Add basic systemd hardening to example service files

init/bird-lg-proxy.service

@@ -13,18 +13,37 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 
-
 # Debian GNU/Linux: store this in /etc/systemd/system/
 
-
 [Unit]
 Description=BIRD Looking-Glass proxy
 After=bird.service bird6.service
 
 [Service]
 Type=simple
-ExecStart=/usr/local/lookingglass/lgproxy.py
+#
+# User and group to run as
+#
 User=lgproxy
+Group=lgproxy
+#
+# Service Hardening
+#
+ProtectSystem=strict
+NoNewPrivileges=yes
+ProtectControlGroups=yes
+PrivateTmp=yes
+PrivateDevices=yes
+DevicePolicy=closed
+MemoryDenyWriteExecute=yes
+ProtectHome=true
+# set this to match LOG_FILE from the .cfg file
+ReadWritePaths=/var/log/lg-proxy
+# set these to match BIRD{,6}_SOCKET 
+ReadWritePaths=/var/run/bird/bird.ctl
+ReadWritePaths=/var/run/bird/bird6.ctl
+#
+ExecStart=/usr/local/lookingglass/lgproxy.py
 Restart=on-failure
 
 [Install]

init/bird-lg-webservice.service

@@ -13,17 +13,33 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 
-
 # Debian GNU/Linux: store this in /etc/systemd/system/
 
-
 [Unit]
 Description=BIRD Looking-Glass service
 After=apache2.service
 
 [Service]
 Type=simple
+#
+# User and group to run as
+#
 User=lookingglass
+Group=lookingglass
+#
+# Service Hardening
+#
+ProtectSystem=strict
+NoNewPrivileges=yes
+ProtectControlGroups=yes
+PrivateTmp=yes
+PrivateDevices=yes
+DevicePolicy=closed
+MemoryDenyWriteExecute=yes
+ProtectHome=true
+# Change this to match LOG_FILE from the .cfg file
+ReadWritePaths=/var/log/lg.log
+#
 ExecStart=/usr/local/lookingglass/lg.py
 Restart=on-failure