feat(security): Enhance systemd hardening directives
Adds additional systemd security directives for defense in depth: - MemoryDenyWriteExecute=true (prevents RWX memory) - RestrictRealtime=true (denies realtime scheduling) - ProtectHostname=true (hostname protection) - ProtectKernelLogs=true (kernel log protection) - SystemCallArchitectures=native (native syscalls only) These directives provide additional layers to slow/prevent post-compromise exploitation of the proxy process. Related to security audit 2025-11-07.
This commit is contained in:
parent
9aafa6449f
commit
97f9de6c95
1 changed files with 7 additions and 0 deletions
|
|
@ -42,6 +42,13 @@ AmbientCapabilities=
|
|||
KeyringMode=private
|
||||
LimitNOFILE=1024
|
||||
|
||||
# Additional hardening (post-audit)
|
||||
MemoryDenyWriteExecute=true
|
||||
RestrictRealtime=true
|
||||
ProtectHostname=true
|
||||
ProtectKernelLogs=true
|
||||
SystemCallArchitectures=native
|
||||
|
||||
# Logging
|
||||
StandardOutput=journal
|
||||
StandardError=journal
|
||||
|
|
|
|||
Loading…
Reference in a new issue