Diffstat (limited to 'scripts')
-rw-r--r--scripts/memcached.service80
-rw-r--r--scripts/memcached.sysconfig10
-rw-r--r--scripts/memcached@.service89
3 files changed, 145 insertions, 34 deletions
diff --git a/scripts/memcached.service b/scripts/memcached.service
index 2bfbb67..88a4b8a 100644
--- a/scripts/memcached.service
+++ b/scripts/memcached.service
@@ -1,10 +1,10 @@
# It's not recommended to modify this file in-place, because it will be
# overwritten during upgrades. If you want to customize, the best
# way is to use the "systemctl edit" command to create an override unit.
-
+#
# For example, to pass additional options, create an override unit
# (as is done by systemctl edit) and enter the following:
-
+#
# [Service]
# Environment=OPTIONS="-l 127.0.0.1,::1"
@@ -17,56 +17,68 @@ After=network.target
EnvironmentFile=/etc/sysconfig/memcached
ExecStart=/usr/bin/memcached -p ${PORT} -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} $OPTIONS
-# Set up a new file system namespace and mounts private /tmp and /var/tmp directories
-# so this service cannot access the global directories and other processes cannot
-# access this service's directories.
+# Set up a new file system namespace and mounts private /tmp and /var/tmp
+# directories so this service cannot access the global directories and
+# other processes cannot access this service's directories.
PrivateTmp=true
-# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit.
+# Mounts the /usr, /boot, and /etc directories read-only for processes
+# invoked by this unit.
ProtectSystem=full
-# Ensures that the service process and all its children can never gain new privileges
+# Ensures that the service process and all its children can never gain new
+# privileges
NoNewPrivileges=true
-# Sets up a new /dev namespace for the executed processes and only adds API pseudo devices
-# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it,
-# but no physical devices such as /dev/sda.
+# Sets up a new /dev namespace for the executed processes and only adds API
+# pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as
+# the pseudo TTY subsystem) to it, but no physical devices such as /dev/sda.
PrivateDevices=true
# Required for dropping privileges and running as a different user
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
-# Attempts to create memory mappings that are writable and executable at the same time,
-# or to change existing memory mappings to become executable are prohibited.
-MemoryDenyWriteExecute=true
+# Restricts the set of socket address families accessible to the processes
+# of this unit. Protects against vulnerabilities such as CVE-2016-8655
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
-# Explicit module loading will be denied. This allows to turn off module load and unload
-# operations on modular kernels. It is recommended to turn this on for most services that
-# do not need special file systems or extra kernel modules to work.
-ProtectKernelModules=true
-# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats,
-# /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only to all processes
-# of the unit. Usually, tunable kernel variables should only be written at boot-time, with the
-# sysctl.d(5) mechanism. Almost no services need to write to these at runtime; it is hence
-# recommended to turn this on for most services.
-ProtectKernelTunables=true
+# Some security features are not in the older versions of systemd used by
+# e.g. RHEL7/CentOS 7. The below settings are automatically edited at package
+# build time to uncomment them if the target platform supports them.
-# The Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be
-# made read-only to all processes of the unit. Except for container managers no services should
-# require write access to the control groups hierarchies; it is hence recommended to turn this on
-# for most services
-ProtectControlGroups=true
+# Attempts to create memory mappings that are writable and executable at
+# the same time, or to change existing memory mappings to become executable
+# are prohibited.
+##safer##MemoryDenyWriteExecute=true
-# Any attempts to enable realtime scheduling in a process of the unit are refused.
-RestrictRealtime=true
+# Explicit module loading will be denied. This allows to turn off module
+# load and unload operations on modular kernels. It is recommended to turn
+# this on for most services that do not need special file systems or extra
+# kernel modules to work.
+##safer##ProtectKernelModules=true
-# Restricts the set of socket address families accessible to the processes of this unit.
-# Protects against vulnerabilities such as CVE-2016-8655
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger,
+# /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq
+# will be made read-only to all processes of the unit. Usually, tunable
+# kernel variables should only be written at boot-time, with the sysctl.d(5)
+# mechanism. Almost no services need to write to these at runtime; it is hence
+# recommended to turn this on for most services.
+##safer##ProtectKernelTunables=true
+
+# The Linux Control Groups (cgroups(7)) hierarchies accessible through
+# /sys/fs/cgroup will be made read-only to all processes of the unit.
+# Except for container managers no services should require write access
+# to the control groups hierarchies; it is hence recommended to turn this
+# on for most services
+##safer##ProtectControlGroups=true
+
+# Any attempts to enable realtime scheduling in a process of the unit are
+# refused.
+##safer##RestrictRealtime=true
# Takes away the ability to create or manage any kind of namespace
-RestrictNamespaces=true
+##safer##RestrictNamespaces=true
[Install]
WantedBy=multi-user.target
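Review bot: The `##safer##` prefix now leaves MemoryDenyWriteExecute through RestrictNamespaces disabled in the committed file, and the "Some security features" comment only says they are uncommented "at package build time" without naming the marker convention or the systemd version each setting needs, so anyone installing scripts/memcached.service straight from the tree gets a unit with those protections silently off. I'd extend that comment to state the contract, e.g. `# Lines prefixed ##safer## are enabled by stripping the prefix at build time when the target systemd is new enough; confirm the effective values with systemctl show memcached`, and, if the packager knows the exact thresholds, record them there (these directives landed around systemd 231–233 if I recall correctly, so verify before writing numbers). RestrictAddressFamilies stays unconditional while the rest are gated; a one-line remark that it is supported by the older systemd in question would stop a later edit from "fixing" the asymmetry. The same block is duplicated in scripts/memcached@.service and should carry the same explanation.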
diff --git a/scripts/memcached.sysconfig b/scripts/memcached.sysconfig
new file mode 100644
index 0000000..bd46483
--- /dev/null
+++ b/scripts/memcached.sysconfig
@@ -0,0 +1,10 @@
+# These defaults will be used by every memcached instance, unless overridden
+# by values in /etc/sysconfig/memcached.<port>
+USER="nobody"
+MAXCONN="1024"
+CACHESIZE="64"
+OPTIONS=""
+
+# The PORT variable will only be used by memcached.service, not by
+# memcached@xxxxx services, which will use the xxxxx
+PORT="11211"
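Review bot: `USER="nobody"` runs every instance as the shared nobody account, so memcached shares its identity with any other nobody process on the host; a dedicated service account (e.g. a `memcached` user created by the package) would keep the `-u` privilege drop meaningful. `OPTIONS=""` also leaves listen addresses at memcached's built-in defaults, which as far as I recall bind every interface, so the `-l 127.0.0.1,::1` example from the unit header is worth shipping as the default or at least stating above the key, e.g. `# Set OPTIONS="-l 127.0.0.1,::1" unless remote clients are intended`. The comment above PORT ends mid-thought ("which will use the xxxxx"); I'd finish it as `# memcached@<port> services, which take the port from the instance name`.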
diff --git a/scripts/memcached@.service b/scripts/memcached@.service
new file mode 100644
index 0000000..4e9f1d7
--- /dev/null
+++ b/scripts/memcached@.service
@@ -0,0 +1,89 @@
+# It's not recommended to modify this file in-place, because it will be
+# overwritten during upgrades. If you want to customize, the best
+# way is to use the "systemctl edit" command to create an override unit.
+#
+# For example, to pass additional options, create an override unit
+# (as is done by systemctl edit) and enter the following:
+#
+# [Service]
+# Environment=OPTIONS="-l 127.0.0.1,::1"
+#
+# To use the "instanced" version of this, just start 'memcached@11211' or
+# whatever port you'd like. If /etc/sysconfig/memcached.<port> exists, it
+# will be read first, so you can set different parameters for a given
+# instance.
+
+[Unit]
+Description=memcached daemon
+After=network.target
+
+[Service]
+EnvironmentFile=/etc/sysconfig/memcached
+EnvironmentFile=-/etc/sysconfig/memcached.%i
+ExecStart=/usr/bin/memcached -p %i -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} $OPTIONS
+
+# Set up a new file system namespace and mounts private /tmp and /var/tmp
+# directories so this service cannot access the global directories and
+# other processes cannot access this service's directories.
+PrivateTmp=true
+
+# Mounts the /usr, /boot, and /etc directories read-only for processes
+# invoked by this unit.
+ProtectSystem=full
+
+# Ensures that the service process and all its children can never gain new
+# privileges
+NoNewPrivileges=true
+
+# Sets up a new /dev namespace for the executed processes and only adds API
+# pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as
+# the pseudo TTY subsystem) to it, but no physical devices such as /dev/sda.
+PrivateDevices=true
+
+# Required for dropping privileges and running as a different user
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
+
+# Restricts the set of socket address families accessible to the processes
+# of this unit. Protects against vulnerabilities such as CVE-2016-8655
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+
+
+# Some security features are not in the older versions of systemd used by
+# e.g. RHEL7/CentOS 7. The below settings are automatically edited at package
+# build time to uncomment them if the target platform supports them.
+
+# Attempts to create memory mappings that are writable and executable at
+# the same time, or to change existing memory mappings to become executable
+# are prohibited.
+##safer##MemoryDenyWriteExecute=true
+
+# Explicit module loading will be denied. This allows to turn off module
+# load and unload operations on modular kernels. It is recommended to turn
+# this on for most services that do not need special file systems or extra
+# kernel modules to work.
+##safer##ProtectKernelModules=true
+
+# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger,
+# /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq
+# will be made read-only to all processes of the unit. Usually, tunable
+# kernel variables should only be written at boot-time, with the sysctl.d(5)
+# mechanism. Almost no services need to write to these at runtime; it is hence
+# recommended to turn this on for most services.
+##safer##ProtectKernelTunables=true
+
+# The Linux Control Groups (cgroups(7)) hierarchies accessible through
+# /sys/fs/cgroup will be made read-only to all processes of the unit.
+# Except for container managers no services should require write access
+# to the control groups hierarchies; it is hence recommended to turn this
+# on for most services
+##safer##ProtectControlGroups=true
+
+# Any attempts to enable realtime scheduling in a process of the unit are
+# refused.
+##safer##RestrictRealtime=true
+
+# Takes away the ability to create or manage any kind of namespace
+##safer##RestrictNamespaces=true
+
+[Install]
+WantedBy=multi-user.target
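Review bot: `EnvironmentFile=-/etc/sysconfig/memcached.%i` (the leading `-` makes a missing file non-fatal) and `-p %i` on the ExecStart line assume the instance name is a port number, but nothing in the unit body says so beyond the header prose; a non-numeric instance such as `memcached@foo` only fails once memcached rejects `-p foo`. I'd make that explicit next to ExecStart, `# %i is the TCP port; the instance name must be numeric`, and surface it in the description, `Description=memcached daemon on port %i`, so `systemctl status` distinguishes instances. The hardening block repeats the `##safer##` gating whose activation contract (which build step strips the prefix, and under what condition) is not documented in this file either, so a reader of this unit alone cannot tell whether those settings are expected to be live.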