From 75f3e7d403b54e9158b5bd9fad683db401c56200 Mon Sep 17 00:00:00 2001
From: Fox in the shell
Date: Mon, 21 Sep 2015 18:27:32 +0200
Subject: [PATCH 1/4] systemd: Remove spurious overrides

---
systemd/system/sshd.service | 1 -
systemd/system/syslog.service | 1 -
2 files changed, 2 deletions(-)
delete mode 120000 systemd/system/sshd.service
delete mode 120000 systemd/system/syslog.service

diff --git a/systemd/system/sshd.service b/systemd/system/sshd.service
deleted file mode 120000
index 7504947..0000000
--- a/systemd/system/sshd.service
+++ /dev/null
@@ -1 +0,0 @@
-/lib/systemd/system/ssh.service
\ No newline at end of file
diff --git a/systemd/system/syslog.service b/systemd/system/syslog.service
deleted file mode 120000
index c3fe73f..0000000
--- a/systemd/system/syslog.service
+++ /dev/null
@@ -1 +0,0 @@
-/lib/systemd/system/rsyslog.service
\ No newline at end of file

From 62d8e78f39dce714bde53b60bd251225dfa107ea Mon Sep 17 00:00:00 2001
From: Fox in the shell
Date: Mon, 21 Sep 2015 19:17:28 +0200
Subject: [PATCH 2/4] systemd: Do not start mcstrans in multi-user

This seems to be a spurious service start
---
systemd/system/multi-user.target.wants/mcstrans.service | 1 -
1 file changed, 1 deletion(-)
delete mode 120000 systemd/system/multi-user.target.wants/mcstrans.service

diff --git a/systemd/system/multi-user.target.wants/mcstrans.service b/systemd/system/multi-user.target.wants/mcstrans.service
deleted file mode 120000
index ce08528..0000000
--- a/systemd/system/multi-user.target.wants/mcstrans.service
+++ /dev/null
@@ -1 +0,0 @@
-/lib/systemd/system/mcstrans.service
\ No newline at end of file

From 39a713bf5bcec549d648d74c1e558bdd1257ed5e Mon Sep 17 00:00:00 2001
From: Fox in the shell
Date: Mon, 21 Sep 2015 18:12:49 +0200
Subject: [PATCH 3/4] system.conf: Default security settings for services

---
systemd/system.conf.d/service-isolation.conf | 8 ++++++++
1 file changed, 8 insertions(+)
create mode 100644 systemd/system.conf.d/service-isolation.conf
diff --git a/systemd/system.conf.d/service-isolation.conf b/systemd/system.conf.d/service-isolation.conf
new file mode 100644
index 0000000..6edbad8
--- /dev/null
+++ b/systemd/system.conf.d/service-isolation.conf
@@ -0,0 +1,8 @@
+[Service]
+PrivateTmp=true # Poly-instantiates {/var,}/tmp per service
+PrivateDevices=true # Only exposes API pseudo-devices (/dev/null, zero, random)
+ProtectSystem=full # Makes /usr, /boot and /etc read-only
+ProtectHome=true # Prevents access to /home, /root and /run/user
+
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE
+NoNewPrivileges=true

From 9f5538c9798e322f24e679e66f169991fe7f7c42 Mon Sep 17 00:00:00 2001
From: Fox in the shell
Date: Mon, 21 Sep 2015 20:15:42 +0200
Subject: [PATCH 4/4] systemd: Override security measures for some services

---
systemd/system/auditd.service.d/override.conf | 3 +++
systemd/system/cron.service.d/override.conf | 2 ++
systemd/system/lm-sensors.service.d/override.conf | 2 ++
systemd/system/restorecond.service.d/override.conf | 4 ++++
systemd/system/ssh.service.d/override.conf | 3 +++
5 files changed, 14 insertions(+)
create mode 100644 systemd/system/auditd.service.d/override.conf
create mode 100644 systemd/system/cron.service.d/override.conf
create mode 100644 systemd/system/lm-sensors.service.d/override.conf
create mode 100644 systemd/system/restorecond.service.d/override.conf
create mode 100644 systemd/system/ssh.service.d/override.conf

diff --git a/systemd/system/auditd.service.d/override.conf b/systemd/system/auditd.service.d/override.conf
new file mode 100644
index 0000000..ad7372c
--- /dev/null
+++ b/systemd/system/auditd.service.d/override.conf
@@ -0,0 +1,3 @@
+[Service]
+CapabilityBoundingSet=
+NoNewPrivileges=false
diff --git a/systemd/system/cron.service.d/override.conf b/systemd/system/cron.service.d/override.conf
new file mode 100644
index 0000000..d1ce090
--- /dev/null
+++ b/systemd/system/cron.service.d/override.conf
@@ -0,0 +1,2 @@
+[Service]
+ProtectSystem=false
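Review bot: The trailing `# …` comments on the PrivateTmp=, PrivateDevices=, ProtectSystem= and ProtectHome= lines are part of the value as far as systemd's parser is concerned — comments are only recognised at the start of a line, not inline — so these four settings would be rejected as unparsable values and ignored, silently dropping the hardening they are meant to apply; each explanation should move onto its own `# …` line above the setting. The same inline-comment pattern appears in the restorecond override in patch 4/4 (`ProtectSystem=true # …`, `ProtectHome=false # …`) and should be fixed there too. Separately, as far as I know system.conf and its system.conf.d drop-ins only accept a [Manager] section, so a [Service] section here is likely reported as an unknown section and skipped rather than applied as a per-service default; worth confirming the intended mechanism against the target systemd version and checking the effective values with `systemctl show` on a unit after a daemon-reload, since a hardening drop-in that is never parsed gives a false sense of coverage.
```ini
[Service]
# Poly-instantiates {/var,}/tmp per service
PrivateTmp=true
# Only exposes API pseudo-devices (/dev/null, zero, random)
PrivateDevices=true
# Makes /usr, /boot and /etc read-only
ProtectSystem=full
# Prevents access to /home, /root and /run/user
ProtectHome=true
# … unchanged: CapabilityBoundingSet= and NoNewPrivileges= lines …
```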
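Review bot: `CapabilityBoundingSet=` with an empty value in this auditd override — and identically in the ssh and restorecond overrides of the same patch — depends on the meaning of an empty assignment, which has not been stable across systemd releases: older code treated it as resetting to the full capability set, while later systemd.exec(5) describes the empty string as resetting to the empty set and `~` alone as the reset-to-full form. If the empty-set reading applies on the target version, auditd and sshd would start with no capabilities at all and fail in non-obvious ways, so the intended form should be confirmed against that version's systemd.exec(5). Whichever form is used, a short comment line such as `# Undo the global CapabilityBoundingSet restriction for this service` would make the intent explicit, and re-adding only the capabilities the service actually needs would be narrower than a full reset, which also hands the long-running daemon back CAP_SYS_PTRACE and CAP_SYS_ADMIN.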
diff --git a/systemd/system/lm-sensors.service.d/override.conf b/systemd/system/lm-sensors.service.d/override.conf
new file mode 100644
index 0000000..225db39
--- /dev/null
+++ b/systemd/system/lm-sensors.service.d/override.conf
@@ -0,0 +1,2 @@
+[Service]
+PrivateDevices=false
diff --git a/systemd/system/restorecond.service.d/override.conf b/systemd/system/restorecond.service.d/override.conf
new file mode 100644
index 0000000..ea23c39
--- /dev/null
+++ b/systemd/system/restorecond.service.d/override.conf
@@ -0,0 +1,4 @@
+[Service]
+CapabilityBoundingSet=
+ProtectSystem=true # restorecond handles files in /etc
+ProtectHome=false # restorecond handles files in /root
diff --git a/systemd/system/ssh.service.d/override.conf b/systemd/system/ssh.service.d/override.conf
new file mode 100644
index 0000000..ad7372c
--- /dev/null
+++ b/systemd/system/ssh.service.d/override.conf
@@ -0,0 +1,3 @@
+[Service]
+CapabilityBoundingSet=
+NoNewPrivileges=false