diff options
Diffstat (limited to 'scripts')
-rw-r--r-- | scripts/memcached.service | 80 | ||||
-rw-r--r-- | scripts/memcached.sysconfig | 10 | ||||
-rw-r--r-- | scripts/memcached@.service | 89 |
3 files changed, 145 insertions, 34 deletions
diff --git a/scripts/memcached.service b/scripts/memcached.service index 2bfbb67..88a4b8a 100644 --- a/scripts/memcached.service +++ b/scripts/memcached.service @@ -1,10 +1,10 @@ # It's not recommended to modify this file in-place, because it will be # overwritten during upgrades. If you want to customize, the best # way is to use the "systemctl edit" command to create an override unit. - +# # For example, to pass additional options, create an override unit # (as is done by systemctl edit) and enter the following: - +# # [Service] # Environment=OPTIONS="-l 127.0.0.1,::1" @@ -17,56 +17,68 @@ After=network.target EnvironmentFile=/etc/sysconfig/memcached ExecStart=/usr/bin/memcached -p ${PORT} -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} $OPTIONS -# Set up a new file system namespace and mounts private /tmp and /var/tmp directories -# so this service cannot access the global directories and other processes cannot -# access this service's directories. +# Set up a new file system namespace and mounts private /tmp and /var/tmp +# directories so this service cannot access the global directories and +# other processes cannot access this service's directories. PrivateTmp=true -# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit. +# Mounts the /usr, /boot, and /etc directories read-only for processes +# invoked by this unit. ProtectSystem=full -# Ensures that the service process and all its children can never gain new privileges +# Ensures that the service process and all its children can never gain new +# privileges NoNewPrivileges=true -# Sets up a new /dev namespace for the executed processes and only adds API pseudo devices -# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it, -# but no physical devices such as /dev/sda. +# Sets up a new /dev namespace for the executed processes and only adds API +# pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as +# the pseudo TTY subsystem) to it, but no physical devices such as /dev/sda. PrivateDevices=true # Required for dropping privileges and running as a different user CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE -# Attempts to create memory mappings that are writable and executable at the same time, -# or to change existing memory mappings to become executable are prohibited. -MemoryDenyWriteExecute=true +# Restricts the set of socket address families accessible to the processes +# of this unit. Protects against vulnerabilities such as CVE-2016-8655 +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX -# Explicit module loading will be denied. This allows to turn off module load and unload -# operations on modular kernels. It is recommended to turn this on for most services that -# do not need special file systems or extra kernel modules to work. -ProtectKernelModules=true -# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats, -# /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only to all processes -# of the unit. Usually, tunable kernel variables should only be written at boot-time, with the -# sysctl.d(5) mechanism. Almost no services need to write to these at runtime; it is hence -# recommended to turn this on for most services. -ProtectKernelTunables=true +# Some security features are not in the older versions of systemd used by +# e.g. RHEL7/CentOS 7. The below settings are automatically edited at package +# build time to uncomment them if the target platform supports them. -# The Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be -# made read-only to all processes of the unit. Except for container managers no services should -# require write access to the control groups hierarchies; it is hence recommended to turn this on -# for most services -ProtectControlGroups=true +# Attempts to create memory mappings that are writable and executable at +# the same time, or to change existing memory mappings to become executable +# are prohibited. +##safer##MemoryDenyWriteExecute=true -# Any attempts to enable realtime scheduling in a process of the unit are refused. -RestrictRealtime=true +# Explicit module loading will be denied. This allows to turn off module +# load and unload operations on modular kernels. It is recommended to turn +# this on for most services that do not need special file systems or extra +# kernel modules to work. +##safer##ProtectKernelModules=true -# Restricts the set of socket address families accessible to the processes of this unit. -# Protects against vulnerabilities such as CVE-2016-8655 -RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, +# /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq +# will be made read-only to all processes of the unit. Usually, tunable +# kernel variables should only be written at boot-time, with the sysctl.d(5) +# mechanism. Almost no services need to write to these at runtime; it is hence +# recommended to turn