Project

General

Profile

Actions
Copy link

Feature #29417

open

Harden foreman.service using systemd features

Added by Ewoud Kohl van Wijngaarden over 4 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Packaging
Target version:
-
Difficulty:
Triaged:
No
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

Systemd services can be hardened and Foreman should use this to the fullest extent possible.

A quick check makes me thing the following is a good start

[Service]
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=full
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes
ReadWritePaths=/var/lib/foreman

The only complication is that Katello's Pulp 2 export relies on paths in Pulp's home directory.

Related issues 1 (0 open1 closed)

Related to Foreman - Feature #29960: Run foreman.service with systemd PrivateTmp=trueClosedEvgeni GolovActions
Actions
Copy link
 #1

Updated by Ewoud Kohl van Wijngaarden about 4 years ago

  • Related to Feature #29960: Run foreman.service with systemd PrivateTmp=true added
Actions
Copy link

Also available in: Atom PDF