Clément Michaud clems4ever

## systemd_service_hardening.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                clems4ever
                / systemd_service_hardening.md
            
            
              Created
              September 20, 2022 21:18
                — forked from ageis/systemd_service_hardening.md
            
              
                Options for hardening systemd service units
              
          
    security and hardening options for systemd service units

A common and reliable pattern in service unit files is thus:
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
DevicePolicy=closed
ProtectSystem=strict


## package-lock authelia
{
  "name": "authelia",
  "version": "3.7.1",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
    "@sinonjs/formatio": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/@sinonjs/formatio/-/formatio-2.0.0.tgz",
      "integrity": "sha512-ls6CAMA6/5gG+O/IdsBcblvnd8qcO/l1TYoNeAzp3wcISOxlPXQEus0mLcdwazEkWjaBdaJ3TaxmNgCLWwvWzg==",

## app.py
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
import os

class MyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.end_headers()
        self.wfile.write('<html><head><title>Hello Criteo</title></head><body><h1>Hello Criteo!</h1></body></html>')
    def log_message(self, format, *args):

## custom-chain-enforcement.service
[Unit]
Description=Public filter enforcement Service

[Service]
Type=simple
ExecStart=/home/user/custom-chain-enforcement.sh
KillMode=mixed

TimeoutStartSec=0
RestartSec=0

## ansible-docker-network.yml
---
- name: Check if network {{ name }} exists
  delegate_to: "{{ groups['docker_swarm_issuer'][0] }}"
  run_once: true
  command: docker network ls -q --filter name=^{{ name }}$
  register: network_exists
  changed_when: false

- name: Create network {{ name }}
  command: docker network create --driver {{ driver }} {{ name }}
	{
	"name": "authelia",
	"version": "3.7.1",
	"lockfileVersion": 1,
	"requires": true,
	"dependencies": {
	"@sinonjs/formatio": {
	"version": "2.0.0",
	"resolved": "https://registry.npmjs.org/@sinonjs/formatio/-/formatio-2.0.0.tgz",
	"integrity": "sha512-ls6CAMA6/5gG+O/IdsBcblvnd8qcO/l1TYoNeAzp3wcISOxlPXQEus0mLcdwazEkWjaBdaJ3TaxmNgCLWwvWzg==",
	from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
	import os

	class MyHandler(BaseHTTPRequestHandler):
	def do_GET(self):
	self.send_response(200)
	self.send_header('Content-type', 'text/html')
	self.end_headers()
	self.wfile.write('<html><head><title>Hello Criteo</title></head><body><h1>Hello Criteo!</h1></body></html>')
	def log_message(self, format, *args):
	[Unit]
	Description=Public filter enforcement Service

	[Service]
	Type=simple
	ExecStart=/home/user/custom-chain-enforcement.sh
	KillMode=mixed

	TimeoutStartSec=0
	RestartSec=0
	---
	- name: Check if network {{ name }} exists
	delegate_to: "{{ groups['docker_swarm_issuer'][0] }}"
	run_once: true
	command: docker network ls -q --filter name=^{{ name }}$
	register: network_exists
	changed_when: false

	- name: Create network {{ name }}
	command: docker network create --driver {{ driver }} {{ name }}