Hello community,

here is the log from the commit of package sshguard for openSUSE:Factory checked in at 2021-12-29 21:10:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sshguard (Old)
 and /work/SRC/openSUSE:Factory/.sshguard.new.2520 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sshguard" Wed Dec 29 21:10:48 2021 rev:14 rq:942932 version:2.4.2 Changes: -------- --- /work/SRC/openSUSE:Factory/sshguard/sshguard.changes 2021-05-20 19:26:15.709646831 +0200 +++ /work/SRC/openSUSE:Factory/.sshguard.new.2520/sshguard.changes 2021-12-29 21:11:16.822301495 +0100 @@ -1,0 +2,8 @@ +Tue Nov 23 15:32:07 UTC 2021 - Johannes Segitz <[email protected]> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_sshguard.service.patch + Modified: + * sshguard.service + +------------------------------------------------------------------- New: ---- harden_sshguard.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sshguard.spec ++++++ --- /var/tmp/diff_new_pack.6IDSep/_old 2021-12-29 21:11:17.422301988 +0100 +++ /var/tmp/diff_new_pack.6IDSep/_new 2021-12-29 21:11:17.426301991 +0100 @@ -41,6 +41,7 @@ Source4: sshguard.whitelist # PATCH-FIX-UPSTREAM sshguard-gcc5.patch Patch0: sshguard-gcc5.patch +Patch1: harden_sshguard.service.patch Requires: openssh Requires(pre): %fillup_prereq @@ -53,6 +54,7 @@ %setup -q %patch0 -p1 find . -type f -iname "*.swp" -print -exec rm {} \; +%patch1 -p1 %build %configure \ ++++++ harden_sshguard.service.patch ++++++ Index: sshguard-2.4.2/examples/sshguard.service =================================================================== --- sshguard-2.4.2.orig/examples/sshguard.service +++ sshguard-2.4.2/examples/sshguard.service 
@@ -9,6 +9,19 @@ After=libvirtd.service After=firewalld.service [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions ExecStartPre=-/usr/sbin/iptables -N sshguard ExecStart=/usr/local/sbin/sshguard Restart=always ++++++ sshguard.service ++++++ --- /var/tmp/diff_new_pack.6IDSep/_old 2021-12-29 21:11:17.490302044 +0100 +++ /var/tmp/diff_new_pack.6IDSep/_new 2021-12-29 21:11:17.494302047 +0100 @@ -3,6 +3,19 @@ After=network.target [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions EnvironmentFile=-/etc/sshguard.conf ExecStartPre=/usr/sbin/iptables -N sshguard ExecStartPre=/usr/sbin/ip6tables -N sshguard
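Review bot: In the sshguard.spec hunk at @@ -41,6 +41,7 @@, the new `Patch1: harden_sshguard.service.patch` line has no tag comment above it, while Patch0 carries `# PATCH-FIX-UPSTREAM sshguard-gcc5.patch`. Add a matching comment line that names the patch and references bsc#1181400, for example `# PATCH-FIX-OPENSUSE harden_sshguard.service.patch bsc#1181400`, so the origin of the patch is recorded in the spec and not only in sshguard.changes.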
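Review bot: In the sshguard.spec hunk at @@ -53,6 +54,7 @@, `%patch1 -p1` is placed after the `find . -type f -iname "*.swp"` cleanup, while `%patch0 -p1` sits before it. Move `%patch1 -p1` directly under `%patch0 -p1` so all patches are applied in one group and the cleanup runs once on the fully patched tree.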
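Review bot: The hunk at @@ -9,6 +9,19 @@ in harden_sshguard.service.patch hardens examples/sshguard.service, whose `ExecStart=/usr/local/sbin/sshguard` still points at a /usr/local path, while the same directive block is also added to the separately carried sshguard.service. If the package installs only the latter, this patch changes a file that is never used and Patch1 can be dropped. If the example unit is shipped, say so in sshguard.changes and note that the two blocks have to be kept in sync.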
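Review bot: In the sshguard.service hunk at @@ -3,6 +3,19 @@, `ProtectKernelModules=true` is added in front of `ExecStartPre=/usr/sbin/iptables -N sshguard` and the ip6tables equivalent, neither of which has the `-` prefix that the example unit uses. ProtectKernelModules=true denies explicit module loading for the unit, so on a host where the netfilter modules are not yet loaded these commands can fail and, without the `-` prefix, keep the service from starting. Please test a start on a freshly booted system with no firewall rules loaded, and either record the result in sshguard.changes or drop the directive.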
