systemd security settings
This commit is contained in:
parent
79d4888e22
commit
631c3068a9
3 changed files with 36 additions and 0 deletions
|
@ -29,6 +29,8 @@ map:
|
||||||
expanded. Multiple repositories are backed up to in
|
expanded. Multiple repositories are backed up to in
|
||||||
sequence. See ssh_command for SSH options like identity file
|
sequence. See ssh_command for SSH options like identity file
|
||||||
or port.
|
or port.
|
||||||
|
If systemd service is used, then add local repository paths
|
||||||
|
in the systemd service file to the ReadWritePaths list.
|
||||||
example:
|
example:
|
||||||
- user@backupserver:sourcehostname.borg
|
- user@backupserver:sourcehostname.borg
|
||||||
one_file_system:
|
one_file_system:
|
||||||
|
|
|
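Review bot: the added comment under `repositories` tells users to add local repository paths to `ReadWritePaths` whenever the systemd service is used, but the unit file in this same commit ships with `ProtectSystem=full` and the `ReadWritePaths` line commented out, so the instruction only applies after switching to `ProtectSystem=strict`. Suggest qualifying it, e.g. "If the systemd service is used with ProtectSystem=strict, add local repository paths to the ReadWritePaths list in the service file", and mentioning the `-` prefix form shown in the unit (`-/mnt/my_backup_drive`), which keeps the unit from failing when a backup drive is not mounted.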
@ -268,6 +268,10 @@ sudo mv borgmatic.service borgmatic.timer /etc/systemd/system/
|
||||||
sudo systemctl enable --now borgmatic.timer
|
sudo systemctl enable --now borgmatic.timer
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Review the security settings in the service file and update them as needed.
|
||||||
|
If `ProtectSystem=strict` is enabled and local repositories are used, then
|
||||||
|
the repository path must be added to the `ReadWritePaths` list.
|
||||||
|
|
||||||
Feel free to modify the timer file based on how frequently you'd like
|
Feel free to modify the timer file based on how frequently you'd like
|
||||||
borgmatic to run.
|
borgmatic to run.
|
||||||
|
|
||||||
|
|
|
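Review bot: the new paragraph says the repository path "must be added to the `ReadWritePaths` list" but does not say that the list is commented out in the shipped unit and has to be uncommented, nor that `ProtectSystem=strict` also makes /root read-only, which is why the commented example line already lists the borg config, cache and borgmatic state directories under /root. Suggest telling readers to uncomment that `ReadWritePaths` line and append their repository path to it, rather than implying a fresh list with only the repository, and to keep the `-` prefix so a missing path does not stop the timer run.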
@ -7,6 +7,36 @@ ConditionACPower=true
|
||||||
[Service]
|
[Service]
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
|
|
||||||
|
# Security settings for systemd running as root
|
||||||
|
# For more details about this settings check the systemd manuals
|
||||||
|
# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
|
||||||
|
LockPersonality=true
|
||||||
|
MemoryDenyWriteExecute=yes
|
||||||
|
NoNewPrivileges=yes
|
||||||
|
PrivateDevices=yes
|
||||||
|
PrivateTmp=yes
|
||||||
|
ProtectClock=yes
|
||||||
|
ProtectControlGroups=yes
|
||||||
|
ProtectHostname=yes
|
||||||
|
ProtectKernelLogs=yes
|
||||||
|
ProtectKernelModules=yes
|
||||||
|
ProtectKernelTunables=yes
|
||||||
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
||||||
|
RestrictNamespaces=yes
|
||||||
|
RestrictRealtime=yes
|
||||||
|
RestrictSUIDSGID=yes
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
SystemCallFilter=@system-service
|
||||||
|
# Restrict write access
|
||||||
|
# Change to 'ProtectSystem=strict' and uncomment 'ProtectHome' to make the whole file
|
||||||
|
# system read-only be default and uncomment 'ReadWritePaths' for the required write access.
|
||||||
|
# Add local repositroy paths to the list of 'ReadWritePaths' like '-/mnt/my_backup_drive'.
|
||||||
|
ProtectSystem=full
|
||||||
|
# ProtectHome=read-only
|
||||||
|
# ReadWritePaths=-/root/.config/borg -/root/.cache/borg -/root/.borgmatic
|
||||||
|
|
||||||
|
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
|
||||||
|
|
||||||
# Lower CPU and I/O priority.
|
# Lower CPU and I/O priority.
|
||||||
Nice=19
|
Nice=19
|
||||||
CPUSchedulingPolicy=batch
|
CPUSchedulingPolicy=batch
|
||||||
|
|
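Review bot: `CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW` drops CAP_CHOWN, CAP_FOWNER and CAP_DAC_OVERRIDE, so a restore started through this unit (`borgmatic extract`) cannot recreate file ownership, and a local repository directory not owned by root cannot be written even when listed in `ReadWritePaths`; the file should state that the bounding set is tuned for create/prune/check runs only, or name the capabilities to add for restores. CAP_NET_RAW also deserves a justifying comment, since the SSH transport used for remote repositories needs no raw sockets. `PrivateDevices=yes` hides /dev/fuse, so `borgmatic mount` will not work inside this unit either; a comment would save users a confusing failure. Finally, the comments carry typos that should be fixed before merge: "this settings" should read "these settings", "be default" should read "by default", and "repositroy" should read "repository".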