Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package logwatch for openSUSE:Factory checked in at 2021-10-20 20:24:03 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/logwatch (Old) and /work/SRC/openSUSE:Factory/.logwatch.new.1890 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "logwatch" Wed Oct 20 20:24:03 2021 rev:46 rq:926510 version:7.5.5 Changes: -------- --- /work/SRC/openSUSE:Factory/logwatch/logwatch.changes 2021-07-21 19:07:47.267438271 +0200 +++ /work/SRC/openSUSE:Factory/.logwatch.new.1890/logwatch.changes 2021-10-20 20:24:58.093403406 +0200 @@ -1,0 +2,7 @@ +Tue Oct 5 14:26:13 UTC 2021 - Johannes Segitz <[email protected]> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_logwatch.service.patch + * harden_logwatch_dmeventd.service.patch + +------------------------------------------------------------------- New: ---- harden_logwatch.service.patch harden_logwatch_dmeventd.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ logwatch.spec ++++++ --- /var/tmp/diff_new_pack.PPc03O/_old 2021-10-20 20:24:58.565403698 +0200 +++ /var/tmp/diff_new_pack.PPc03O/_new 2021-10-20 20:24:58.565403698 +0200 @@ -30,6 +30,8 @@ Source3: ChangeLog Patch0: logwatch-firewall.patch Patch2: logwatch-timestamp_in_var.patch +Patch3: harden_logwatch.service.patch +Patch4: harden_logwatch_dmeventd.service.patch Requires: grep Requires: mailx Requires: perl @@ -65,6 +67,8 @@ cp %{S:3} . # fix package doc dir in man page sed -i -e 's,/usr/share/doc/logwatch-\*,%{_defaultdocdir}/logwatch,' logwatch.8 +%patch3 -p1 +%patch4 -p1 %build ++++++ harden_logwatch.service.patch ++++++ Index: logwatch-7.5.5/scheduler/logwatch.service =================================================================== --- logwatch-7.5.5.orig/scheduler/logwatch.service +++ logwatch-7.5.5/scheduler/logwatch.service @@ -4,6 +4,18 @@ Documentation=man:logwatch(8) man:logwat Before=logrotate.service [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=oneshot # This first EnvironmentFile has the Logwatch default variables EnvironmentFile=-/usr/share/logwatch/default.conf/systemd.conf ++++++ harden_logwatch_dmeventd.service.patch ++++++ Index: logwatch-7.5.5/Logwatch_Setup_Files/logwatch_dmeventd.service =================================================================== --- logwatch-7.5.5.orig/Logwatch_Setup_Files/logwatch_dmeventd.service +++ logwatch-7.5.5/Logwatch_Setup_Files/logwatch_dmeventd.service @@ -22,6 +22,18 @@ Description=Log analyzer and reporter, s Documentation=man:logwatch(8) man:logwatch.conf(5) [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions User=root Type=oneshot ExecStart=/usr/sbin/logwatch --service dmeventd
