From: James Bunton
Date: Sat, 10 Aug 2019 23:07:05 +0000 (+1000)
Subject: systemd hardening
X-Git-Url: https://code.delx.au/monosys/commitdiff_plain/182aefdd27d680a9bfd999dfa45304a42f77b1f2
systemd hardening
---
diff --git a/etc/systemd/system/my-overrides/10-security.conf b/etc/systemd/system/my-overrides/10-security.conf
new file mode 100644
index 0000000..c8fe6e2
--- /dev/null
+++ b/etc/systemd/system/my-overrides/10-security.conf
@@ -0,0 +1,27 @@
+[Service]
+# Never accessible to any services
+InaccessiblePaths=/mnt
+
+# By default inaccessible, may be overriden with BindPaths/BindReadOnlyPaths
+TemporaryFileSystem=/home:ro
+
+NoNewPrivileges=yes
+
+MountFlags=private
+ProtectSystem=strict
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+PrivateTmp=yes
+PrivateDevices=yes
+
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictRealtime=yes
+RestrictNamespaces=yes
+MemoryDenyWriteExecute=yes
+RestrictSUIDSGID=yes
+
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
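Review bot: `CapabilityBoundingSet=~CAP_SYS_ADMIN` near the end of the hunk removes exactly one capability, so a root service under this baseline keeps every other capability (CAP_SYS_PTRACE, CAP_NET_ADMIN, CAP_DAC_OVERRIDE, …); an allow-list default, `CapabilityBoundingSet=` (empty), with the few units that genuinely need a capability adding it back in their own drop-in, should be the tighter starting point, since later non-`~` assignments are merged by OR. `TemporaryFileSystem=/home:ro` hides only `/home`, leaving `/root` and `/run/user` reachable; `ProtectHome=tmpfs` covers all three and still permits the `BindPaths=`/`BindReadOnlyPaths=` exceptions the comment describes. `MemoryDenyWriteExecute=yes` is a good default but will stop units that run a JIT-based runtime, so expect per-unit overrides there rather than loosening the baseline. The comment above `TemporaryFileSystem=` misspells `overriden` (should be `overridden`). How this `my-overrides` directory is wired into unit loading is not visible in the commit, so whether these settings reach every service or only selected ones cannot be confirmed from the hunk.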