mirror of
https://github.com/JustArchiNET/ArchiSteamFarm.git
synced 2026-01-06 17:10:13 +00:00
Add explanation to ASF service hardening (#2707)
Co-authored-by: Floofie <sysmin@floofie.org>
This commit is contained in:
Ms Floofie
@@ -10,26 +10,26 @@ SyslogIdentifier=asf-%i
|
|||||||
User=%i
|
User=%i
|
||||||
|
|
||||||
# ASF security hardening, all of the below entries are optional, but their existence improves security of your system
|
# ASF security hardening, all of the below entries are optional, but their existence improves security of your system
|
||||||
LockPersonality=yes
|
LockPersonality=yes # ASF cannot change ABI personality
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes # ASF has no access to hardware devices
|
||||||
PrivateIPC=yes
|
PrivateIPC=yes # ASF has private IPC namespace.
|
||||||
PrivateMounts=yes
|
PrivateMounts=yes # ASF cannot install system mounts
|
||||||
PrivateUsers=yes
|
PrivateUsers=yes # ASF does not have access to other users
|
||||||
ProtectClock=yes
|
ProtectClock=yes # ASF cannot write to the hardware clock or system clock
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes # ASF cannot modify the control group file system
|
||||||
ProtectHome=read-only
|
ProtectHome=read-only # ASF has read-only access to home directories
|
||||||
ProtectHostname=yes
|
ProtectHostname=yes # ASF cannot change system host/domainname
|
||||||
ProtectKernelLogs=yes
|
ProtectKernelLogs=yes # ASF cannot read from or write to the kernel log ring buffer
|
||||||
ProtectKernelModules=yes
|
ProtectKernelModules=yes # ASF cannot load or read kernel modules
|
||||||
ProtectKernelTunables=yes
|
ProtectKernelTunables=yes # ASF cannot alter kernel tunables (/proc/sys, ^` )
|
||||||
ProtectProc=invisible
|
ProtectProc=invisible # ASF has restricted access to process tree (/proc hidepid=)
|
||||||
ProtectSystem=strict
|
ProtectSystem=strict # ASF has strict read-only access to the OS file hierarchy
|
||||||
ReadWritePaths=/home/%i/ArchiSteamFarm /tmp
|
ReadWritePaths=/home/%i/ArchiSteamFarm /tmp # ASF only has read/write privileges to these paths
|
||||||
RemoveIPC=yes
|
RemoveIPC=yes # ASF user cannot leave SysV IPC objects around
|
||||||
RestrictAddressFamilies=AF_INET AF_INET6
|
RestrictAddressFamilies=AF_INET AF_INET6 # ASF may allocate Internet sockets
|
||||||
RestrictNamespaces=yes
|
RestrictNamespaces=yes # ASF cannot create namespaces
|
||||||
RestrictRealtime=yes
|
RestrictRealtime=yes # ASF realtime scheduling access is restricted
|
||||||
RestrictSUIDSGID=yes
|
RestrictSUIDSGID=yes # SUID/SGID file creation by ASF is restricted
|
||||||
|
|
||||||
[Unit]
|
[Unit]
|
||||||
After=network.target
|
After=network.target
|
||||||
|
|||||||
@@ -10,26 +10,26 @@ SyslogIdentifier=asf-%i
|
|||||||
User=%i
|
User=%i
|
||||||
|
|
||||||
# ASF security hardening, all of the below entries are optional, but their existence improves security of your system
|
# ASF security hardening, all of the below entries are optional, but their existence improves security of your system
|
||||||
LockPersonality=yes
|
LockPersonality=yes # ASF cannot change ABI personality
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes # ASF has no access to hardware devices
|
||||||
PrivateIPC=yes
|
PrivateIPC=yes # ASF has private IPC namespace.
