From f09c7cbb19ee7f6e7a5f20870ace97a16bba2735 Mon Sep 17 00:00:00 2001
From: Ms Floofie
Date: Fri, 30 Sep 2022 14:44:42 -0400
Subject: [PATCH] Add explanation to ASF service hardening (#2707)

Co-authored-by: Floofie
---
 .../linux/ArchiSteamFarm@.service | 40 +++++++++----------
 .../generic-netf/ArchiSteamFarm@.service | 40 +++++++++----------
 .../generic/ArchiSteamFarm@.service | 40 +++++++++----------
 3 files changed, 60 insertions(+), 60 deletions(-)

diff --git a/ArchiSteamFarm/overlay/variant-base/linux/ArchiSteamFarm@.service b/ArchiSteamFarm/overlay/variant-base/linux/ArchiSteamFarm@.service
index 710b2cdfc..8ae39cb7e 100644
--- a/ArchiSteamFarm/overlay/variant-base/linux/ArchiSteamFarm@.service
+++ b/ArchiSteamFarm/overlay/variant-base/linux/ArchiSteamFarm@.service
@@ -10,26 +10,26 @@ SyslogIdentifier=asf-%i
 User=%i
 # ASF security hardening, all of the below entries are optional, but their existence improves security of your system
-LockPersonality=yes
-PrivateDevices=yes
-PrivateIPC=yes
-PrivateMounts=yes
-PrivateUsers=yes
-ProtectClock=yes
-ProtectControlGroups=yes
-ProtectHome=read-only
-ProtectHostname=yes
-ProtectKernelLogs=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-ProtectProc=invisible
-ProtectSystem=strict
-ReadWritePaths=/home/%i/ArchiSteamFarm /tmp
-RemoveIPC=yes
-RestrictAddressFamilies=AF_INET AF_INET6
-RestrictNamespaces=yes
-RestrictRealtime=yes
-RestrictSUIDSGID=yes
+LockPersonality=yes # ASF cannot change ABI personality
+PrivateDevices=yes # ASF has no access to hardware devices
+PrivateIPC=yes # ASF has private IPC namespace.
+PrivateMounts=yes # ASF cannot install system mounts
+PrivateUsers=yes # ASF does not have access to other users
+ProtectClock=yes # ASF cannot write to the hardware clock or system clock
+ProtectControlGroups=yes # ASF cannot modify the control group file system
+ProtectHome=read-only # ASF has read-only access to home directories
+ProtectHostname=yes # ASF cannot change system host/domainname
+ProtectKernelLogs=yes # ASF cannot read from or write to the kernel log ring buffer
+ProtectKernelModules=yes # ASF cannot load or read kernel modules
+ProtectKernelTunables=yes # ASF cannot alter kernel tunables (/proc/sys, ^` )
+ProtectProc=invisible # ASF has restricted access to process tree (/proc hidepid=)
+ProtectSystem=strict # ASF has strict read-only access to the OS file hierarchy
+ReadWritePaths=/home/%i/ArchiSteamFarm /tmp # ASF only has read/write privileges to these paths
+RemoveIPC=yes # ASF user cannot leave SysV IPC objects around
+RestrictAddressFamilies=AF_INET AF_INET6 # ASF may allocate Internet sockets
+RestrictNamespaces=yes # ASF cannot create namespaces
+RestrictRealtime=yes # ASF realtime scheduling access is restricted
+RestrictSUIDSGID=yes # SUID/SGID file creation by ASF is restricted
 [Unit]
 After=network.target
diff --git a/ArchiSteamFarm/overlay/variant-specific/generic-netf/ArchiSteamFarm@.service b/ArchiSteamFarm/overlay/variant-specific/generic-netf/ArchiSteamFarm@.service
index b2e63485c..f85aade15 100644
--- a/ArchiSteamFarm/overlay/variant-specific/generic-netf/ArchiSteamFarm@.service
+++ b/ArchiSteamFarm/overlay/variant-specific/generic-netf/ArchiSteamFarm@.service
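Review bot: Every `+` line in this hunk appends a `# …` explanation after the directive's value, but systemd unit files do not support inline comments — only a line that begins with `#` or `;` is a comment, so the parser takes e.g. `yes # ASF cannot change ABI personality` as the whole value of `LockPersonality=`, fails to parse it and should ignore the directive with a warning (the same goes for `read-only # …`, `strict # …`, the extra path-like tokens fed to `ReadWritePaths=` and the unknown families fed to `RestrictAddressFamilies=`). The practical effect is that the entire hardening block is dropped at unit load while the unit still starts, which is the opposite of what the header comment promises; running `systemd-analyze verify` on the patched unit should surface one warning per directive. Move each explanation onto its own `#` line directly above the directive it describes, as sketched below; the two following hunks (the generic-netf and generic variants) carry the identical defect. The comment on `ProtectKernelTunables=` also contains a garbled token (`^``) where a second path was presumably intended, worth re-checking when the lines are moved.
```ini
# ASF security hardening, all of the below entries are optional, but their existence improves security of your system
# ASF cannot change ABI personality
LockPersonality=yes
# ASF has no access to hardware devices
PrivateDevices=yes
# ASF has private IPC namespace.
PrivateIPC=yes
# … remaining 17 directives rewritten the same way: explanation on its own line above, bare directive below …
# SUID/SGID file creation by ASF is restricted
RestrictSUIDSGID=yes
```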
@@ -10,26 +10,26 @@ SyslogIdentifier=asf-%i
 User=%i
 # ASF security hardening, all of the below entries are optional, but their existence improves security of your system
-LockPersonality=yes
-PrivateDevices=yes
-PrivateIPC=yes
-PrivateMounts=yes
-PrivateUsers=yes
-ProtectClock=yes
-ProtectControlGroups=yes
-ProtectHome=read-only
-ProtectHostname=yes
-ProtectKernelLogs=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-ProtectProc=invisible
-ProtectSystem=strict
-ReadWritePaths=/home/%i/ArchiSteamFarm /tmp
-RemoveIPC=yes
-RestrictAddressFamilies=AF_INET AF_INET6
-RestrictNamespaces=yes
-RestrictRealtime=yes
-RestrictSUIDSGID=yes
+LockPersonality=yes # ASF cannot change ABI personality
+PrivateDevices=yes # ASF has no access to hardware devices
+PrivateIPC=yes # ASF has private IPC namespace.
+PrivateMounts=yes # ASF cannot install system mounts
+PrivateUsers=yes # ASF does not have access to other users
+ProtectClock=yes # ASF cannot write to the hardware clock or system clock
+ProtectControlGroups=yes # ASF cannot modify the control group file system
+ProtectHome=read-only # ASF has read-only access to home directories
+ProtectHostname=yes # ASF cannot change system host/domainname
+ProtectKernelLogs=yes # ASF cannot read from or write to the kernel log ring buffer
+ProtectKernelModules=yes # ASF cannot load or read kernel modules
+ProtectKernelTunables=yes # ASF cannot alter kernel tunables (/proc/sys, ^` )
+ProtectProc=invisible # ASF has restricted access to process tree (/proc hidepid=)
+ProtectSystem=strict # ASF has strict read-only access to the OS file hierarchy
+ReadWritePaths=/home/%i/ArchiSteamFarm /tmp # ASF only has read/write privileges to these paths
+RemoveIPC=yes # ASF user cannot leave SysV IPC objects around
+RestrictAddressFamilies=AF_INET AF_INET6 # ASF may allocate Internet sockets
+RestrictNamespaces=yes # ASF cannot create namespaces
+RestrictRealtime=yes # ASF realtime scheduling access is restricted
+RestrictSUIDSGID=yes # SUID/SGID file creation by ASF is restricted
 [Unit]
 After=network.target
diff --git a/ArchiSteamFarm/overlay/variant-specific/generic/ArchiSteamFarm@.service b/ArchiSteamFarm/overlay/variant-specific/generic/ArchiSteamFarm@.service
index da3e1ef63..c9d069ec3 100644
--- a/ArchiSteamFarm/overlay/variant-specific/generic/ArchiSteamFarm@.service
+++ b/ArchiSteamFarm/overlay/variant-specific/generic/ArchiSteamFarm@.service
@@ -10,26 +10,26 @@ SyslogIdentifier=asf-%i
 User=%i
 # ASF security hardening, all of the below entries are optional, but their existence improves security of your system
-LockPersonality=yes
-PrivateDevices=yes
-PrivateIPC=yes
-PrivateMounts=yes
-PrivateUsers=yes
-ProtectClock=yes
-ProtectControlGroups=yes
-ProtectHome=read-only
-ProtectHostname=yes
-ProtectKernelLogs=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-ProtectProc=invisible
-ProtectSystem=strict
-ReadWritePaths=/home/%i/ArchiSteamFarm /tmp
-RemoveIPC=yes
-RestrictAddressFamilies=AF_INET AF_INET6
-RestrictNamespaces=yes
-RestrictRealtime=yes
-RestrictSUIDSGID=yes
+LockPersonality=yes # ASF cannot change ABI personality
+PrivateDevices=yes # ASF has no access to hardware devices
+PrivateIPC=yes # ASF has private IPC namespace.
+PrivateMounts=yes # ASF cannot install system mounts
+PrivateUsers=yes # ASF does not have access to other users
+ProtectClock=yes # ASF cannot write to the hardware clock or system clock
+ProtectControlGroups=yes # ASF cannot modify the control group file system
+ProtectHome=read-only # ASF has read-only access to home directories
+ProtectHostname=yes # ASF cannot change system host/domainname
+ProtectKernelLogs=yes # ASF cannot read from or write to the kernel log ring buffer
+ProtectKernelModules=yes # ASF cannot load or read kernel modules
+ProtectKernelTunables=yes # ASF cannot alter kernel tunables (/proc/sys, ^` )
+ProtectProc=invisible # ASF has restricted access to process tree (/proc hidepid=)
+ProtectSystem=strict # ASF has strict read-only access to the OS file hierarchy
+ReadWritePaths=/home/%i/ArchiSteamFarm /tmp # ASF only has read/write privileges to these paths
+RemoveIPC=yes # ASF user cannot leave SysV IPC objects around
+RestrictAddressFamilies=AF_INET AF_INET6 # ASF may allocate Internet sockets
+RestrictNamespaces=yes # ASF cannot create namespaces
+RestrictRealtime=yes # ASF realtime scheduling access is restricted
+RestrictSUIDSGID=yes # SUID/SGID file creation by ASF is restricted
 [Unit]
 After=network.target