From ab279c7d1034ad91048b5a871cbf670ec7b90a13 Mon Sep 17 00:00:00 2001
From: openoms
Date: Sun, 23 May 2021 16:46:29 +0100
Subject: [PATCH] add hardening measures to systemd services

---
 home.admin/config.scripts/bonus.clnrest.sh | 6 ++++++
 home.admin/config.scripts/cln.install.sh | 6 ++++++
 home.admin/config.scripts/lnd.chain.sh | 6 ++++++
 home.admin/config.scripts/network.bitcoinchains.sh | 6 ++++++
 4 files changed, 24 insertions(+)

diff --git a/home.admin/config.scripts/bonus.clnrest.sh b/home.admin/config.scripts/bonus.clnrest.sh
index cc42c7ded..2df9696d6 100644
--- a/home.admin/config.scripts/bonus.clnrest.sh
+++ b/home.admin/config.scripts/bonus.clnrest.sh
@@ -79,6 +79,12 @@ Restart=always
 TimeoutSec=120
 RestartSec=30
 
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target
 " | sudo tee /etc/systemd/system/clnrest.service
diff --git a/home.admin/config.scripts/cln.install.sh b/home.admin/config.scripts/cln.install.sh
index 278a47709..5bc43c043 100644
--- a/home.admin/config.scripts/cln.install.sh
+++ b/home.admin/config.scripts/cln.install.sh
@@ -185,6 +185,12 @@ RestartSec=30
 StandardOutput=null
 StandardError=journal
 
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target
 " | sudo tee /etc/systemd/system/${prefix}lightningd.service
diff --git a/home.admin/config.scripts/lnd.chain.sh b/home.admin/config.scripts/lnd.chain.sh
index 406f5dec9..3d14e164e 100644
--- a/home.admin/config.scripts/lnd.chain.sh
+++ b/home.admin/config.scripts/lnd.chain.sh
@@ -149,6 +149,12 @@ RestartSec=30
 StandardOutput=null
 StandardError=journal
 
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target
 " | sudo tee /etc/systemd/system/${prefix}lnd.service
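Review bot: The new block in the clnrest unit leaves most of the filesystem untouched: `ProtectSystem=full` makes only /usr, /boot, /efi and /etc read-only, and with no `ProtectHome=` set the service can still reach /home, /root and every other path as far as file permissions allow. Which paths the service needs is not visible here (the unit text starts above the hunk), so the value has to be picked per unit, but `ProtectHome=read-only` or `ProtectHome=true`, plus `ProtectKernelTunables=true`, `ProtectKernelModules=true` and `ProtectControlGroups=true`, are worth evaluating. Running `systemd-analyze security clnrest.service` after installation shows what each unit still exposes. The same applies to the identical blocks added in cln.install.sh, lnd.chain.sh and network.bitcoinchains.sh.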
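Review bot: `# Hardening measures` is the only comment on the four directives added to the lightningd unit, so someone debugging a start-up failure gets no hint that the sandbox may be the cause. A one-line comment per directive would help, for example `# ProtectSystem=full: /usr, /boot, /efi and /etc are read-only for this service` and `# NoNewPrivileges=true: setuid/setgid programs started by the service gain no extra privileges`. This matters more here because the unit sets `StandardOutput=null`, which leaves the stderr stream in the journal as the only place such a failure would show up.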
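Review bot: The six lines added to the lnd unit are a verbatim copy of the block in bonus.clnrest.sh, cln.install.sh and network.bitcoinchains.sh, so any later tightening has to be repeated in four scripts and the units can drift apart. Consider keeping the directives in one place, for instance a drop-in written to `/etc/systemd/system/<unit>.service.d/hardening.conf` (placeholder path) by a common helper that each script calls. The enclosing unit text starts outside the hunk, so whether these scripts already share a helper file cannot be seen here.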
diff --git a/home.admin/config.scripts/network.bitcoinchains.sh b/home.admin/config.scripts/network.bitcoinchains.sh
index f5ca8b6dc..f5456b2ee 100644
--- a/home.admin/config.scripts/network.bitcoinchains.sh
+++ b/home.admin/config.scripts/network.bitcoinchains.sh
@@ -132,6 +132,12 @@ RestartSec=30
 StandardOutput=null
 StandardError=journal
 
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target
 " | sudo tee /etc/systemd/system/${prefix}bitcoind.service
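Review bot: The bitcoind unit gets the same four directives as the other services, and none of them addresses memory protections; `MemoryDenyWriteExecute=true` is a candidate for a native daemon such as this one, since it blocks mappings that are both writable and executable. It is not a blanket suggestion, because runtimes that generate code at run time fail under it, so it should be tested on the target boards before being enabled and kept out of units whose runtime is not known. The unit's `ExecStart=` and `User=` lines are outside the hunk, so this is inferred from the service name only.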