From b674e55d42577ad0a068e6646295fb6b0e3fab1f Mon Sep 17 00:00:00 2001
From: Tommy
Date: Tue, 25 Jun 2024 22:32:16 -0700
Subject: [PATCH] Unbound systemd hardening moved to Linux-Setup-Scripts
Signed-off-by: Tommy
---
.../system/unbound.service.d/override.conf | 19 -------------------
x86-QEMU-Docker.ign | 2 +-
x86-QEMU-Docker.yml | 2 +-
3 files changed, 2 insertions(+), 21 deletions(-)
delete mode 100644 etc/systemd/system/unbound.service.d/override.conf
diff --git a/etc/systemd/system/unbound.service.d/override.conf b/etc/systemd/system/unbound.service.d/override.conf
deleted file mode 100644
index 72111e5..0000000
--- a/etc/systemd/system/unbound.service.d/override.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-[Service]
-MemoryDenyWriteExecute=true
-PrivateDevices=true
-PrivateTmp=true
-ProtectHome=true
-ProtectClock=true
-ProtectControlGroups=true
-ProtectKernelLogs=true
-ProtectKernelModules=true
-# This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility.
-ProtectKernelTunables=true
-ProtectProc=invisible
-RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
-RestrictRealtime=true
-SystemCallArchitectures=native
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
-RestrictNamespaces=yes
-LockPersonality=yes
-RestrictSUIDSGID=yes
\ No newline at end of file
diff --git a/x86-QEMU-Docker.ign b/x86-QEMU-Docker.ign
index 2a5b1bd..2c33e25 100644
--- a/x86-QEMU-Docker.ign
+++ b/x86-QEMU-Docker.ign
@@ -183,7 +183,7 @@
 {
 "path": "/etc/systemd/system/unbound.service.d/override.conf",
 "contents": {
- "source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/systemd/system/unbound.service.d/override.conf"
+ "source": "https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/unbound.service.d/override.conf"
 }
 },
 {
diff --git a/x86-QEMU-Docker.yml b/x86-QEMU-Docker.yml
index d4f6c2c..12f2605 100644
--- a/x86-QEMU-Docker.yml
+++ b/x86-QEMU-Docker.yml
@@ -238,7 +238,7 @@ storage:
 source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/unbound/unbound.conf
 - path: /etc/systemd/system/unbound.service.d/override.conf
 contents:
- source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/systemd/system/unbound.service.d/override.conf
+ source: https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/unbound.service.d/override.conf
 - path: /etc/issue
 overwrite: true
 contents:
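Review bot: The new `source:` for `/etc/systemd/system/unbound.service.d/override.conf` points at the mutable `main` branch of a separate repository and has no integrity check, so whatever that branch holds at provisioning time becomes unbound's sandboxing drop-in. A later edit or a compromise of Linux-Setup-Scripts could weaken or remove the hardening with no change visible in this repository. Pin the URL to a commit (`.../Linux-Setup-Scripts/<COMMIT_SHA>/etc/systemd/system/unbound.service.d/override.conf`) and add `verification:` with `hash: sha256-<DIGEST_OF_OVERRIDE_CONF>` under `contents:`, so provisioning fails rather than installing an unexpected file. The same applies to the matching `"source"` entry in x86-QEMU-Docker.ign, which appears to be the transpiled form of this file. The `storage:` list continues outside the hunk, and the neighbouring `unbound.conf` entry visible in the context uses the same unpinned pattern.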