JensTimmerman / ansible-role-vaultwarden

Builds, installs and configures vaultwarden (https://github.com/dani-garcia/vaultwarden) (without Docker)

Home Page:https://galaxy.ansible.com/jenstimmerman/vaultwarden

further restrict systemd service file

JensTimmerman opened this issue · comments

  • PrivateTmp=yes
  • ProtectSystem=strict
  • ProtectHome=yes
  • ProtectClock=yes
  • ProtectHostname=yes
  • ProtectControlGroups=yes
  • ProtectKernelLogs=yes
  • ProtectKernelModules=yes
  • ProtectKernelTunables=yes
  • ProtectProc=invisible
  • PrivateDevices=yes
  • PrivateNetwork=yes
  • NoNewPrivileges=yes
  • User=vaultwarden

If we want to go further, we could also consider:

  • CapabilityBoundingSet=
  • DevicePolicy=closed
  • KeyringMode=private
  • LockPersonality=yes
  • MemoryDenyWriteExecute=yes
  • PrivateUsers=yes
  • RemoveIPC=yes
  • RestrictAddressFamilies=
  • RestrictNamespaces=yes
  • RestrictRealtime=yes
  • RestrictSUIDSGID=yes
  • SystemCallFilter=
  • SystemCallArchitectures=native
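As an added example (not code from the role or from the issue above), the script below parses a unit's `[Service]` section, reports which of the baseline directives listed above are missing, and flags the settings that need a second look before they go into a vaultwarden unit. Vaultwarden serves HTTP over the network and writes to its data directory, so: `PrivateNetwork=yes` leaves the service with only a loopback device in a private network namespace; `ProtectSystem=strict` makes the filesystem read-only unless `ReadWritePaths=` or `StateDirectory=` opens up the data directory; and per systemd.exec(5) an empty assignment means different things to different directives: `CapabilityBoundingSet=` resets the bounding set to no capabilities, while `RestrictAddressFamilies=` and `SystemCallFilter=` undo any earlier restriction rather than impose one. The unit texts, the data directory path and the suggested address families and syscall sets are constructed for this example and are assumptions, not settings taken from the role.

```python
"""Audit a systemd unit's [Service] section against the hardening list above.

Added example, not part of the role or the issue. Unit texts below are
constructed; the data directory path is an assumption.
"""
from __future__ import annotations

# The first list from the issue, minus PrivateNetwork, which is checked separately.
BASELINE = {
    "PrivateTmp": "yes", "ProtectSystem": "strict", "ProtectHome": "yes",
    "ProtectClock": "yes", "ProtectHostname": "yes", "ProtectControlGroups": "yes",
    "ProtectKernelLogs": "yes", "ProtectKernelModules": "yes",
    "ProtectKernelTunables": "yes", "ProtectProc": "invisible",
    "PrivateDevices": "yes", "NoNewPrivileges": "yes", "User": "vaultwarden",
}
TRUTHY = {"yes", "true", "on", "1"}


def parse_service(unit_text: str) -> dict[str, list[str]]:
    """Collect every [Service] assignment in order, keyed by directive name.

    List-valued directives (SystemCallFilter=, CapabilityBoundingSet=,
    RestrictAddressFamilies=) may appear several times, so all values are kept.
    """
    values: dict[str, list[str]] = {}
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            values.setdefault(key.strip(), []).append(value.strip())
    return values


def effective_list(assignments: list[str]) -> list[str]:
    """Resolve repeated list assignments: an empty assignment clears earlier ones."""
    result: list[str] = []
    for value in assignments:
        result = [] if value == "" else result + value.split()
    return result


def audit(unit_text: str, network_service: bool = True) -> dict[str, list[str]]:
    svc = parse_service(unit_text)
    missing = [f"{key}={want}" for key, want in BASELINE.items()
               if key not in svc or svc[key][-1].lower() != want]
    warnings: list[str] = []
    if network_service and svc.get("PrivateNetwork", ["no"])[-1].lower() in TRUTHY:
        warnings.append("PrivateNetwork=yes: only a loopback device is visible, so the "
                        "service cannot accept clients or reach a database or SMTP host")
    if svc.get("ProtectSystem", [""])[-1].lower() == "strict" and not (
            svc.get("ReadWritePaths") or svc.get("StateDirectory")):
        warnings.append("ProtectSystem=strict without ReadWritePaths= or StateDirectory=: "
                        "the data directory is read-only")
    # Empty assignments differ per directive (systemd.exec(5)):
    # CapabilityBoundingSet= -> empty bounding set, every capability dropped (fine here);
    # RestrictAddressFamilies= / SystemCallFilter= -> restriction undone, i.e. a no-op.
    for key, fix in (("RestrictAddressFamilies", "AF_INET AF_INET6 AF_UNIX"),
                     ("SystemCallFilter", "@system-service")):
        if key in svc and not effective_list(svc[key]):
            warnings.append(f"{key}= (empty) undoes the restriction; try {key}={fix}")
    return {"missing": missing, "warnings": warnings}


_COMMON = """[Service]
User=vaultwarden
ExecStart=/usr/local/bin/vaultwarden
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ProtectClock=yes
ProtectHostname=yes
ProtectControlGroups=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
PrivateDevices=yes
NoNewPrivileges=yes
CapabilityBoundingSet=
"""
# The issue's list transcribed literally (constructed unit text).
PROPOSED_UNIT = _COMMON + "PrivateNetwork=yes\nRestrictAddressFamilies=\nSystemCallFilter=\n"
# The same list adjusted for a network-facing service; the data path is assumed.
HARDENED_UNIT = _COMMON + """ReadWritePaths=/var/lib/vaultwarden
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native
"""

if __name__ == "__main__":
    for name, unit in (("proposed", PROPOSED_UNIT), ("hardened", HARDENED_UNIT)):
        print(name, audit(unit))
```

Run it against the unit the role installs (for example `systemctl cat vaultwarden.service`) and then confirm the result on the host with `systemd-analyze security vaultwarden.service`; the script only reads the unit text, so it can run on a workstation without systemd.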