Commit 6134cf9a authored by Jelle van der Waa's avatar Jelle van der Waa 🚧
Browse files

security_tracker: harden system service

Mount /usr, /etc read only, protect the /home, /tmp and kernel
directories. Also disallow privilige escalation.
parent 6560a2df
...@@ -8,5 +8,14 @@ Group=security ...@@ -8,5 +8,14 @@ Group=security
WorkingDirectory=/srv/http/security-tracker WorkingDirectory=/srv/http/security-tracker
ExecStart=/usr/bin/make update ExecStart=/usr/bin/make update
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment