veza/ansible/roles/coraza/files/coraza-spoa.service

[Unit]
Description=Coraza WAF SPOA Daemon
Documentation=https://www.coraza.io

[Service]
ExecStart=/usr/local/bin/coraza-spoa -config=/etc/coraza/config.yaml
WorkingDirectory=/
Restart=always
Type=exec
User=coraza
Group=coraza

# Hardening
# Controls which capabilities to include in the ambient capability set for the executed process.
AmbientCapabilities=
#Takes a mount propagation setting: shared, slave or private.
MountFlags=private

# If true, kernel variables accessible through /proc/sys/, /sys/, /proc/sysrq-trigger, /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only and /proc/kallsyms as well as /proc/kcore will be inaccessible to all processes of the unit.
ProtectKernelTunables=yes
# If true, explicit module loading will be denied.
ProtectKernelModules=yes
# If true, access to the kernel log ring buffer will be denied.
ProtectKernelLogs=yes
# If true, the Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup/ will be made read-only to all processes of the unit.
ProtectControlGroups=yes
# when set to "noaccess" the ability to access most of other users' process metadata in /proc/ is taken away for processes of the service.
ProtectProc=noaccess
# If set, writes to the hardware clock or system clock will be denied.
ProtectClock=yes
# When set, sets up a new UTS namespace for the executed processes. In addition, changing hostname or domainname is prevented.
ProtectHostname=yes
# If set to "strict" the entire file system hierarchy is mounted read-only, except for the API file system subtrees /dev/, /proc/ and /sys/
ProtectSystem=strict
# If set, any attempts to set the set-user-ID (SUID) or set-group-ID (SGID) bits on files or directories will be denied
RestrictSUIDSGID=true
# If set, any attempts to enable realtime scheduling in a process of the unit are refused.
RestrictRealtime=true
# Controls the secure bits set for the executed process. See man capabilities.
SecureBits=no-setuid-fixup-locked noroot-locked

# frequently used repositories by other applicatons
InaccessiblePaths=-/opt
InaccessiblePaths=-/srv
# block all binary that are not usefull
InaccessiblePaths=-/bin
InaccessiblePaths=-/sbin

# locks down the personality(2) system call so that the kernel execution domain may not be changed
LockPersonality=true
# set the logs directory path
LogsDirectory=coraza
# set the configuration directory path
ConfigurationDirectory=coraza

# unsure taht the memory mapping is not editable. creation and alteration of memory segments to become writable or executable is not allowed
MemoryDenyWriteExecute=yes

# ensures that the service process and all its children can never gain new privileges through execve()
NoNewPrivileges=true

# the directories /home/, /root, and /run/user are made inaccessible and empty for processes invoked by this unit
ProtectHome=true
# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random
PrivateDevices=true

# sets up a new user namespace for the executed processes and configures a user and group mapping.
PrivateUsers=true
# a new file system namespace set up for executed processes, /tmp/ and /var/tmp/ inside are not shared with processes outside of the namespace, all temporary files removed after service stopped.
PrivateTmp=true
# all System V and POSIX IPC objects owned by the user and group the processes of this unit are run as are removed when the unit is stopped
RemoveIPC=true

# Restricts the set of socket address families accessible to the processes of this unit. here ipv4 and ipv6
RestrictAddressFamilies=AF_INET AF_INET6

SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=-@setuid -@ipc -@mount

IPAddressDeny=any
IPAddressAllow=localhost

CapabilityBoundingSet=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
BASE: completing the initial repo state 2025-12-03 21:56:50 +00:00			`[Unit]`
			`Description=Coraza WAF SPOA Daemon`
			`Documentation=https://www.coraza.io`

			`[Service]`
			`ExecStart=/usr/local/bin/coraza-spoa -config=/etc/coraza/config.yaml`
			`WorkingDirectory=/`
			`Restart=always`
			`Type=exec`
			`User=coraza`
			`Group=coraza`

			`# Hardening`
			`# Controls which capabilities to include in the ambient capability set for the executed process.`
			`AmbientCapabilities=`
			`#Takes a mount propagation setting: shared, slave or private.`
			`MountFlags=private`

			`# If true, kernel variables accessible through /proc/sys/, /sys/, /proc/sysrq-trigger, /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only and /proc/kallsyms as well as /proc/kcore will be inaccessible to all processes of the unit.`
			`ProtectKernelTunables=yes`
			`# If true, explicit module loading will be denied.`
			`ProtectKernelModules=yes`
			`# If true, access to the kernel log ring buffer will be denied.`
			`ProtectKernelLogs=yes`
			`# If true, the Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup/ will be made read-only to all processes of the unit.`
			`ProtectControlGroups=yes`
			`# when set to "noaccess" the ability to access most of other users' process metadata in /proc/ is taken away for processes of the service.`
			`ProtectProc=noaccess`
			`# If set, writes to the hardware clock or system clock will be denied.`
			`ProtectClock=yes`
			`# When set, sets up a new UTS namespace for the executed processes. In addition, changing hostname or domainname is prevented.`
			`ProtectHostname=yes`
			`# If set to "strict" the entire file system hierarchy is mounted read-only, except for the API file system subtrees /dev/, /proc/ and /sys/`
			`ProtectSystem=strict`
			`# If set, any attempts to set the set-user-ID (SUID) or set-group-ID (SGID) bits on files or directories will be denied`
			`RestrictSUIDSGID=true`
			`# If set, any attempts to enable realtime scheduling in a process of the unit are refused.`
			`RestrictRealtime=true`
			`# Controls the secure bits set for the executed process. See man capabilities.`
			`SecureBits=no-setuid-fixup-locked noroot-locked`

			`# frequently used repositories by other applicatons`
			`InaccessiblePaths=-/opt`
			`InaccessiblePaths=-/srv`
			`# block all binary that are not usefull`
			`InaccessiblePaths=-/bin`
			`InaccessiblePaths=-/sbin`

			`# locks down the personality(2) system call so that the kernel execution domain may not be changed`
			`LockPersonality=true`
			`# set the logs directory path`
			`LogsDirectory=coraza`
			`# set the configuration directory path`
			`ConfigurationDirectory=coraza`

			`# unsure taht the memory mapping is not editable. creation and alteration of memory segments to become writable or executable is not allowed`
			`MemoryDenyWriteExecute=yes`

			`# ensures that the service process and all its children can never gain new privileges through execve()`
			`NoNewPrivileges=true`

			`# the directories /home/, /root, and /run/user are made inaccessible and empty for processes invoked by this unit`
			`ProtectHome=true`
			`# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random`
			`PrivateDevices=true`

			`# sets up a new user namespace for the executed processes and configures a user and group mapping.`
			`PrivateUsers=true`
			`# a new file system namespace set up for executed processes, /tmp/ and /var/tmp/ inside are not shared with processes outside of the namespace, all temporary files removed after service stopped.`
			`PrivateTmp=true`
			`# all System V and POSIX IPC objects owned by the user and group the processes of this unit are run as are removed when the unit is stopped`
			`RemoveIPC=true`

			`# Restricts the set of socket address families accessible to the processes of this unit. here ipv4 and ipv6`
			`RestrictAddressFamilies=AF_INET AF_INET6`

			`SystemCallArchitectures=native`
			`SystemCallFilter=@system-service`
			`SystemCallFilter=-@setuid -@ipc -@mount`

			`IPAddressDeny=any`
			`IPAddressAllow=localhost`

			`CapabilityBoundingSet=CAP_NET_BIND_SERVICE`

			`[Install]`
			`WantedBy=multi-user.target`