commit 85c2e46b4831beb055dc6d732ada5f70dbcfe5eb (tree) parent 04a8944d3668748243027b8d8c11d2d883809990 Author: Motiejus Jakštys <desired.mta@gmail.com> Date: Mon, 13 Apr 2020 09:09:28 +0300 hardening nginx Diffstat:
| M | root/iot3/etc/systemd/system/nginx.service.d/hardening.conf | | | 14 | +++++++++++--- |
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/root/iot3/etc/systemd/system/nginx.service.d/hardening.conf b/root/iot3/etc/systemd/system/nginx.service.d/hardening.conf
@@ -1,15 +1,23 @@
 [Service]
 ProtectSystem=strict
 PrivateTmp=true
-SystemCallArchitectures=native
+LockPersonality=true
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
+PrivateDevices=true
 ProtectControlGroups=true
+ProtectHome=tmpfs
+ProtectHostname=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
-PrivateDevices=true
-ProtectHome=tmpfs
+RemoveIPC=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
 BindPaths=/run
 BindPaths=/var/log/nginx
+BindPaths=/var/lib/nginx
 BindReadOnlyPaths=/home/motiejus/.dotfiles/root/nginx/
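Review bot: The drop-in still leaves the nginx master with the full root capability set and an unfiltered syscall table, since nothing in the hunk sets `CapabilityBoundingSet=` or `SystemCallFilter=`; adding `SystemCallFilter=@system-service` next to `SystemCallArchitectures=native`, plus a `CapabilityBoundingSet=` trimmed to what the master needs to bind its ports, drop to the worker user and open its logs, would close the largest remaining gap (the exact capability list depends on the site's nginx.conf, so confirm it with `systemd-analyze security nginx` and a restart before committing to one). `BindPaths=/run` reopens the whole runtime directory read-write, which is far wider than the pid file needs; `RuntimeDirectory=nginx` with `pid /run/nginx/nginx.pid;` in nginx.conf would confine that, and `ReadWritePaths=` rather than a self-targeted `BindPaths=` is the conventional way to carve write exceptions out of `ProtectSystem=strict`. `RemoveIPC=true` is documented to be ignored when the unit runs as root, and this drop-in sets no `User=`, so it is presumably a no-op here unless the base unit runs nginx under another account.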