Différences

Ci-dessous, les différences entre deux révisions de la page.

--- tech:notes_securite_os_gnu_linux_hardening [2025/03/24 15:06] – créée - modification externe 127.0.0.1
+++ tech:notes_securite_os_gnu_linux_hardening [2026/02/25 15:44] (Version actuelle) – Jean-Baptiste
@@ Ligne 5: / Ligne 5: @@
 Voir :
 * [[Notes sécurité OS GNU/Linux hardening - partitions - noexec]]
+* https://messervices.cyber.gouv.fr/documents-guides/fr_np_linux_configuration-v2.0.pdf
 * https://www.ssi.gouv.fr/uploads/2016/01/linux_configuration-fr-v1.2.pdf
 * https://static.open-scap.org/ssg-guides/ssg-rhel8-guide-cis.html
@@ Ligne 213: / Ligne 214: @@
 * /etc/issue
 * /etc/issue.net
+== Service SystemD
+''/lib/systemd/system/wsl-pro.service''
+<code ini>
+[Unit]
+Description=Bridge to Ubuntu Pro agent on Windows
+ConditionVirtualization=wsl
+[Service]
+Type=notify
+ExecStart=/usr/libexec/wsl-pro-service -vv
+Restart=always
+RestartSec=2s
+# Some daemon restrictions
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=true
+PrivateDevices=yes
+PrivateMounts=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+# Only permit system calls used by common system services, excluding any special purpose calls
+SystemCallFilter=@system-service
+[Install]
+WantedBy=multi-user.target
+</code>
 == Autre