harden some services
This commit is contained in:
parent
4dfee5afcc
commit
18b4351fa4
1 changed files with 31 additions and 0 deletions
|
@ -84,6 +84,37 @@ in
|
|||
"tipc"
|
||||
];
|
||||
|
||||
# harden some services
|
||||
systemd.services.systemd-rfkill = {
|
||||
serviceConfig = {
|
||||
ProtectSystem = "strict";
|
||||
ProtectHome = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectClock = true;
|
||||
ProtectProc = "invisible";
|
||||
ProcSubset = "pid";
|
||||
PrivateTmp = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
NoNewPrivileges = true;
|
||||
LockPersonality = true;
|
||||
RestrictRealtime = true;
|
||||
SystemCallArchitectures = "native";
|
||||
UMask = "0077";
|
||||
IPAddressDeny = "any";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.systemd-journald = {
|
||||
serviceConfig = {
|
||||
UMask = 0077;
|
||||
PrivateNetwork = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelModules = true;
|
||||
};
|
||||
};
|
||||
|
||||
# Use the systemd-boot EFI boot loader.
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
|
Loading…
Add table
Reference in a new issue