systemd hardening
authorJames Bunton <jamesbunton@delx.net.au>
Sat, 10 Aug 2019 23:07:05 +0000 (09:07 +1000)
committerJames Bunton <jamesbunton@delx.net.au>
Sat, 10 Aug 2019 23:07:05 +0000 (09:07 +1000)
etc/systemd/system/my-overrides/10-security.conf [new file with mode: 0644]

diff --git a/etc/systemd/system/my-overrides/10-security.conf b/etc/systemd/system/my-overrides/10-security.conf
new file mode 100644 (file)
index 0000000..c8fe6e2
--- /dev/null
@@ -0,0 +1,27 @@
+[Service]
+# Never accessible to any services
+InaccessiblePaths=/mnt
+
+# By default inaccessible, may be overriden with BindPaths/BindReadOnlyPaths
+TemporaryFileSystem=/home:ro
+
+NoNewPrivileges=yes
+
+MountFlags=private
+ProtectSystem=strict
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+PrivateTmp=yes
+PrivateDevices=yes
+
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictRealtime=yes
+RestrictNamespaces=yes
+MemoryDenyWriteExecute=yes
+RestrictSUIDSGID=yes
+
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
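Review bot: `CapabilityBoundingSet=~CAP_SYS_ADMIN` is the one deny-list entry in an otherwise allow-list profile, so a service still started as root keeps CAP_SYS_PTRACE, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_SYS_RAWIO, CAP_NET_ADMIN and the rest, several of which are root-equivalent on their own; a shared baseline gains more from `CapabilityBoundingSet=` (empty) with each unit's own drop-in adding back only the capabilities it actually needs. If the target systemd is v235 or newer, `LockPersonality=yes` belongs next to `RestrictRealtime=yes`. Two settings here fail specific workloads without an obvious error: `MemoryDenyWriteExecute=yes` stops JIT runtimes from mapping writable-executable memory, and `SystemCallErrorNumber=EPERM` makes every syscall outside `@system-service` return an error rather than kill the process, so a short header comment naming those two and the units expected to override them would save debugging time. The directory `my-overrides/` is not one systemd reads by itself, so presumably these lines reach units through symlinks from `<unit>.service.d/`; stating that in the same header comment would make the file self-explanatory.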