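# coraza-spoa.service - systemd unit for the Coraza WAF SPOA daemon.
# Full-line `#` comments only; values are unquoted; booleans are written
# `true`/`false` throughout (systemd also accepts yes/no, but one form is used here).

[Unit]
Description=Coraza WAF SPOA Daemon
Documentation=https://www.coraza.io

[Service]
ExecStart=/usr/local/bin/coraza-spoa -config=/etc/coraza/config.yaml
WorkingDirectory=/
Restart=always
Type=exec
# The daemon runs as an unprivileged dedicated account; everything below
# assumes it never needs root.
User=coraza
Group=coraza

# Hardening

# Controls which capabilities to include in the ambient capability set for the executed process.
# Left empty on purpose: nothing is raised into the ambient set.
AmbientCapabilities=

# Takes a mount propagation setting: shared, slave or private.
MountFlags=private

# If true, kernel variables accessible through /proc/sys/, /sys/, /proc/sysrq-trigger,
# /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made
# read-only and /proc/kallsyms as well as /proc/kcore will be inaccessible to all processes of the unit.
ProtectKernelTunables=true

# If true, explicit module loading will be denied.
ProtectKernelModules=true

# If true, access to the kernel log ring buffer will be denied.
ProtectKernelLogs=true

# If true, the Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup/
# will be made read-only to all processes of the unit.
ProtectControlGroups=true

# When set to "noaccess" the ability to access most of other users' process metadata in /proc/
# is taken away for processes of the service.
ProtectProc=noaccess

# If set, writes to the hardware clock or system clock will be denied.
ProtectClock=true

# When set, sets up a new UTS namespace for the executed processes. In addition, changing
# hostname or domainname is prevented.
ProtectHostname=true

# If set to "strict" the entire file system hierarchy is mounted read-only, except for the
# API file system subtrees /dev/, /proc/ and /sys/.
# Writable locations for this service come only from LogsDirectory= below.
ProtectSystem=strict

# If set, any attempts to set the set-user-ID (SUID) or set-group-ID (SGID) bits on files
# or directories will be denied.
RestrictSUIDSGID=true

# If set, any attempts to enable realtime scheduling in a process of the unit are refused.
RestrictRealtime=true

# Controls the secure bits set for the executed process. See man capabilities.
SecureBits=no-setuid-fixup-locked noroot-locked

# Paths frequently used by other applications; hidden from this service.
# A leading "-" means the entry is ignored if the path does not exist.
InaccessiblePaths=-/opt
InaccessiblePaths=-/srv

# Hide binaries the daemon has no use for (ExecStart= lives under /usr/local/bin).
# NOTE(review): on merged-/usr systems /bin and /sbin are symlinks into /usr;
# confirm this does not also hide /usr/bin and /usr/sbin from the daemon.
InaccessiblePaths=-/bin
InaccessiblePaths=-/sbin

# Locks down the personality(2) system call so that the kernel execution domain may not be changed.
LockPersonality=true

# Logs directory (/var/log/coraza), created and made writable for the service.
LogsDirectory=coraza

# Configuration directory (/etc/coraza); matches the -config path in ExecStart=.
ConfigurationDirectory=coraza

# Ensures that mapped memory cannot be both writable and executable: creation and alteration
# of memory segments to become writable or executable is not allowed.
MemoryDenyWriteExecute=true

# Ensures that the service process and all its children can never gain new privileges through execve().
NoNewPrivileges=true

# The directories /home/, /root, and /run/user are made inaccessible and empty for processes
# invoked by this unit.
ProtectHome=true

# Sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as
# /dev/null, /dev/zero or /dev/random.
PrivateDevices=true

# Sets up a new user namespace for the executed processes and configures a user and group mapping.
PrivateUsers=true

# A new file system namespace is set up for executed processes; /tmp/ and /var/tmp/ inside are not
# shared with processes outside of the namespace, and all temporary files are removed after the
# service stops.
PrivateTmp=true

# All System V and POSIX IPC objects owned by the user and group the processes of this unit run as
# are removed when the unit is stopped.
RemoveIPC=true

# Restricts the set of socket address families accessible to the processes of this unit;
# here IPv4 and IPv6 only (no AF_UNIX, AF_NETLINK, ...).
RestrictAddressFamilies=AF_INET AF_INET6

# Only system calls of the native architecture ABI are permitted.
SystemCallArchitectures=native

# Allow-list the @system-service group, then remove the setuid, IPC and mount groups from it.
SystemCallFilter=@system-service
SystemCallFilter=-@setuid -@ipc -@mount

# Network policy: deny everything, then allow loopback only. HAProxy must therefore reach the
# SPOA on the same host; widen IPAddressAllow= if HAProxy runs elsewhere.
IPAddressDeny=any
IPAddressAllow=localhost

# Only CAP_NET_BIND_SERVICE stays in the bounding set. Because AmbientCapabilities= is empty
# and User= is unprivileged, the process does not actually hold it; it would also need to be
# listed in AmbientCapabilities= for the daemon to bind a port below 1024.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target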