From afdf4b2cf9d7f9c50fedb51ab2fdb4e2fba528ba Mon Sep 17 00:00:00 2001
From: Rahul Sundaram
Date: Mar 11 2024 23:11:21 +0000
Subject: Update Systemd security settings
---
diff --git a/openssh.spec b/openssh.spec
index 1f8ab4e..3216183 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -54,7 +54,7 @@
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
 Version: %{openssh_ver}
-Release: %{openssh_rel}%{?dist}.2
+Release: %{openssh_rel}%{?dist}.3
 URL: http://www.openssh.com/portable.html
 #URL1: https://github.com/jbeverly/pam_ssh_agent_auth/
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@@ -303,7 +303,7 @@ Requires: openssh = %{version}-%{release}
 %package -n pam_ssh_agent_auth
 Summary: PAM module for authentication with ssh-agent
 Version: %{pam_ssh_agent_ver}
-Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.2
+Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.3
 License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant AND OpenSSL
 %description
@@ -739,6 +739,9 @@ test -f %{sysconfig_anaconda} && \
 %endif
 %changelog
+* Mon Mar 11 2024 Rahul Sundaram - 9.6p1-1.3
+- Update Systemd security settings as part of https://fedoraproject.org/wiki/Changes/SystemdSecurityHardening
+
 * Thu Jan 25 2024 Fedora Release Engineering - 9.6p1-1.2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
diff --git a/sshd.service b/sshd.service
index 0cb2a26..ae58509 100644
--- a/sshd.service
+++ b/sshd.service
@@ -15,6 +15,26 @@ ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
 Restart=on-failure
 RestartSec=42s
+DevicePolicy=closed
+KeyringMode=private
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=no
+PrivateDevices=yes
+PrivateTmp=no
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=no
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=yes
+ProcSubset=pid
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
 [Install]
 WantedBy=multi-user.target
diff --git a/sshd@.service b/sshd@.service
index be6d3b9..9cd1f4f 100644
--- a/sshd@.service
+++ b/sshd@.service
@@ -11,3 +11,23 @@ Wants=ssh-host-keys-migration.service
 EnvironmentFile=-/etc/sysconfig/sshd
 ExecStart=-/usr/sbin/sshd -i $OPTIONS
 StandardInput=socket
+DevicePolicy=closed
+KeyringMode=private
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=no
+PrivateDevices=yes
+PrivateTmp=no
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=no
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=yes
+ProcSubset=pid
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
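Review bot: The sandbox directives added after `RestartSec=42s` in sshd.service do not stop at the listener, because mount namespaces and seccomp filters set up for a unit are inherited by every process it forks, which for sshd includes each login shell. `ProtectSystem=yes`, `ProtectKernelTunables=yes`, `ProtectKernelModules=yes`, `PrivateDevices=yes`, `ProcSubset=pid` and `MemoryDenyWriteExecute=yes` would therefore also bind an administrator working over SSH: read-only `/usr`, no `sysctl -w` or module loading, a reduced `/dev` and `/proc`, and no writable-and-executable mappings for JIT runtimes. Nothing in the patch shows that interactive and `sudo` sessions were exercised under these settings, so I would test that before merging and drop whichever directives break session use. The three explicit `=no` lines look like deliberate carve-outs for sessions, and a comment such as `# login sessions inherit this sandbox: users need setuid helpers, the real /tmp and their home directories` above `NoNewPrivileges=no` would keep a later change from flipping them to `yes`. The identical block in the sshd@.service hunk raises the same points, and in both files the section these lines join starts outside the hunk.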