feat(deployment): add systemd security hardening

- Add ProtectSystem=strict for read-only filesystem - Add ReadWritePaths for required directories - Add ProtectHome=yes to block home access - Add NoNewPrivileges=yes to prevent escalation - Add PrivateTmp=yes for isolated temp space - Add RestrictAddressFamilies=AF_INET for IPv4-only Related DAW/furt#110
2025-09-07 18:40:32 +02:00 · 2025-09-07 18:40:32 +02:00 · 24bd94dec4
commit 24bd94dec4
parent 77b9685231
1 changed files with 15 additions and 1 deletions
--- a/deployment/linux/furt.service
+++ b/deployment/linux/furt.service
@ -1,5 +1,5 @@
 [Unit]
-Description=furt Multi-Tenant API Gateway
+Description=furt Multi-Tenant API Gateway (Security-Hardened)
 After=network.target

 [Service]
@ -14,6 +14,20 @@ RestartSec=5
 StandardOutput=journal
 StandardError=journal

+# === SECURITY HARDENING ===
+
+# Filesystem Protection
+ProtectSystem=strict
+ReadWritePaths=/var/run/furt /var/log/furt
+ProtectHome=yes
+
+# Process Hardening
+NoNewPrivileges=yes
+PrivateTmp=yes
+
+# Network Restriction
+RestrictAddressFamilies=AF_INET
+
 [Install]
 WantedBy=multi-user.target