mustard/ansible-playbooks
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fixing up roles

Browse source
This commit is contained in:
mustard 2025-03-04 00:28:10 +01:00
parent 9975b95880
commit 4de7935469
78 changed files with 514 additions and 155 deletions
Download patch file Download diff file Expand all files Collapse all files

28
roles/baseline/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf Normal file
View file

@ -0,0 +1,28 @@
[Service]
# Hardening
CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
LockPersonality=true
MemoryDenyWriteExecute=true
#PrivateDevices=true #breaks tun usage
#ProtectProc=invisible
PrivateTmp=yes
ProtectClock=true
ProtectControlGroups=true
ProtectHome=read-only
ProtectKernelLogs=true
#ProtectKernelModules=true
#ProtectSystem=strict
#ReadOnlyPaths=/etc/NetworkManager
ReadOnlyPaths=-/home
#ReadWritePaths=-/etc/NetworkManager/system-connections
ReadWritePaths=-/etc/sysconfig/network-scripts
ReadWritePaths=/var/lib/NetworkManager
ReadWritePaths=-/var/run/NetworkManager
ReadWritePaths=-/run/NetworkManager
RemoveIPC=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
UMask=0077