From 24bd94dec4bf2a20a741ea3395a0ab475cad7769 Mon Sep 17 00:00:00 2001
From: michael <michael@dragons-at-work.de>
Date: Sun, 7 Sep 2025 18:40:32 +0200
Subject: [PATCH] feat(deployment): add systemd security hardening

- Add ProtectSystem=strict for read-only filesystem
- Add ReadWritePaths for required directories
- Add ProtectHome=yes to block home access
- Add NoNewPrivileges=yes to prevent escalation
- Add PrivateTmp=yes for isolated temp space
- Add RestrictAddressFamilies=AF_INET for IPv4-only

Related DAW/furt#110
---
 deployment/linux/furt.service | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/deployment/linux/furt.service b/deployment/linux/furt.service
index a504d30..5dd1150 100644
--- a/deployment/linux/furt.service
+++ b/deployment/linux/furt.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=furt Multi-Tenant API Gateway
+Description=furt Multi-Tenant API Gateway (Security-Hardened)
 After=network.target
 
 [Service]
@@ -14,6 +14,20 @@ RestartSec=5
 StandardOutput=journal
 StandardError=journal
 
+# === SECURITY HARDENING ===
+
+# Filesystem Protection
+ProtectSystem=strict
+ReadWritePaths=/var/run/furt /var/log/furt
+ProtectHome=yes
+
+# Process Hardening
+NoNewPrivileges=yes
+PrivateTmp=yes
+
+# Network Restriction
+RestrictAddressFamilies=AF_INET
+
 [Install]
 WantedBy=multi-user.target