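// Server Security Profile
// For headless server deployments: strict namespace isolation, no desktop
// integration, a small inbound port allow-list, and full audit logging.
//
// NOTE(review): the semantics of each key are defined by the tool that loads
// this profile, which is not shown here. Comments marked NOTE(review) are
// points to confirm against that tool, not statements about its behaviour.

profile "Server" {
    version "1.0"
    description "Strict isolation with no desktop and enhanced auditing for servers"

    // Isolation settings (strict for server security)
    isolation {
        // The block below enables mount, PID, network, IPC and UTS namespaces.
        // The user namespace is the only one left off.
        level "Strict"

        namespaces {
            mount true
            pid true
            network true
            ipc true
            // NOTE(review): with the user namespace off, UIDs are presumably
            // not remapped, so a process running as root inside the profile
            // would hold the host's root identity. Confirm that the workload
            // runs unprivileged or that the runtime drops privileges itself.
            user false
            uts true
        }
    }

    // Desktop integration (disabled for headless). Every entry is off, which
    // also removes the clipboard and D-Bus as channels to other sessions.
    desktop {
        integration false
        themes false
        fonts false
        clipboard false
        dbus false
    }

    // Network access (controlled for servers)
    network {
        access "Controlled"
        // NOTE(review): "rate_limiting" has no thresholds in this file;
        // confirm where the limits are configured.
        restrictions [
            "firewall_required"
            "rate_limiting"
        ]
        // NOTE(review): local-network access is allowed alongside strict
        // isolation. Confirm this is intended, since it leaves neighbouring
        // hosts reachable from the workload.
        allow_local_network true
        // Inbound allow-list: SSH, HTTP, HTTPS. The rules name no source
        // address, so as written SSH is open to any peer the host can reach.
        // NOTE(review): confirm that anything not listed is denied by default,
        // and narrow 22/tcp to a management network if the rule syntax
        // supports it.
        firewall_rules [
            "allow 22/tcp"
            "allow 80/tcp"
            "allow 443/tcp"
        ]
    }

    // Resource limits (high for server workloads). These also bound how much
    // of the host a runaway or compromised workload can consume.
    resources {
        max_memory "16GB"
        // NOTE(review): presumably a fraction of total CPU (95%) - confirm units.
        max_cpu 0.95
        max_disk "100GB"
        max_processes 500
        max_open_files 4096
    }

    // XDG enforcement (strict)
    xdg {
        enforce true
        redirect_legacy true
        strict_mode true
    }

    // Security settings (maximum for production)
    security {
        allow_system_units false
        // NOTE(review): confirm where audit records are written and that they
        // are forwarded or protected so the audited workload cannot alter them.
        audit_logging "Full"
        // Repeats isolation.namespaces.network above; keep the two in agreement.
        network_namespace true
        filesystem_isolation true
        // NOTE(review): assumes a host with SELinux available. Confirm how the
        // profile behaves on hosts that use a different MAC system.
        selinux_enforcing true
        mandatory_access_control true
    }

    // Default packages for servers
    // NOTE(review): these are recommendations, so fail2ban is not guaranteed
    // to be installed even though 22/tcp is open above. postgresql and redis
    // have no port in firewall_rules; confirm they bind only to the interfaces
    // they need and require authentication, since allow_local_network is true.
    recommended_packages [
        "nginx"
        "postgresql"
        "redis"
        "fail2ban"
    ]
}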