systemd security settings

This commit is contained in:
palto42 2020-08-22 15:41:25 +02:00
parent 79d4888e22
commit 631c3068a9
3 changed files with 36 additions and 0 deletions

@ -29,6 +29,8 @@ map:
expanded. Multiple repositories are backed up to in expanded. Multiple repositories are backed up to in
sequence. See ssh_command for SSH options like identity file sequence. See ssh_command for SSH options like identity file
or port. or port.
If systemd service is used, then add local repository paths
in the systemd service file to the ReadWritePaths list.
example: example:
- user@backupserver:sourcehostname.borg - user@backupserver:sourcehostname.borg
one_file_system: one_file_system:
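Review bot: the added sentence is unconditional, but `ReadWritePaths` only has an effect when the unit runs with `ProtectSystem=strict` (or `ProtectHome=read-only`); with the shipped `ProtectSystem=full` local repositories outside `/usr`, `/boot` and `/etc` stay writable without any change. Suggest "If the systemd service is used with `ProtectSystem=strict`, add local repository paths to the `ReadWritePaths` list in the service file." ("If systemd service" also needs the article.)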

@ -268,6 +268,10 @@ sudo mv borgmatic.service borgmatic.timer /etc/systemd/system/
sudo systemctl enable --now borgmatic.timer sudo systemctl enable --now borgmatic.timer
``` ```
Review the security settings in the service file and update them as needed.
If `ProtectSystem=strict` is enabled and local repositories are used, then
the repository path must be added to the `ReadWritePaths` list.
Feel free to modify the timer file based on how frequently you'd like Feel free to modify the timer file based on how frequently you'd like
borgmatic to run. borgmatic to run.
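Review bot: the new paragraph covers only repository paths, but under `ProtectSystem=strict` everything else borgmatic writes must be listed as well, so point the reader at the commented `ReadWritePaths` line in the shipped unit (borg config and cache directories, the borgmatic directory) and mention that `ProtectHome=read-only` additionally makes repositories under `/home` or `/root` read-only unless listed. Also worth stating that `sudo systemctl daemon-reload` is needed after editing the unit in `/etc/systemd/system/`, and that `systemd-analyze security borgmatic.service` shows which restrictions actually took effect.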

@ -7,6 +7,36 @@ ConditionACPower=true
[Service] [Service]
Type=oneshot Type=oneshot
# Security settings for systemd running as root
# For more details about this settings check the systemd manuals
# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
LockPersonality=true
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
# Restrict write access
# Change to 'ProtectSystem=strict' and uncomment 'ProtectHome' to make the whole file
# system read-only be default and uncomment 'ReadWritePaths' for the required write access.
# Add local repositroy paths to the list of 'ReadWritePaths' like '-/mnt/my_backup_drive'.
ProtectSystem=full
# ProtectHome=read-only
# ReadWritePaths=-/root/.config/borg -/root/.cache/borg -/root/.borgmatic
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
# Lower CPU and I/O priority. # Lower CPU and I/O priority.
Nice=19 Nice=19
CPUSchedulingPolicy=batch CPUSchedulingPolicy=batch
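Review bot: `CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW` keeps a capability nothing in the unit explains; reading the filesystem and connecting over SSH needs `CAP_DAC_READ_SEARCH` but not raw sockets, so either drop `CAP_NET_RAW` or add a comment saying what requires it. Several directives (`ProtectHostname=`, `RestrictSUIDSGID=`, `ProtectKernelLogs=`, `ProtectClock=`) only exist in systemd 242 to 245 and later; older releases log a warning about an unknown key and ignore them, so the hardening is weaker than the file suggests and the README should state the minimum systemd version or advise checking `journalctl -u borgmatic` and `systemd-analyze security borgmatic.service` after installation. The comment block promises a read-only file system, but `ProtectSystem=full` with `ProtectHome` commented out leaves `/root`, `/home` and `/var` writable; say plainly that only `strict` together with `ProtectHome=read-only` delivers that. Typos in the comments: "this settings" should read "these settings", "be default" should be "by default", and "repositroy" should be "repository".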