From 9e72398daad3a366492197b5284203127d0019b3 Mon Sep 17 00:00:00 2001 From: "Alexander \"Arav\" Andreev" Date: Mon, 10 Oct 2022 00:06:35 +0400 Subject: [PATCH] Systemd service file was moved to init dir. Program renamed. Added all security tweaks used in other projects. --- contrib/systemd/httpprocwatchd.service | 13 ---------- init/systemd.service | 35 ++++++++++++++++++++++++++ 2 files changed, 35 insertions(+), 13 deletions(-) delete mode 100644 contrib/systemd/httpprocwatchd.service create mode 100644 init/systemd.service diff --git a/contrib/systemd/httpprocwatchd.service b/contrib/systemd/httpprocwatchd.service deleted file mode 100644 index 185efdb..0000000 --- a/contrib/systemd/httpprocwatchd.service +++ /dev/null @@ -1,13 +0,0 @@ -[Unit] -Description=HTTPProcWatchD -After=network.target - -[Service] -Type=simple -DynamicUser=yes -Restart=on-failure -ExecStart=/usr/bin/httpprocwatchd --config /etc/httpprocwatchd/config.conf -ExecReload=kill -HUP $MAINPID - -[Install] -WantedBy=multi-user.target diff --git a/init/systemd.service b/init/systemd.service new file mode 100644 index 0000000..49db553 --- /dev/null +++ b/init/systemd.service @@ -0,0 +1,35 @@ +[Unit] +Description=HTTPProcProbeD +After=network.target + +[Service] +Type=simple +DynamicUser=yes +Restart=on-failure +ExecStart=/usr/bin/httpprocprobed -c /etc/httpprocprobed.conf +ExecReload=kill -HUP $MAINPID + +ReadOnlyPaths=/ + +AmbientCapabilities= +CapabilityBoundingSet= + +LockPersonality=true +MemoryDenyWriteExecute=true +NoNewPrivileges=true +PrivateDevices=true +ProtectClock=true +ProtectControlGroups=true +ProtectHome=true +ProtectKernelLogs=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectSystem=strict +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +RestrictNamespaces=true +RestrictRealtime=true +RestrictSUIDSGID=true +SystemCallArchitectures=native + +[Install] +WantedBy=multi-user.target