From 44671939c2dea5a3f7db9fec6754b70827bcbd29 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Fri, 8 Sep 2023 07:43:16 -0700
Subject: [PATCH] NGINX hardening

Signed-off-by: Tommy
---
 .../system/nginx.service.d/override.conf | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 etc/systemd/system/nginx.service.d/override.conf

diff --git a/etc/systemd/system/nginx.service.d/override.conf b/etc/systemd/system/nginx.service.d/override.conf
new file mode 100644
index 0000000..543a4fc
--- /dev/null
+++ b/etc/systemd/system/nginx.service.d/override.conf
@@ -0,0 +1,27 @@
+[Service]
+CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
+LockPersonality=true
+NoNewPrivileges=true
+MemoryDenyWriteExecute=true
+PrivateIPC=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/var/log/nginx /var/cache/nginx
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RuntimeDirectory=nginx
+RuntimeDirectoryMode=700
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@obsolete
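Review bot: The allow-list `ReadWritePaths=/var/log/nginx /var/cache/nginx` is the line most likely to break the service under `ProtectSystem=strict`, which leaves the rest of the tree (including `/run`, apart from the `RuntimeDirectory=nginx` it grants) read-only; a stock nginx that keeps its pid at `/run/nginx.pid`, or whose temp/body directories live under `/var/lib/nginx` as in Debian packaging, would presumably fail at start or on the first buffered request, so these paths need checking against this host's nginx.conf — e.g. `pid /run/nginx/nginx.pid;` in nginx.conf, and `/var/lib/nginx` appended to `ReadWritePaths=` where that layout is used. `MemoryDenyWriteExecute=true` is likewise at odds with `pcre_jit on;` and any Lua/JIT module, which need pages that are written and then executed, so if those are in use this line should be dropped or the JIT disabled rather than discovered as a crash. `PrivateDevices=true` is a cheap addition missing from the list, since nginx needs only pseudo-devices. The file also carries no statement of intent; a header such as `# Sandbox for nginx: root is read-only (ProtectSystem=strict); add extra document/temp roots to ReadWritePaths= and keep the pid file under /run/nginx` would save the next admin a failed restart.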