Package: ntpsec
Version: 1.1.3+dfsg1-2
Severity: wishlist
Tags: patch

Hello!
systemd includes a huge amount of security features, which are off by default. "systemd-analyze security" tells you about many of them. I thought "let's try to fix this!" and used debian/ntpsec.ntpsec-rotate-stats.service as a test case. You can drop these lines (below) into debian/ntpsec.ntpsec-rotate-stats.service and that unit will be more secure, AND still work, yay! I realize locking down JUST this single shell script isn't very useful; this is (hopefully) just the first step in "lock down all the things in all the units".

[Service]
PrivateNetwork=yes
User=ntpsec
PrivateUsers=yes
CapabilityBoundingSet=
RestrictAddressFamilies=AF_UNIX
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
ReadWritePaths=-/var/log/ntpsec/
WorkingDirectory=/var/log/ntpsec
IPAddressDeny=any
SystemCallArchitectures=native
RestrictNamespaces=yes
NoNewPrivileges=yes
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
RestrictRealtime=yes
LockPersonality=yes
RemoveIPC=yes
MemoryDenyWriteExecute=yes
## Not set because we *WANT* /var/log/ntpsec/temps.YYYY-MM-DD.gz to be world-readable.
#UMask=
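A small lint for drop-ins like the one above, added here as an example and not part of the bug report or of the ntpsec package. It parses the unit-file syntax, reports directive names systemd would not recognise (a case slip such as Umask= for UMask= makes systemd log "Unknown key name" and silently skip the line, so the protection the author thinks they configured is simply absent), flags single-valued keys that are assigned more than once (only the last value wins), and lists which directives from a hardening checklist are missing. The checklist, the set of "known" keys and the sample drop-in at the bottom are constructed for this example; the directive names themselves are real systemd ones.

```python
"""Lint a systemd [Service] drop-in for hardening coverage (added example)."""
import re
from collections import defaultdict

# Real systemd service directive names (case-sensitive). Subset chosen for this example.
KNOWN_SERVICE_KEYS = {
    "User", "Group", "UMask", "WorkingDirectory", "ExecStart",
    "PrivateNetwork", "PrivateUsers", "PrivateDevices", "PrivateTmp",
    "ProtectHome", "ProtectSystem", "ProtectControlGroups",
    "ProtectKernelModules", "ProtectKernelTunables", "ProtectKernelLogs",
    "ProtectClock", "ProtectHostname", "ReadWritePaths", "ReadOnlyPaths",
    "CapabilityBoundingSet", "RestrictAddressFamilies", "IPAddressDeny",
    "IPAddressAllow", "SystemCallArchitectures", "SystemCallFilter",
    "RestrictNamespaces", "NoNewPrivileges", "RestrictRealtime",
    "RestrictSUIDSGID", "LockPersonality", "RemoveIPC", "MemoryDenyWriteExecute",
}

# Directives whose repeated assignments accumulate instead of overwriting.
REPEATABLE_KEYS = {
    "ReadWritePaths", "ReadOnlyPaths", "SystemCallFilter", "CapabilityBoundingSet",
    "RestrictAddressFamilies", "IPAddressDeny", "IPAddressAllow", "ExecStart",
}

# Checklist constructed for this example: the report's directives plus a few
# later systemd additions a reviewer would also look for.
HARDENING_CHECKLIST = [
    "NoNewPrivileges", "PrivateTmp", "PrivateDevices", "ProtectSystem", "ProtectHome",
    "ProtectKernelTunables", "ProtectKernelModules", "ProtectKernelLogs",
    "ProtectControlGroups", "ProtectClock", "ProtectHostname", "RestrictNamespaces",
    "RestrictRealtime", "RestrictSUIDSGID", "LockPersonality", "MemoryDenyWriteExecute",
    "SystemCallArchitectures", "SystemCallFilter", "CapabilityBoundingSet",
]


def parse_unit(text):
    """Parse unit-file text into {section: [(key, value), ...]}.

    Order and duplicates are preserved so the linter can reason about them.
    Comment lines (# or ;) and blank lines are skipped; backslash line
    continuation is not handled in this example.
    """
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed unit line: {raw!r}")
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return dict(sections)


def lint_service(text):
    """Return a report for the [Service] section of a unit file or drop-in."""
    service = parse_unit(text).get("Service", [])
    by_lowercase = {k.lower(): k for k in KNOWN_SERVICE_KEYS}
    counts = defaultdict(int)
    unknown = []  # (key as written, suggested correct spelling or None)
    for key, _ in service:
        counts[key] += 1
        if key not in KNOWN_SERVICE_KEYS:
            unknown.append((key, by_lowercase.get(key.lower())))
    duplicates = [(k, n) for k, n in counts.items() if n > 1 and k not in REPEATABLE_KEYS]
    present = set(counts)
    return {
        "unknown": unknown,
        "duplicates": duplicates,
        "missing": [k for k in HARDENING_CHECKLIST if k not in present],
        "present": [k for k in HARDENING_CHECKLIST if k in present],
    }


# Constructed sample: a drop-in with a repeated boolean and a miscased UMask=.
SAMPLE_DROPIN = """\
[Service]
User=ntpsec
PrivateNetwork=yes
PrivateUsers=yes
PrivateNetwork=yes
CapabilityBoundingSet=
ProtectSystem=strict
ReadWritePaths=-/var/log/ntpsec/
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
NoNewPrivileges=yes
Umask=0022
"""

if __name__ == "__main__":
    report = lint_service(SAMPLE_DROPIN)
    for key, hint in report["unknown"]:
        print(f"unknown key {key}=" + (f" (did you mean {hint}=?)" if hint else ""))
    for key, n in report["duplicates"]:
        print(f"{key}= assigned {n} times; only the last value takes effect")
    print("missing hardening directives:", ", ".join(report["missing"]))
```

Run it on a real drop-in by feeding the file contents to lint_service(); the checklist is deliberately a plain list so a maintainer can extend it per package, and the "present" list makes it easy to diff two revisions of a unit.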