feat(deployment): add systemd security hardening
- Add ProtectSystem=strict for read-only filesystem
- Add ReadWritePaths for required directories
- Add ProtectHome=yes to block home access
- Add NoNewPrivileges=yes to prevent escalation
- Add PrivateTmp=yes for isolated temp space
- Add RestrictAddressFamilies=AF_INET for IPv4-only

Related DAW/furt#110
parent
77b9685231
commit
24bd94dec4
1 changed files with 15 additions and 1 deletions
|
|
@ -1,5 +1,5 @@
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=furt Multi-Tenant API Gateway
|
Description=furt Multi-Tenant API Gateway (Security-Hardened)
|
||||||
After=network.target
|
After=network.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
|
|
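Review bot: The new Description= value carries a "(Security-Hardened)" suffix, which describes the state of the unit file rather than the service and goes stale as soon as the directives change. Keep `Description=furt Multi-Tenant API Gateway` and let the directives speak for themselves; running `systemd-analyze security` against the unit reports the actual exposure.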
@ -14,6 +14,20 @@ RestartSec=5
|
||||||
StandardOutput=journal
|
StandardOutput=journal
|
||||||
StandardError=journal
|
StandardError=journal
|
||||||
|
|
||||||
|
# === SECURITY HARDENING ===
|
||||||
|
|
||||||
|
# Filesystem Protection
|
||||||
|
ProtectSystem=strict
|
||||||
|
ReadWritePaths=/var/run/furt /var/log/furt
|
||||||
|
ProtectHome=yes
|
||||||
|
|
||||||
|
# Process Hardening
|
||||||
|
NoNewPrivileges=yes
|
||||||
|
PrivateTmp=yes
|
||||||
|
|
||||||
|
# Network Restriction
|
||||||
|
RestrictAddressFamilies=AF_INET
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
|
||||||
|
|
|
||||||
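Review bot: `ReadWritePaths=/var/run/furt /var/log/furt` under `ProtectSystem=strict` requires both directories to exist before the service starts, and nothing in the visible lines creates them; if either is missing, mount namespace setup fails and the unit does not start (exit status 226/NAMESPACE). /var/run is normally a symlink to /run, which is a tmpfs, so /var/run/furt disappears on every reboot unless something recreates it. Consider `RuntimeDirectory=furt` and `LogsDirectory=furt` instead, which create /run/furt and /var/log/furt for the service and keep them writable under ProtectSystem=strict. Separately, `RestrictAddressFamilies=AF_INET` also denies AF_UNIX, so any socket() call for a local Unix socket (syslog, sd_notify, a local database or helper) fails with EAFNOSUPPORT; if the gateway uses any of these, list AF_UNIX as well, and note in the "# Network Restriction" comment that IPv6 is excluded on purpose.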