authorIzorkin <izorkin@elven.pw>2019-12-23 14:58:02 +0300
committerIzorkin <izorkin@elven.pw>2020-01-29 23:15:56 +0300
commit96e2669114ce92be090b5348ba3e1f2d0d58366f (patch)
tree16452c361ef129db9e6599aed5907bb4b7ec2f01
parentf1d7dfe29f091639d935358f2d3a4ee94973d30a (diff)
nixos/fail2ban: enable sandboxing
-rw-r--r--nixos/modules/services/security/fail2ban.nix24
1 files changed, 19 insertions, 5 deletions
diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix
index ba1a23f05d29..cb748c93d24e 100644
--- a/nixos/modules/services/security/fail2ban.nix
+++ b/nixos/modules/services/security/fail2ban.nix
@@ -250,12 +250,26 @@ in
         Type = "simple";
         Restart = "on-failure";
         PIDFile = "/run/fail2ban/fail2ban.pid";
-
-        ReadOnlyDirectories = "/";
-        ReadWriteDirectories = "/run/fail2ban /var/tmp /var/lib";
-        PrivateTmp = "true";
+        # Capabilities
+        CapabilityBoundingSet = [ "CAP_AUDIT_READ" "CAP_DAC_READ_SEARCH" "CAP_NET_ADMIN" "CAP_NET_RAW" ];
+        # Security
+        NoNewPrivileges = true;
+        # Directory
         RuntimeDirectory = "fail2ban";
-        CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW";
+        RuntimeDirectoryMode = "0750";
+        StateDirectory = "fail2ban";
+        StateDirectoryMode = "0750";
+        LogsDirectory = "fail2ban";
+        LogsDirectoryMode = "0750";
+        # Sandboxing
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        ProtectHostname = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectControlGroups = true;
       };
     };