Moving stuff to role
This commit is contained in:
mustard
parent
528bc75280
commit
b5779bc9e1
9 changed files with 294 additions and 0 deletions
|
|
@ -0,0 +1,28 @@
|
|||
[Service]
|
||||
# Hardening
|
||||
CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
|
||||
LockPersonality=true
|
||||
MemoryDenyWriteExecute=true
|
||||
#PrivateDevices=true #breaks tun usage
|
||||
#ProtectProc=invisible
|
||||
PrivateTmp=yes
|
||||
ProtectClock=true
|
||||
ProtectControlGroups=true
|
||||
ProtectHome=read-only
|
||||
ProtectKernelLogs=true
|
||||
#ProtectKernelModules=true
|
||||
#ProtectSystem=strict
|
||||
#ReadOnlyPaths=/etc/NetworkManager
|
||||
ReadOnlyPaths=-/home
|
||||
#ReadWritePaths=-/etc/NetworkManager/system-connections
|
||||
ReadWritePaths=-/etc/sysconfig/network-scripts
|
||||
ReadWritePaths=/var/lib/NetworkManager
|
||||
ReadWritePaths=-/var/run/NetworkManager
|
||||
ReadWritePaths=-/run/NetworkManager
|
||||
RemoveIPC=true
|
||||
RestrictNamespaces=true
|
||||
RestrictRealtime=true
|
||||
RestrictSUIDSGID=true
|
||||
SystemCallArchitectures=native
|
||||
SystemCallFilter=@system-service
|
||||
UMask=0077
|
||||
Loading…
Add table
Add a link
Reference in a new issue