Here's what I have now, with your latest feedback incorporated: --- a/debian/ntpsec.ntpsec-rotate-stats.service +++ b/debian/ntpsec.ntpsec-rotate-stats.service @@ -5,3 +5,35 @@ Requisite=ntpsec.service [Service] Type=simple ExecStart=/usr/lib/ntp/rotate-stats + +# These lock down this service to minimal privileges. +# See also: systemd-analyze security +CapabilityBoundingSet= +IPAddressDeny=any +LockPersonality=yes +MemoryDenyWriteExecute=yes +NoNewPrivileges=yes +PrivateDevices=yes +PrivateNetwork=yes +PrivateTmp=yes +PrivateUsers=yes +ProtectControlGroups=yes +ProtectHome=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +ProtectSystem=strict +ReadWritePaths=-/var/log/ntpsec/ +RemoveIPC=yes +# AF_UNIX is probably not necessary, but there is no clear syntax for +# disabling all address families. An empty string clears the list. +RestrictAddressFamilies=AF_UNIX +RestrictNamespaces=yes +RestrictRealtime=yes +SystemCallArchitectures=native +# Order is important here: +SystemCallFilter=@system-service +SystemCallFilter=~@privileged @resources +# TODO: Can we use 077 and make ntpviz run as User=ntpsec? +UMask=022 +User=ntpsec +WorkingDirectory=/var/log/ntpsec
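Review bot: The `-` prefix on `ReadWritePaths=-/var/log/ntpsec/` is inconsistent with the `WorkingDirectory=/var/log/ntpsec` line below it: the prefix tells systemd to silently ignore the path if it is missing, but a missing directory still makes the unit fail on `WorkingDirectory=`, so the prefix only hides a misconfiguration rather than tolerating it. Either drop the `-`, or replace it with `LogsDirectory=ntpsec`, which has systemd create the directory and implicitly makes it writable under `ProtectSystem=strict`. Two smaller points: the comment above `RestrictAddressFamilies=AF_UNIX` says there is no syntax for denying every family, which is worth checking against the systemd version Debian ships, since newer `systemd.exec` releases document `RestrictAddressFamilies=none` for exactly that; and the `TODO` above `UMask=022` is a merge-readiness question (077 would make the rotated stats unreadable to anything not running as `ntpsec`, so it cannot be flipped without the ntpviz change the comment mentions), so it is better tracked in the bug or commit message than left in the installed unit. Otherwise the ordering note on `SystemCallFilter=` is correct: the `@system-service` allow-list must come first so the following `~@privileged @resources` line subtracts from it.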
-- Richard