From 228e4fe6da2d3635d5a10b78c5a9b3cdaa83afb5 Mon Sep 17 00:00:00 2001
From: Lars Kneschke
Date: Thu, 5 Oct 2023 03:29:26 +0200
Subject: [PATCH] Add more security flogs to service

---
 REFERENCE.md | 32 ++++++++++++++++++++++++++++----
 types/unit/service.pp | 27 +++++++++++++++++++++++++++
 2 files changed, 55 insertions(+), 4 deletions(-)

diff --git a/REFERENCE.md b/REFERENCE.md
index ca72ed7e..3c60a7de 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -2416,15 +2416,39 @@
 Struct[{
  Optional['OOMPolicy'] => Enum['continue', 'stop','kill'],
  Optional['OOMScoreAdjust'] => Integer[-1000,1000],
  Optional['Environment'] => String,
- Optional['EnvironmentFile'] => Variant[
- Stdlib::Unixpath,Pattern[/-\/.+/],
- Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1],
- ],
+ Optional['EnvironmentFile'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
  Optional['StandardOutput'] => Variant[Enum['inherit','null','tty','journal','kmsg','journal+console','kmsg+console','socket'],Pattern[/\A(file:|append:|truncate:).+$\z/]],
  Optional['StandardError'] => Variant[Enum['inherit','null','tty','journal','kmsg','journal+console','kmsg+console','socket'],Pattern[/\A(file:|append:|truncate:).+$\z/]],
  Optional['StandardInput'] => Variant[Enum['null','tty','tty-force','tty-fail','data','socket'], Pattern[/\A(file:|fd:).+$\z/]],
  Optional['PrivateTmp'] => Boolean,
  Optional['RuntimeDirectory'] => String,
+ Optional['RuntimeDirectoryMode'] => Stdlib::Filemode,
+ Optional['LogsDirectory'] => String,
+ Optional['LogsDirectoryMode'] => Stdlib::Filemode,
+ Optional['ProtectSystem'] => Variant[Boolean, Enum['full', 'strict']],
+ Optional['ProtectHome'] => Variant[Boolean, Enum['read-only', 'tmpfs']],
+ Optional['BindPaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
+ Optional['BindReadOnlyPaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
+ Optional['PrivateDevices'] => Boolean,
+ Optional['RemoveIPC'] => Boolean,
+ Optional['ProtectKernelModules'] => Boolean,
+ Optional['ProtectKernelTunables'] => Boolean,
+ Optional['ProtectControlGroups'] => Boolean,
+ Optional['RestrictRealtime'] => Boolean,
+ Optional['RestrictAddressFamilies'] => Variant[Enum['AF_UNIX', 'AF_INET', 'AF_INET6', 'AF_NETLINK', 'none'], Array[Enum['AF_UNIX', 'AF_INET', 'AF_INET6', 'AF_NETLINK', 'none']]],
+ Optional['RestrictNamespaces'] => Variant[Boolean, Enum['ipc', 'net', 'mnt', 'pid', 'user', 'uts', 'cgroup'], Array[Enum['ipc', 'net', 'mnt', 'pid', 'user', 'uts', 'cgroup']]],
+ Optional['SystemCallArchitectures'] => Variant[String, Array[String]],
+ Optional['SystemCallFilter'] => Variant[String, Array[String]],
+ Optional['SystemCallErrorNumber'] => String,
+ Optional['ProtectClock'] => Boolean,
+ Optional['PrivateUsers'] => Boolean,
+ Optional['ProtectKernelLogs'] => Boolean,
+ Optional['ProtectProc'] => Enum['noaccess', 'invisible', 'ptraceable', 'default'],
+ Optional['ProtectHostname'] => Boolean,
+ Optional['RestrictSUIDSGID'] => Boolean,
+ Optional['CapabilityBoundingSet'] => Variant[String, Array[String]],
+ Optional['NoNewPrivileges'] => Boolean,
+ Optional['LockPersonality'] => Boolean,
 }]
 ```
diff --git a/types/unit/service.pp b/types/unit/service.pp
index 5816d509..447a104f 100644
--- a/types/unit/service.pp
+++ b/types/unit/service.pp
@@ -102,5 +102,32 @@
  Optional['StandardInput'] => Variant[Enum['null','tty','tty-force','tty-fail','data','socket'], Pattern[/\A(file:|fd:).+$\z/]],
  Optional['PrivateTmp'] => Boolean,
  Optional['RuntimeDirectory'] => String,
+ Optional['RuntimeDirectoryMode'] => Stdlib::Filemode,
+ Optional['LogsDirectory'] => String,
+ Optional['LogsDirectoryMode'] => Stdlib::Filemode,
+ Optional['ProtectSystem'] => Variant[Boolean, Enum['full', 'strict']],
+ Optional['ProtectHome'] => Variant[Boolean, Enum['read-only', 'tmpfs']],
+ Optional['BindPaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
+ Optional['BindReadOnlyPaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
+ Optional['PrivateDevices'] => Boolean,
+ Optional['RemoveIPC'] => Boolean,
+ Optional['ProtectKernelModules'] => Boolean,
+ Optional['ProtectKernelTunables'] => Boolean,
+ Optional['ProtectControlGroups'] => Boolean,
+ Optional['RestrictRealtime'] => Boolean,
+ Optional['RestrictAddressFamilies'] => Variant[Enum['AF_UNIX', 'AF_INET', 'AF_INET6', 'AF_NETLINK', 'none'], Array[Enum['AF_UNIX', 'AF_INET', 'AF_INET6', 'AF_NETLINK', 'none']]],
+ Optional['RestrictNamespaces'] => Variant[Boolean, Enum['ipc', 'net', 'mnt', 'pid', 'user', 'uts', 'cgroup'], Array[Enum['ipc', 'net', 'mnt', 'pid', 'user', 'uts', 'cgroup']]],
+ Optional['SystemCallArchitectures'] => Variant[String, Array[String]],
+ Optional['SystemCallFilter'] => Variant[String, Array[String]],
+ Optional['SystemCallErrorNumber'] => String,
+ Optional['ProtectClock'] => Boolean,
+ Optional['PrivateUsers'] => Boolean,
+ Optional['ProtectKernelLogs'] => Boolean,
+ Optional['ProtectProc'] => Enum['noaccess', 'invisible', 'ptraceable', 'default'],
+ Optional['ProtectHostname'] => Boolean,
+ Optional['RestrictSUIDSGID'] => Boolean,
+ Optional['CapabilityBoundingSet'] => Variant[String, Array[String]],
+ Optional['NoNewPrivileges'] => Boolean,
+ Optional['LockPersonality'] => Boolean,
 }
 ]
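Review bot: `RestrictAddressFamilies` is typed as a closed Enum of four families plus `none`, so valid hardening values that systemd.exec(5) accepts — other families such as `AF_PACKET` (needed by raw-socket users like DHCP clients) or `AF_VSOCK`, and the `~`-prefixed deny-list form — are rejected by the type, and `RestrictNamespaces` has the same gap for its `~`-inverted form, which pushes operators toward an unvalidated drop-in instead of a tighter policy. A pattern alternative keeps the check without blocking those values, e.g. `Optional['RestrictAddressFamilies'] => Variant[Enum['none'], Pattern[/\A~?AF_[A-Z0-9_]+\z/], Array[Pattern[/\A~?AF_[A-Z0-9_]+\z/], 1]],` and `Optional['RestrictNamespaces'] => Variant[Boolean, Pattern[/\A~?(ipc|net|mnt|pid|user|uts|cgroup)\z/], Array[Pattern[/\A~?(ipc|net|mnt|pid|user|uts|cgroup)\z/], 1]],`. As written, `Array[Enum[..., 'none']]` also accepts a contradictory mix such as `['none', 'AF_UNIX']`. `SystemCallFilter`, `SystemCallArchitectures` and `CapabilityBoundingSet` accept any `String`, so a malformed capability or filter name is only caught by systemd at unit load, and how an Array value is rendered (one directive per entry versus a space-joined list) is decided by the template, which is not in this hunk. The enclosing Struct begins before the hunk.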