Commit 18cd2c0f authored by erdnaxe's avatar erdnaxe 🦋

Harden logrotate

parent 90a5014a
......@@ -89,4 +89,24 @@
RestrictNamespaces = true; # arch
RestrictRealtime = true; # arch
};
systemd.services.logrotate.serviceConfig = {
# https://github.com/logrotate/logrotate/blob/master/examples/logrotate.service
Nice = 19;
IOSchedulingClass = "best-effort";
IOSchedulingPriority = 7;
LockPersonality = true;
MemoryDenyWriteExecute = true;
PrivateDevices = true;
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "full";
RestrictNamespaces = true;
RestrictRealtime = true;
};
}
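Review bot: The new `systemd.services.logrotate.serviceConfig` block leaves out `NoNewPrivileges`, `ProtectHome`, `PrivateNetwork` and `RestrictSUIDSGID` without saying whether that is deliberate, so a later reader who wants to harden the unit further cannot tell which of them are safe to add. logrotate runs as root and executes the pre/postrotate scripts from its configuration, so these omissions are probably compatibility trade-offs (the linked upstream example appears to document them that way); a comment such as `# no NoNewPrivileges/ProtectHome/PrivateNetwork/RestrictSUIDSGID: rotate scripts, user-dir logs, mail delivery, setgid log dirs` above `LockPersonality` would record that. `ProtectSystem = "full"` also leaves everything outside `/usr`, `/boot`, `/efi` and `/etc` writable; if every rotated path on this host is known, `ProtectSystem = "strict";` with `ReadWritePaths = [ "/var/log" ];` would be tighter, but that needs checking against the configured log locations first.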