From 715507b5ffc73bc1efe4ffd6c3d09d0dee1671c7 Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Sun, 12 Nov 2017 08:33:33 +0000
Subject: [PATCH] Add systemd hardening to sso-server

---
 debian/sso-server.service | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/debian/sso-server.service b/debian/sso-server.service
index 3988260..6f99826 100644
--- a/debian/sso-server.service
+++ b/debian/sso-server.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=SSO Server
-After=auth-server.socket
+After=network.target auth-server.socket
 
 [Service]
 User=sso-server
@@ -9,6 +9,15 @@ EnvironmentFile=-/etc/default/sso-server
 ExecStart=/usr/bin/sso-server --addr $ADDR
 Restart=always
 
+# Hardening
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectHome=yes
+ProtectSystem=full
+ReadOnlyDirectories=/
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
 [Install]
 WantedBy=multi-user.target
 
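Review bot: `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` only caps which capabilities the process may ever hold; it does not grant any. With `User=sso-server` (visible in the first hunk) the service starts without that capability in its effective set, so this line alone does not let it bind a port below 1024. `$ADDR` comes from /etc/default/sso-server, which is not shown: if it is a privileged port, add `AmbientCapabilities=CAP_NET_BIND_SERVICE`; if it is not, an empty `CapabilityBoundingSet=` is the tighter setting. Separately, `ReadOnlyDirectories=/` largely overlaps with `ProtectSystem=full`, and any path the server has to write would need a matching `ReadWriteDirectories=` entry. A comment under `# Hardening` such as `# whole tree is read-only; add ReadWriteDirectories= for any state dir` would make that constraint explicit for the next maintainer.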
-- 
GitLab