Feature Request: systemd service file hardening #1047
From here https://www.freedesktop.org/software/systemd/man/latest/systemd.service.html it seems a PIDFile is not required:
I already used Furthermore, normally a PIDFile should be placed in the This would all resolve the problem of handling the pid file on The unit file would then look like this - I haven't tested it yet:
The problematic part in the agent code is then here I'd guess: https://github.com/NagiosEnterprises/ncpa/blob/master/agent/ncpa.py#L567
This is what I came up with in the last couple of hours of testing and it seems to work - though I haven't done a lot of checks yet:
The firewall part might be a bit too restrictive for some users, i.e. needs to be inactive by default and activated by modifying the .service file or adding a ncpa.service.d/something.conf file in /etc/systemd/system. Also this prevents - at least to my knowledge - any kind of sudo usage, for example by plugins that can be called. I don't believe I need any such checks, but I guess I'll find out.

So I'd say this is a work-in-progress and depends on whether the user is fine with that and wants a more hardened NCPA service or not.
I thought I'd share it here for anyone who wishes to do some hardening for NCPA.
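Added example, not part of the original post and not the poster's unit file: a drop-in of the kind described above that keeps the network restriction out of the shipped unit and lets an administrator opt in. It assumes the unit is named ncpa.service, that the "firewall part" means systemd's IPAddressAllow=/IPAddressDeny= settings, and that the sudo breakage comes from NoNewPrivileges=; the file name and 192.0.2.10 are constructed placeholders.

```ini
# /etc/systemd/system/ncpa.service.d/10-network.conf   (hypothetical file name)
# Opt-in network restriction, kept out of the main unit so it is off by default.
[Service]
# Deny all IP traffic to and from the service's cgroup, in both directions ...
IPAddressDeny=any
# ... except loopback and the monitoring server. Allow entries take precedence
# over deny entries. 192.0.2.10 is a placeholder: replace it with the host
# that polls the agent (and any server the agent itself must reach).
IPAddressAllow=localhost
IPAddressAllow=192.0.2.10

# Assumption: the hardened unit sets NoNewPrivileges=yes. That setting stops
# setuid binaries such as sudo from gaining privileges, so plugins calling
# sudo will fail. A site that needs such plugins can relax it here, at the
# cost of weaker sandboxing; other sandboxing options can imply the setting,
# so verify the effective value after the change.
#NoNewPrivileges=no

# Apply and review the result:
#   systemctl daemon-reload && systemctl restart ncpa.service
#   systemctl show ncpa.service -p NoNewPrivileges -p IPAddressAllow -p IPAddressDeny
#   systemd-analyze security ncpa.service
```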