[3/4] suricata: Enable landlock security feature

Message ID 20240405192640.5215-3-stefan.schantl@ipfire.org
State Accepted
Commit 64e057aaa5ac0eb45094773709e481b535891ec4

Commit Message

Stefan Schantl April 5, 2024, 7:26 p.m. UTC
  This will limit the suricata process so that it can only read and write
certain files/directories.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
---
 config/suricata/suricata.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
  

Patch

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index fae01fbf5..9c8107429 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -768,16 +768,16 @@  security:
   limit-noproc: true
   # Use landlock security module under Linux
   landlock:
-    enabled: no
+    enabled: yes
     directories:
-      #write:
-      #  - @e_rundir@
+      write:
+        - /run
       # /usr and /etc folders are added to read list to allow
       # file magic to be used.
       read:
-        - /usr/
-        - /etc/
-        - @e_sysconfdir@
+        - /usr/share/misc/magic.mgc
+        - /var/ipfire/suricata/
+        - /var/lib/suricata/rules/
 
   lua:
     # Allow Lua rules. Disabled by default.
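Review bot: The context comment above `read:` still says `/usr and /etc folders are added to read list`, but the new list drops `/etc/` and replaces `/usr/` with the single file `/usr/share/misc/magic.mgc`, so the comment no longer describes the rules; change it to `# The libmagic database is added to the read list to allow file magic to be used.` Separately, `write:` now grants the whole of `/run` where the removed `@e_rundir@` placeholder stood for Suricata's own run directory, which lets a compromised Suricata process modify other daemons' pid files and sockets under `/run`; if only its pid file and unix socket are needed, `- <suricata run directory>` keeps the sandbox tight. Whether Suricata's landlock code adds the log directory and rule path itself or they must be listed here is not visible in the hunk, so it is worth confirming that logging and rule reloads still work with this list. The `security:` mapping starts outside the hunk.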