feat(security): Enhance systemd hardening directives

Adds additional systemd security directives for defense in depth:
- MemoryDenyWriteExecute=true (prevents RWX memory)
- RestrictRealtime=true (denies realtime scheduling)
- ProtectHostname=true (hostname protection)
- ProtectKernelLogs=true (kernel log protection)
- SystemCallArchitectures=native (native syscalls only)

These directives provide additional layers to slow/prevent
post-compromise exploitation of the proxy process.

Related to security audit 2025-11-07.
This commit is contained in:
rcourtman 2025-11-07 17:09:47 +00:00
parent 9aafa6449f
commit 97f9de6c95

View file

@ -42,6 +42,13 @@ AmbientCapabilities=
KeyringMode=private
LimitNOFILE=1024
# Additional hardening (post-audit)
MemoryDenyWriteExecute=true
RestrictRealtime=true
ProtectHostname=true
ProtectKernelLogs=true
SystemCallArchitectures=native
# Logging
StandardOutput=journal
StandardError=journal