diff options
| author | nico <nico@magicbroccoli.de> | 2020-06-10 12:00:12 +0200 |
|---|---|---|
| committer | nico <nico@magicbroccoli.de> | 2020-06-10 12:00:12 +0200 |
| commit | a6d1ae443e4e613008b2b349bdbb49591cbc1626 (patch) | |
| tree | e198b295c05111ab08153c70d29c2f5e230e98bd | |
| parent | 6c08f4bb647680460191f650860900c9831173bf (diff) | |
systemd service hardening
+ add systemd protective features to restrict the system access
+ add service documentation link
+ add service required / after fields
| -rw-r--r-- | contrib/init/linux-systemd/ejabberd-cleanup.service | 9 | ||||
| -rw-r--r-- | contrib/init/linux-systemd/ejabberd-exporter.service | 10 | ||||
| -rw-r--r-- | contrib/init/linux-systemd/ejabberd-influxdb.service | 10 |
3 files changed, 29 insertions, 0 deletions
diff --git a/contrib/init/linux-systemd/ejabberd-cleanup.service b/contrib/init/linux-systemd/ejabberd-cleanup.service index 4bea474..ea608d5 100644 --- a/contrib/init/linux-systemd/ejabberd-cleanup.service +++ b/contrib/init/linux-systemd/ejabberd-cleanup.service @@ -1,5 +1,7 @@ [Unit] Description=Clean up ejabberd +Documentation=https://dev.sum7.eu/sum7/ejabberd-tools/-/blob/master/README.md +Requires=ejabberd.service [Service] Type=oneshot @@ -8,6 +10,13 @@ Group=nobody Environment="PATH=/opt/ejabberd-tools/venv/bin:/usr/local/bin:/usr/bin:/bin" ExecStart=/opt/ejabberd-tools/cleanup.py WorkingDirectory=/opt/ejabberd-tools/ +PrivateDevices=true +ProtectControlGroups=true +ProtectHome=true +ProtectKernelTunables=true +ProtectKernelModules=yes +ProtectSystem=full +NoNewPrivileges=yes [Install] WantedBy=multi-user.target diff --git a/contrib/init/linux-systemd/ejabberd-exporter.service b/contrib/init/linux-systemd/ejabberd-exporter.service index 1c0d9e0..1aa06cd 100644 --- a/contrib/init/linux-systemd/ejabberd-exporter.service +++ b/contrib/init/linux-systemd/ejabberd-exporter.service @@ -1,5 +1,8 @@ [Unit] Description=ejabberd prometheus exporter +Documentation=https://dev.sum7.eu/sum7/ejabberd-tools/-/blob/master/README.md +After=prometheus.service +Requires=ejabberd.service prometheus.service [Service] Type=simple @@ -8,6 +11,13 @@ Group=nobody Environment="PATH=/opt/ejabberd-tools/venv/bin:/usr/local/bin:/usr/bin:/bin" ExecStart=/opt/ejabberd-tools/prometheus.py WorkingDirectory=/opt/ejabberd-tools/ +PrivateDevices=true +ProtectControlGroups=true +ProtectHome=true +ProtectKernelTunables=true +ProtectKernelModules=yes +ProtectSystem=full +NoNewPrivileges=yes Restart=always RestartSec=5s diff --git a/contrib/init/linux-systemd/ejabberd-influxdb.service b/contrib/init/linux-systemd/ejabberd-influxdb.service index 364b574..6b711b6 100644 --- a/contrib/init/linux-systemd/ejabberd-influxdb.service +++ b/contrib/init/linux-systemd/ejabberd-influxdb.service @@ -1,5 +1,8 @@ [Unit] Description=ejabberd influxdb exporter +Documentation=https://dev.sum7.eu/sum7/ejabberd-tools/-/blob/master/README.md +After=influxdb.service +Requires=ejabberd.service influxdb.service [Service] Type=simple @@ -8,6 +11,13 @@ Group=nogroup Environment="PATH=/opt/ejabberd-tools/venv/bin:/usr/local/bin:/usr/bin:/bin" ExecStart=/opt/ejabberd-tools/influx.py WorkingDirectory=/opt/ejabberd-tools/ +PrivateDevices=true +ProtectControlGroups=true +ProtectHome=true +ProtectKernelTunables=true +ProtectKernelModules=yes +ProtectSystem=full +NoNewPrivileges=yes Restart=always RestartSec=5s |