From 2a33c3b96251a8ebc9990ca83f26c87cd4066a1f Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Wed, 10 Aug 2022 11:29:37 -0400
Subject: [PATCH] initial certbot-renew service hardening

This doesn't switch to using a dedicated certbot user yet since the hooks used across the services will all still need to work.
---
 .../system/certbot-renew.service.d/local.conf | 26 +++++++++++++++++++
 .../mail.grapheneos.org.conf | 4 +++
 2 files changed, 30 insertions(+)
 create mode 100644 systemd/system/certbot-renew.service.d/mail.grapheneos.org.conf

diff --git a/systemd/system/certbot-renew.service.d/local.conf b/systemd/system/certbot-renew.service.d/local.conf
index 0ca435f..7afb0a1 100644
--- a/systemd/system/certbot-renew.service.d/local.conf
+++ b/systemd/system/certbot-renew.service.d/local.conf
@@ -1,2 +1,28 @@
 [Service]
+CapabilityBoundingSet=
+CPUSchedulingPolicy=batch
 ExecStart=/usr/bin/certbot -q renew --no-random-sleep-on-renew
+LockPersonality=true
+MemoryDenyWriteExecute=true
+PrivateDevices=true
+PrivateIPC=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=read-only
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/etc/letsencrypt /var/lib/letsencrypt /var/log/letsencrypt -/srv/certbot
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources @obsolete
diff --git a/systemd/system/certbot-renew.service.d/mail.grapheneos.org.conf b/systemd/system/certbot-renew.service.d/mail.grapheneos.org.conf
new file mode 100644
index 0000000..2f70388
--- /dev/null
+++ b/systemd/system/certbot-renew.service.d/mail.grapheneos.org.conf
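Review bot: `RestrictAddressFamilies=AF_INET AF_INET6` leaves out AF_UNIX, so anything a renewal hook does over a local socket (a `systemctl reload` through D-Bus, for example) fails with EAFNOSUPPORT inside this sandbox; the commit message says the hooks must keep working, so either add `AF_UNIX` to that line or confirm no hook on any host needs it. The deny list `SystemCallFilter=~@privileged @resources @obsolete` has no `SystemCallErrorNumber=`, so a filtered call terminates certbot with SIGSYS rather than surfacing as a Python error, which makes a hook or storage-path failure look like a crash; a comment would save the next reader a debugging session, e.g. `# Blocked syscalls kill the service (SIGSYS); run a --dry-run renewal and check the journal after changing the filter`. `PrivateUsers=true` also means the unit's root is an unprivileged uid from the host's point of view, so hooks that expect real root (chown of deployed certificate files, service reloads) presumably need the per-host override that the second file introduces — worth stating on the `PrivateUsers=true` line.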
@@ -0,0 +1,4 @@
+[Service]
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+PrivateUsers=false
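Review bot: The effect of `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` here depends on systemd applying drop-ins in lexical filename order, so that the empty `CapabilityBoundingSet=` in local.conf (which resets the set) is processed first and this line ORs the capability back in; renaming either file would silently change the resulting bounding set. A comment pins that down, e.g. `# Applied after local.conf (lexical order): re-adds CAP_NET_BIND_SERVICE to the set local.conf empties`. `PrivateUsers=false` also removes the user-namespace layer for this host only, presumably so the standalone authenticator can bind a privileged port; a one-line note on why it is needed would keep it from being read as an oversight or re-enabled by a later cleanup.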