|
||||||
PrivateMounts=yes
|
PrivateMounts=yes # ASF cannot install system mounts
|
||||||
PrivateUsers=yes
|
PrivateUsers=yes # ASF does not have access to other users
|
||||||
ProtectClock=yes
|
ProtectClock=yes # ASF cannot write to the hardware clock or system clock
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes # ASF cannot modify the control group file system
|
||||||
ProtectHome=read-only
|
ProtectHome=read-only # ASF has read-only access to home directories
|
||||||
ProtectHostname=yes
|
ProtectHostname=yes # ASF cannot change system host/domainname
|
||||||
ProtectKernelLogs=yes
|
ProtectKernelLogs=yes # ASF cannot read from or write to the kernel log ring buffer
|
||||||
ProtectKernelModules=yes
|
ProtectKernelModules=yes # ASF cannot load or read kernel modules
|
||||||
ProtectKernelTunables=yes
|
ProtectKernelTunables=yes # ASF cannot alter kernel tunables (/proc/sys, ^` )
|
||||||
ProtectProc=invisible
|
ProtectProc=invisible # ASF has restricted access to process tree (/proc hidepid=)
|
||||||
ProtectSystem=strict
|
ProtectSystem=strict # ASF has strict read-only access to the OS file hierarchy
|
||||||
ReadWritePaths=/home/%i/ArchiSteamFarm /tmp
|
ReadWritePaths=/home/%i/ArchiSteamFarm /tmp # ASF only has read/write privileges to these paths
|
||||||
RemoveIPC=yes
|
RemoveIPC=yes # ASF user cannot leave SysV IPC objects around
|
||||||
RestrictAddressFamilies=AF_INET AF_INET6
|
RestrictAddressFamilies=AF_INET AF_INET6 # ASF may allocate Internet sockets
|
||||||
RestrictNamespaces=yes
|
RestrictNamespaces=yes # ASF cannot create namespaces
|
||||||
RestrictRealtime=yes
|
RestrictRealtime=yes # ASF realtime scheduling access is restricted
|
||||||
RestrictSUIDSGID=yes
|
RestrictSUIDSGID=yes # SUID/SGID file creation by ASF is restricted
|
||||||
|
|
||||||
[Unit]
|
[Unit]
|
||||||
After=network.target
|
After=network.target
|
||||||
|
|||||||
@@ -10,26 +10,26 @@ SyslogIdentifier=asf-%i
|
|||||||
User=%i
|
User=%i
|
||||||
|
|
||||||
# ASF security hardening, all of the below entries are optional, but their existence improves security of your system
|
# ASF security hardening, all of the below entries are optional, but their existence improves security of your system
|
||||||
LockPersonality=yes
|
LockPersonality=yes # ASF cannot change ABI personality
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes # ASF has no access to hardware devices
|
||||||
PrivateIPC=yes
|
PrivateIPC=yes # ASF has private IPC namespace.
|
||||||
PrivateMounts=yes
|
PrivateMounts=yes # ASF cannot install system mounts
|
||||||
PrivateUsers=yes
|
PrivateUsers=yes # ASF does not have access to other users
|
||||||
ProtectClock=yes
|
ProtectClock=yes # ASF cannot write to the hardware clock or system clock
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes # ASF cannot modify the control group file system
|
||||||
ProtectHome=read-only
|
ProtectHome=read-only # ASF has read-only access to home directories
|
||||||
ProtectHostname=yes
|
ProtectHostname=yes # ASF cannot change system host/domainname
|
||||||
ProtectKernelLogs=yes
|
ProtectKernelLogs=yes # ASF cannot read from or write to the kernel log ring buffer
|
||||||
ProtectKernelModules=yes
|
ProtectKernelModules=yes # ASF cannot load or read kernel modules
|
||||||
ProtectKernelTunables=yes
|
ProtectKernelTunables=yes # ASF cannot alter kernel tunables (/proc/sys, ^` )
|
||||||
ProtectProc=invisible
|
ProtectProc=invisible # ASF has restricted access to process tree (/proc hidepid=)
|
||||||
ProtectSystem=strict
|
ProtectSystem=strict # ASF has strict read-only access to the OS file hierarchy
|
||||||
ReadWritePaths=/home/%i/ArchiSteamFarm /tmp
|
ReadWritePaths=/home/%i/ArchiSteamFarm /tmp # ASF only has read/write privileges to these paths
|
||||||
RemoveIPC=yes
|
RemoveIPC=yes # ASF user cannot leave SysV IPC objects around
|
||||||
RestrictAddressFamilies=AF_INET AF_INET6
|
RestrictAddressFamilies=AF_INET AF_INET6 # ASF may allocate Internet sockets
|
||||||
RestrictNamespaces=yes
|
RestrictNamespaces=yes # ASF cannot create namespaces
|
||||||
RestrictRealtime=yes
|
RestrictRealtime=yes # ASF realtime scheduling access is restricted
|
||||||
RestrictSUIDSGID=yes
|
RestrictSUIDSGID=yes # SUID/SGID file creation by ASF is restricted
|
||||||
|
|
||||||
[Unit]
|
[Unit]
|
||||||
After=network.target
|
After=network.target
|
||||||
|
|||||||
Reference in New Issue
Block a user