@ -3,6 +3,19 @@ Description=Collect node data
 Documentation=man:munin-cron(8)
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=oneshot
 User=munin
 ExecStart=/usr/bin/munin-cron
diff --git a/munin-node.service b/munin-node.service
index ed49b44..1a0c33a 100644
--- a/munin-node.service
+++ b/munin-node.service
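Review bot: As with munin-cgi-graph, this unit starts spawn-fcgi as root with no `User=`, so the added options do not imply NoNewPrivileges and the web-facing FastCGI worker can still elevate through setuid/setgid binaries after the `-u munin -g munin` drop; `NoNewPrivileges=true` belongs in this block and does not interfere with spawn-fcgi's own setuid()/setgid(). Separately, `ProtectHostname=`, `ProtectKernelLogs=` and `ProtectClock=` only exist from systemd 242/244/245 and are ignored with a warning on older managers, so if this package is also built for a distribution shipping an older systemd (I believe Leap 15.2 does; verify), the hardening there is silently weaker than the unit suggests. A one-line comment in the block, e.g. `# ProtectHostname/ProtectKernelLogs/ProtectClock need systemd >= 245; ignored on older managers`, would keep that expectation visible to whoever tests this.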
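Review bot: Because this unit sets `User=munin`, NoNewPrivileges is already implied by the added Protect*/Private* options, so the remaining exposure of a compromised munin-cron is its filesystem and network view, which `ProtectSystem=full` barely narrows for an unprivileged process (it only makes /usr, /boot and /etc read-only; /var, /srv and /run stay writable). If the paths munin-cron writes are the packaged ones (/var/lib/munin, /var/log/munin, /var/run/munin and the configured htmldir — confirm from the shipped munin.conf), the meaningful step up is `ProtectSystem=strict`, `ReadWritePaths=/var/lib/munin /var/log/munin /var/run/munin` (plus the htmldir) and `PrivateTmp=true`. munin-update reaches nodes over TCP, so a RestrictAddressFamilies= limited to AF_UNIX/AF_INET/AF_INET6 should also be compatible, but the commit message says none of this has been run, so each of these needs one real cron cycle before landing.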
@@ -3,6 +3,19 @@ Description=Munin Node
 Requires=network.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 ExecStart=/usr/sbin/munin-node
 ExecStartPre=/usr/bin/mkdir -p /var/run/munin/
diff --git a/munin.changes b/munin.changes
index 29e3b24..ef60d65 100644
--- a/munin.changes
+++ b/munin.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Thu Oct 7 10:26:31 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+  * munin-cgi-graph.service
+  * munin-cgi-html.service
+  * munin-cron.service
+  * munin-node.service
+
 -------------------------------------------------------------------
 Fri Mar 5 09:49:51 UTC 2021 - Thorsten Kukuk
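Review bot: `PrivateDevices=true` is the one directive in this block likely to regress munin-node rather than harden it: it replaces /dev with a private instance holding only API pseudo-devices, while munin-node runs as root (no `User=` here) precisely so that plugins can read real hardware — stock plugins such as smart_, hddtemp_smartctl or ipmi_ open /dev/sd*, /dev/nvme* or /dev/ipmi0 and would fail with nothing more visible than a missing graph (which plugins are enabled on a given host is of course site-specific). `DeviceAllow=` does not help with PrivateDevices because the nodes are simply absent from the private /dev, so for this unit I would drop that line and record why, e.g. `# PrivateDevices= deliberately not set: hardware plugins (smart_, hddtemp_*, ipmi_, ...) need real device nodes`; `ProtectKernelLogs=true` similarly hides /dev/kmsg and /proc/kmsg from any plugin that reads them, which is rarer but worth the same note. The rest of the block (read-only /usr, /etc, /proc/sys, /sys, cgroups) should be compatible with plugins that only read, and none of the added options restrict sockets, so the TCP listener for the master is unaffected; the commit message says this has not been tested, and this is the unit where that test matters most.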