From 24bd94dec4bf2a20a741ea3395a0ab475cad7769 Mon Sep 17 00:00:00 2001 From: michael Date: Sun, 7 Sep 2025 18:40:32 +0200 Subject: [PATCH 1/2] feat(deployment): add systemd security hardening - Add ProtectSystem=strict for read-only filesystem - Add ReadWritePaths for required directories - Add ProtectHome=yes to block home access - Add NoNewPrivileges=yes to prevent escalation - Add PrivateTmp=yes for isolated temp space - Add RestrictAddressFamilies=AF_INET for IPv4-only Related DAW/furt#110 --- deployment/linux/furt.service | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/deployment/linux/furt.service b/deployment/linux/furt.service index a504d30..5dd1150 100644 --- a/deployment/linux/furt.service +++ b/deployment/linux/furt.service @@ -1,5 +1,5 @@ [Unit] -Description=furt Multi-Tenant API Gateway +Description=furt Multi-Tenant API Gateway (Security-Hardened) After=network.target [Service] @@ -14,6 +14,20 @@ RestartSec=5 StandardOutput=journal StandardError=journal +# === SECURITY HARDENING === + +# Filesystem Protection +ProtectSystem=strict +ReadWritePaths=/var/run/furt /var/log/furt +ProtectHome=yes + +# Process Hardening +NoNewPrivileges=yes +PrivateTmp=yes + +# Network Restriction +RestrictAddressFamilies=AF_INET + [Install] WantedBy=multi-user.target From 32c51e326e8e87e4b72c24553282ce8b490c469e Mon Sep 17 00:00:00 2001 From: michael Date: Sun, 7 Sep 2025 18:40:32 +0200 Subject: [PATCH 2/2] chore: merkwerk auto-update --- .version_history | 1 + 1 file changed, 1 insertion(+) diff --git a/.version_history b/.version_history index afbb225..3f19c35 100644 --- a/.version_history +++ b/.version_history @@ -23,3 +23,4 @@ a670de0f,d271b84,refactor/extract-health-routes-and-server-core,2025-09-05T17:25 a670de0f,25a709e,feature/pid-file-service-management,2025-09-05T20:30:13Z,michael,git,lua-api a670de0f,59f372f,feature/pid-file-service-management,2025-09-07T14:58:01Z,michael,git,lua-api a670de0f,683d6e5,fix/validate-config-posix-regex,2025-09-07T16:00:48Z,michael,git,lua-api +a670de0f,24bd94d,feature/systemd-hardening,2025-09-07T16:40:47Z,michael,git,lua-api