Harden wtmpdbd.service

thkukuk · Jan 10, 2025 · cbabeb7 · cbabeb7
1 parent 793021a
commit cbabeb7
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/units/wtmpdbd.service b/units/wtmpdbd.service
@@ -7,3 +7,22 @@ Type=notify
 Environment="WTMPDBD_OPTS="
 EnvironmentFile=-/etc/default/wtmpdbd
 ExecStart=/usr/libexec/wtmpdbd -s $WTMPDBD_OPTS
+#DeviceAllow=/dev/vsock r
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateNetwork=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/etc /run/wtmpdb /var/lib/wtmpdb
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes