From d1aee7b41c9642d796071df3d898d2c008354c3e Mon Sep 17 00:00:00 2001
From: Tommy
Date: Fri, 8 Sep 2023 15:04:33 -0700
Subject: [PATCH] Certbot hardening

---
 README.md | 3 ++-
 .../system/certbot.service.d/override.conf | 26 +++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 etc/systemd/system/certbot.service.d/override.conf

diff --git a/README.md b/README.md
index 1ca7d6e..997d747 100644
--- a/README.md
+++ b/README.md
@@ -5,10 +5,11 @@ This configuration does not include some hardening configurations, as those are
 **Notes**:
 - snap ufw blocks Docker by default. ArcticFoxes's Matrix server uses .deb ufw instead.
+- Use the .deb certbot package so that you can apply systemd hardening.
 - A lot of these configuration files use ArcticFoxes's domain. If you are adopting this to your own system, make sure that you replace them.
 - The Certbot-OCSP-Fetcher script can be found [here](https://github.com/GrapheneOS/infrastructure/blob/main/certbot-ocsp-fetcher)
 - You need to create a `postgres-socket` and add the `postgres` and `matrix-synapse` user to it.
 - You need to create a `matrix-synapse-socket` and add the `matrix-synapse` and `nginx` user to it.
 - Systemd overrides for NGINX and SSHD services are based on [GrapheneOS's configurations](https://github.com/GrapheneOS/infrastructure/tree/main/systemd/system).
 - Systemd override for Synapse is based on Arch Linux's [matrix-synapse](https://gitlab.archlinux.org/archlinux/packaging/packages/matrix-synapse/-/blob/main/override-hardened.conf?ref_type=heads) package.
-- The repolists of PostgreSQL and Docker have been modified so that they read GPG keys from `/usr/share/keyring` by default. Make sure that when you follow upstream's documentation on adding their GPG keys, you adjust the location. For PostgreSQL's GPG key, run `curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /usr/share/keyrings/postgresql-debian-repo.gpg >/dev/null`
+- The repolists of PostgreSQL and Docker have been modified so that they read GPG keys from `/usr/share/keyring` by default. Make sure that when you follow upstream's documentation on adding their GPG keys, you adjust the location. For PostgreSQL's GPG key, run `curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /usr/share/keyrings/postgresql-debian-repo.gpg >/dev/null`
\ No newline at end of file
diff --git a/etc/systemd/system/certbot.service.d/override.conf b/etc/systemd/system/certbot.service.d/override.conf
new file mode 100644
index 0000000..495243a
--- /dev/null
+++ b/etc/systemd/system/certbot.service.d/override.conf
@@ -0,0 +1,26 @@
+[Service]
+CapabilityBoundingSet=
+CPUSchedulingPolicy=batch
+LockPersonality=true
+MemoryDenyWriteExecute=true
+PrivateDevices=true
+PrivateIPC=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=read-only
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/etc/letsencrypt /var/lib/letsencrypt /var/log/letsencrypt /var/cache/certbot-ocsp-fetcher
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources @obsolete
\ No newline at end of file
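Review bot: `RestrictAddressFamilies=AF_INET AF_INET6` in the new override omits AF_UNIX, so anything in the renewal path that needs a local socket — a deploy hook running `systemctl reload nginx` over D-Bus, or hostname lookups routed through nss-resolve if the host uses systemd-resolved that way — will get EAFNOSUPPORT inside the sandbox, and `PrivateUsers=true` together with the empty `CapabilityBoundingSet=` further keeps the unit from reaching the system manager or binding port 80 should the standalone authenticator be in use. The `/var/cache/certbot-ocsp-fetcher` entry in `ReadWritePaths=` suggests at least one hook does run during renewal, so this is worth confirming rather than assuming. If a hook must reload a service, `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` and dropping `PrivateUsers=` is the smaller change; otherwise keep the current set and move the reload into a separate unit triggered by a path unit on /etc/letsencrypt/live. Unless hooks live under /home, `ProtectHome=true` is tighter than `read-only` at no cost, and the file should end with a trailing newline. Please verify by starting `certbot.service` once and checking the journal for EAFNOSUPPORT/EPERM, then `systemd-analyze security certbot.service`.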