Unbound systemd hardening moved to Linux-Setup-Scripts
Signed-off-by: Tommy <contact@tommytran.io>
parent
7f470747b9
commit
b674e55d42
@ -1,19 +0,0 @@
|
||||
[Service]
|
||||
MemoryDenyWriteExecute=true
|
||||
PrivateDevices=true
|
||||
PrivateTmp=true
|
||||
ProtectHome=true
|
||||
ProtectClock=true
|
||||
ProtectControlGroups=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectKernelModules=true
|
||||
# This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility.
|
||||
ProtectKernelTunables=true
|
||||
ProtectProc=invisible
|
||||
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
|
||||
RestrictRealtime=true
|
||||
SystemCallArchitectures=native
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
|
||||
RestrictNamespaces=yes
|
||||
LockPersonality=yes
|
||||
RestrictSUIDSGID=yes
|
@ -183,7 +183,7 @@
|
||||
{
|
||||
"path": "/etc/systemd/system/unbound.service.d/override.conf",
|
||||
"contents": {
|
||||
"source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/systemd/system/unbound.service.d/override.conf"
|
||||
"source": "https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/unbound.service.d/override.conf"
|
||||
}
|
||||
},
|
||||
{
|
||||
|
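Review bot: The `contents` object for `/etc/systemd/system/unbound.service.d/override.conf` carries only a `source` that points at the `main` branch of a different repository, with no `verification` entry. Whatever that branch serves at provisioning time therefore becomes the sandboxing policy for unbound, and a later edit or removal of the file there changes or drops the hardening without any change in this repository. I would pin the content by adding `"verification": { "hash": "sha512-<DIGEST_OF_OVERRIDE_CONF>" }` beside `"source"` (placeholder digest), and preferably replace `main` in the URL with a commit id. The same applies to the YAML entry for this path in the `storage:` hunk at line 238, where `verification:` with a `hash:` key would sit under `contents:`.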
@ -238,7 +238,7 @@ storage:
|
||||
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/unbound/unbound.conf
|
||||
- path: /etc/systemd/system/unbound.service.d/override.conf
|
||||
contents:
|
||||
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/systemd/system/unbound.service.d/override.conf
|
||||
source: https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/unbound.service.d/override.conf
|
||||
- path: /etc/issue
|
||||
overwrite: true
|
||||
contents:
|
||||
|