this on for most services. +##safer##ProtectKernelTunables=true + +# The Linux Control Groups (cgroups(7)) hierarchies accessible through +# /sys/fs/cgroup will be made read-only to all processes of the unit. +# Except for container managers no services should require write access +# to the control groups hierarchies; it is hence recommended to turn this +# on for most services +##safer##ProtectControlGroups=true + +# Any attempts to enable realtime scheduling in a process of the unit are +# refused. +##safer##RestrictRealtime=true # Takes away the ability to create or manage any kind of namespace -RestrictNamespaces=true +##safer##RestrictNamespaces=true [Install] WantedBy=multi-user.target diff --git a/scripts/memcached.sysconfig b/scripts/memcached.sysconfig new file mode 100644 index 0000000..bd46483 --- /dev/null +++ b/scripts/memcached.sysconfig @@ -0,0 +1,10 @@ +# These defaults will be used by every memcached instance, unless overridden +# by values in /etc/sysconfig/memcached.<port> +USER="nobody" +MAXCONN="1024" +CACHESIZE="64" +OPTIONS="" + +# The PORT variable will only be used by memcached.service, not by +# memcached@xxxxx services, which will use the xxxxx +PORT="11211" diff --git a/scripts/memcached@.service b/scripts/memcached@.service new file mode 100644 index 0000000..4e9f1d7 --- /dev/null +++ b/scripts/memcached@.service @@ -0,0 +1,89 @@ +# It's not recommended to modify this file in-place, because it will be +# overwritten during upgrades. If you want to customize, the best +# way is to use the "systemctl edit" command to create an override unit. +# +# For example, to pass additional options, create an override unit +# (as is done by systemctl edit) and enter the following: +# +# [Service] +# Environment=OPTIONS="-l 127.0.0.1,::1" +# +# To use the "instanced" version of this, just start 'memcached@11211' or +# whatever port you'd like. If /etc/sysconfig/memcached.<port> exists, it +# will be read first, so you can set different parameters for a given +# instance. + +[Unit] +Description=memcached daemon +After=network.target + +[Service] +EnvironmentFile=/etc/sysconfig/memcached +EnvironmentFile=-/etc/sysconfig/memcached.%i +ExecStart=/usr/bin/memcached -p %i -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} $OPTIONS + +# Set up a new file system namespace and mounts private /tmp and /var/tmp +# directories so this service cannot access the global directories and +# other processes cannot access this service's directories. +PrivateTmp=true + +# Mounts the /usr, /boot, and /etc directories read-only for processes +# invoked by this unit. +ProtectSystem=full + +# Ensures that the service process and all its children can never gain new +# privileges +NoNewPrivileges=true + +# Sets up a new /dev namespace for the executed processes and only adds API +# pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as +# the pseudo TTY subsystem) to it, but no physical devices such as /dev/sda. +PrivateDevices=true + +# Required for dropping privileges and running as a different user +CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE + +# Restricts the set of socket address families accessible to the processes +# of this unit. Protects against vulnerabilities such as CVE-2016-8655 +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX + + +# Some security features are not in the older versions of systemd used by +# e.g. RHEL7/CentOS 7. The below settings are automatically edited at package +# build time to uncomment them if the target platform supports them. + +# Attempts to create memory mappings that are writable and executable at +# the same time, or to change existing memory mappings to become executable +# are prohibited. +##safer##MemoryDenyWriteExecute=true + +# Explicit module loading will be denied. This allows to turn off module +# load and unload operations on modular kernels. It is recommended to turn +# this on for most services that do not need special file systems or extra +# kernel modules to work. +##safer##ProtectKernelModules=true + +# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, +# /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq +# will be made read-only to all processes of the unit. Usually, tunable +# kernel variables should only be written at boot-time, with the sysctl.d(5) +# mechanism. Almost no services need to write to these at runtime; it is hence +# recommended to turn this on for most services. +##safer##ProtectKernelTunables=true + +# The Linux Control Groups (cgroups(7)) hierarchies accessible through +# /sys/fs/cgroup will be made read-only to all processes of the unit. +# Except for container managers no services should require write access +# to the control groups hierarchies; it is hence recommended to turn this +# on for most services +##safer##ProtectControlGroups=true + +# Any attempts to enable realtime scheduling in a process of the unit are +# refused. +##safer##RestrictRealtime=true + +# Takes away the ability to create or manage any kind of namespace +##safer##RestrictNamespaces=true + +[Install] +WantedBy=multi-user.target |