From 97f9de6c959e371b9bce2ef4fe1bd85100896c5f Mon Sep 17 00:00:00 2001 From: rcourtman Date: Fri, 7 Nov 2025 17:09:47 +0000 Subject: [PATCH] feat(security): Enhance systemd hardening directives Adds additional systemd security directives for defense in depth: - MemoryDenyWriteExecute=true (prevents RWX memory) - RestrictRealtime=true (denies realtime scheduling) - ProtectHostname=true (hostname protection) - ProtectKernelLogs=true (kernel log protection) - SystemCallArchitectures=native (native syscalls only) These directives provide additional layers to slow/prevent post-compromise exploitation of the proxy process. Related to security audit 2025-11-07. --- scripts/pulse-sensor-proxy.service | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/scripts/pulse-sensor-proxy.service b/scripts/pulse-sensor-proxy.service index 7452614..584bd05 100644 --- a/scripts/pulse-sensor-proxy.service +++ b/scripts/pulse-sensor-proxy.service @@ -42,6 +42,13 @@ AmbientCapabilities= KeyringMode=private LimitNOFILE=1024 +# Additional hardening (post-audit) +MemoryDenyWriteExecute=true +RestrictRealtime=true +ProtectHostname=true +ProtectKernelLogs=true +SystemCallArchitectures=native + # Logging StandardOutput=journal StandardError=journal