systemd: Add systemd service settings for better security
This adds additional settings to improve the security of 'ddclient.service'. The settings are based on basic [systemd guidelines][1] and other security-related [guide][2] and [roadmap][3]. [1]: https://www.freedesktop.org/software/systemd/man/systemd.exec.html [2]: https://www.redhat.com/sysadmin/systemd-secure-services [3]: https://wiki.debian.org/ReleaseGoals/SystemdAnalyzeSecurity
This commit is contained in:
Indrajit Raychaudhuri
parent
87a919a715
commit
a624cb6c15
1 changed files with 26 additions and 0 deletions
|
|
@ -9,5 +9,31 @@ Environment=daemon_interval=5m
|
||||||
ExecStart=/usr/bin/ddclient --daemon ${daemon_interval} --foreground
|
ExecStart=/usr/bin/ddclient --daemon ${daemon_interval} --foreground
|
||||||
Restart=on-failure
|
Restart=on-failure
|
||||||
|
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
SystemCallFilter=@system-service
|
||||||
|
SystemCallFilter=~ @privileged @resources
|
||||||
|
|
||||||
|
CapabilityBoundingSet=
|
||||||
|
NoNewPrivileges=yes
|
||||||
|
|
||||||
|
ProtectControlGroups=yes
|
||||||
|
ProtectKernelTunables=yes
|
||||||
|
ProtectKernelModules=yes
|
||||||
|
ProtectKernelLogs=yes
|
||||||
|
ProtectProc=invisible
|
||||||
|
ProtectClock=yes
|
||||||
|
ProtectHostname=yes
|
||||||
|
|
||||||
|
ProtectSystem=yes
|
||||||
|
ProtectHome=yes
|
||||||
|
PrivateTmp=yes
|
||||||
|
PrivateDevices=yes
|
||||||
|
MemoryDenyWriteExecute=true
|
||||||
|
|
||||||
|
RestrictRealtime=yes
|
||||||
|
RestrictSUIDSGID=yes
|
||||||
|
RestrictNamespaces=yes
|
||||||
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue