authorMichael Klishin <klishinm@vmware.com>2021-11-19 20:09:38 +0300
committerGitHub <noreply@github.com>2021-11-19 20:09:38 +0300
commit2483711505622d6e2393f4f967daac775d0e27cb (patch)
treed2b7d625f9852a7a6da7b8b796bb0d1b33c921df
parentbc3cc6a8817663cddfcf93c5f6bd7b3ab3caf5d7 (diff)
parent23d5073dcbb54f1119aea02a41baf3d7ba2d60bb (diff)
downloadrabbitmq-server-git-2483711505622d6e2393f4f967daac775d0e27cb.tar.gz
Merge pull request #3770 from easyteacher/systemd-hardening
Add systemd hardening parameters in rabbitmq-server.service.example
-rw-r--r--deps/rabbit/docs/rabbitmq-server.service.example13
1 files changed, 13 insertions, 0 deletions
diff --git a/deps/rabbit/docs/rabbitmq-server.service.example b/deps/rabbit/docs/rabbitmq-server.service.example
index dec70eb635..69531b1ff6 100644
--- a/deps/rabbit/docs/rabbitmq-server.service.example
+++ b/deps/rabbit/docs/rabbitmq-server.service.example
@@ -5,6 +5,19 @@ After=network.target epmd@0.0.0.0.socket
Wants=network.target epmd@0.0.0.0.socket
[Service]
+# Note: You *may* wish to uncomment the following lines to apply systemd
+# hardening effort to RabbitMQ, to prevent your system from being illegally
+# modified by undiscovered vulnerabilities in RabbitMQ.
+# ProtectSystem=full
+# ProtectHome=true
+# PrivateDevices=true
+# ProtectHostname=true
+# ProtectClock=true
+# ProtectKernelTunables=true
+# ProtectKernelModules=true
+# ProtectKernelLogs=true
+# ProtectControlGroups=true
+# RestrictRealtime=true
Type=notify
User=rabbitmq
Group=rabbitmq
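Review bot: The comment introducing the commented-out directives (`# ProtectSystem=full` through `# RestrictRealtime=true`) does not tell an operator what to check before enabling them. `ProtectSystem=full` mounts `/usr`, the boot loader directories and `/etc` read-only for the service, so anything the node writes under `/etc` at runtime would start failing; the comment should name that case and point to `ReadWritePaths=` as the exception mechanism. `ProtectHostname=`, `ProtectKernelLogs=` and `ProtectClock=` exist only in newer systemd releases and are skipped with a warning on older ones, which leaves the unit less confined than the file suggests. I would add `# Test after enabling: ProtectSystem=full makes /etc read-only for the service (see ReadWritePaths=).` and `# Check the result with: systemd-analyze security rabbitmq-server.service`. Consider also listing `NoNewPrivileges=true` and `PrivateTmp=true`, provided nothing in the node's startup relies on a shared `/tmp`.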