trust-dns: apply some hardening (still need more)
This commit is contained in:
parent
384428756d
commit
8c4af55f82
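--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -132,8 +132,29 @@ in
 Type = "simple";
 Restart = "on-failure";
 RestartSec = "10s";
-# TODO: hardening (like, don't run as root!)
 # TODO: link to docs
+# TODO: hardening:
+# - User/DynamicUser
+# - Group
+# - CapabilityBoundingSet
+# - SystemCallFilter ?
+# - RestrictAddressFamilies
+# - LockPersonality ?
+# use `systemd-analyze security trust-dns`
+MemoryDenyWriteExecute = true;
+PrivateDevices = true;
+PrivateMounts = true;
+PrivateTmp = true;
+ProtectClock = true;
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelTunables = true;
+ProtectProc = "invisible";
+ProtectSystem = "full";
+RestrictSUIDSGID = true;
+SystemCallArchitectures = "native";
 };
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];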
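Review bot: The service still runs as root after this hunk — the commit's own TODO list puts User/DynamicUser first, and every directive added below it (MemoryDenyWriteExecute through SystemCallArchitectures) confines a root process rather than removing the privilege. If trust-dns only needs to bind port 53, `DynamicUser = true;` together with `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];` and `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];` lets it drop root while keeping the privileged bind; before switching, confirm which zone/state paths it writes and expose them via StateDirectory or ReadWritePaths, since ProtectSystem = "full" already makes most of the tree read-only. An explicit `NoNewPrivileges = true;`, plus RestrictNamespaces, RestrictRealtime and ProtectKernelModules, are cheap additions that `systemd-analyze security` will otherwise keep reporting. The attribute set these lines belong to (presumably the serviceConfig block) starts outside the hunk.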