Merge pull request #26 from nbraud/haveged.service/security

haveged.service: Tighten-down security settings
author: jirka-h <hladky.jiri@gmail.com> 2020-05-11 16:04:30 +0200
committer: GitHub <noreply@github.com> 2020-05-11 16:04:30 +0200
commit: fb149442498b7a27c76174faa6df489121758369 (patch)
tree: ed3e36103292dcee30b6a155711be57f0490bafa
parent: Merge pull request #28 from johnou/patch-1 (diff)
parent: init.d/service.fedora: Add syscall filter for the service (diff)
download: haveged-fb149442498b7a27c76174faa6df489121758369.tar.xz
haveged-fb149442498b7a27c76174faa6df489121758369.zip
1 files changed, 15 insertions, 0 deletions
diff --git a/init.d/service.fedora b/init.d/service.fedora
index 5d6bdd3..4ca8128 100644
--- a/init.d/service.fedora
+++ b/init.d/service.fedora
@@ -9,10 +9,25 @@ Before=sysinit.target shutdown.target systemd-journald.service
 ExecStart=/usr/sbin/haveged -w 1024 -v 1 --Foreground
 Restart=always
 SuccessExitStatus=137 143
+
+SecureBits=noroot-locked
 CapabilityBoundingSet=CAP_SYS_ADMIN
+PrivateTmp=true
 PrivateDevices=true
 PrivateNetwork=true
 ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+RestrictNamespaces=true
+RestrictRealtime=true
+
+LockPersonality=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+SystemCallFilter=@basic-io @file-system @io-event @network-io @signal
+SystemCallFilter=arch_prctl brk ioctl mprotect sysinfo
 
 [Install]
 WantedBy=sysinit.target
author	jirka-h <hladky.jiri@gmail.com>	2020-05-11 16:04:30 +0200
committer	GitHub <noreply@github.com>	2020-05-11 16:04:30 +0200
commit	fb149442498b7a27c76174faa6df489121758369 (patch)
tree	ed3e36103292dcee30b6a155711be57f0490bafa
parent	Merge pull request #28 from johnou/patch-1 (diff)
parent	init.d/service.fedora: Add syscall filter for the service (diff)
download	haveged-fb149442498b7a27c76174faa6df489121758369.tar.xz haveged-fb149442498b7a27c76174faa6df489121758369.zip