Add SystemD hardening (#1720)

* Add SystemD hardening

Co-authored-by: abraunegg <alex.braunegg@gmail.com>
Enno G 2021-11-24 20:28:46 +01:00 committed by GitHub
parent df3d137772
commit 89d2085c69
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 22 additions and 0 deletions


@ -5,6 +5,17 @@ After=network-online.target
Wants=network-online.target
[Service]
# Commented out hardenings are disabled because they don't work out of the box.
# If you know what you are doing please try to enable them.
ProtectSystem=full
#PrivateDevices=true
ProtectHostname=true
#ProtectClock=true
ProtectKernelTunables=true
#ProtectKernelModules=true
#ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
ExecStart=@prefix@/bin/onedrive --monitor
Restart=on-failure
RestartSec=3
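Review bot: If this unit is started by the per-user service manager, the added `ProtectSystem=full` and the other `Protect*` lines may not be applied at all. The visible lines set no `User=`, which suggests a user unit, but the rest of the file is outside the hunk. systemd.exec documents that settings needing file-system namespacing are generally unavailable in user services unless combined with `PrivateUsers=true`. Confirm on a running instance with `systemd-analyze security <unit>` and record the result in the comment above the block, for example `# Verified effective with systemd <version> when run as <system|user> unit`. The comment should also say what failed for each commented-out option, so a later reader can tell a real incompatibility from an untested one.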


@ -5,6 +5,17 @@ After=network-online.target
Wants=network-online.target
[Service]
# Commented out hardenings are disabled because they don't work out of the box.
# If you know what you are doing please try to enable them.
ProtectSystem=full
#PrivateDevices=true
ProtectHostname=true
#ProtectClock=true
ProtectKernelTunables=true
#ProtectKernelModules=true
#ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
ExecStart=@prefix@/bin/onedrive --monitor --confdir=/home/%i/.config/onedrive
User=%i
Group=users
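Review bot: The added hardening block omits `NoNewPrivileges=true`, which would stop a network-facing sync client running as `User=%i` from gaining privileges through setuid or file-capability binaries. systemd may already imply it for some of these `Protect*` options when `User=` is set, but adding `NoNewPrivileges=true` after `RestrictRealtime=true` keeps the intent explicit and independent of that behaviour. `ProtectSystem=full` also leaves everything outside `/usr`, `/boot`, `/efi` and `/etc` writable to the service. The same eleven lines are duplicated in the first file, so any later change has to be made in both places.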