Package: ntpsec
Version: 1.1.3+dfsg1-2
Severity: wishlist
Tags: patch
Hello!
systemd includes a huge amount of security features, which are off by default.
"systemd-analyze security" tells you about many of them.
I thought "let's try to fix this!" and used
debian/ntpsec.ntpsec-rotate-stats.service as a test case.
You can drop these lines (below) into debian/ntpsec.ntpsec-rotate-stats.service
and that unit will be more secure, AND still work, yay!
I realize locking down JUST this single shell script isn't very useful,
this is (hopefully) just the first step in "lock down all the things in all the
units".
[Service]
PrivateNetwork=yes
User=ntpsec
PrivateUsers=yes
PrivateNetwork=yes
CapabilityBoundingSet=
RestrictAddressFamilies=AF_UNIX
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
ReadWritePaths=-/var/log/ntpsec/
WorkingDirectory=/var/log/ntpsec
IPAddressDeny=any
SystemCallArchitectures=native
RestrictNamespaces=yes
NoNewPrivileges=yes
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
RestrictRealtime=yes
LockPersonality=yes
RemoveIPC=yes
MemoryDenyWriteExecute=yes
## Not set because we *WANT* /var/log/ntpsec/temps.YYYY-MM-DD.gz to be
world-readable.
#Umask=