The way syslog works on SEAPATH Yocto is too different from the other flavors.
Except for the syslog server IP, all the configuration is hardcoded, including the certificates and keys.
We should do the syslog configuration with Ansible as the other flavors do (refer to seapath/ansible#835).
In recipes-support/syslog-ng we have to remove everything.
We only need a bbappend file that disables the syslog-ng service and adds the hardening rules:
[Service]
# Filesystem isolation: private /tmp, read-only system tree except the
# syslog-ng log and state directories.
PrivateTmp=yes
ProtectSystem=strict
ReadWritePaths=/var/log/syslog-ng /var/lib/syslog-ng
# Kernel surface: no module loading, no sysctl writes, no cgroup changes.
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
# Privilege containment: no setuid escalation, only pid namespaces,
# no writable+executable memory, no realtime scheduling, no SUID/SGID files.
NoNewPrivileges=true
RestrictNamespaces=pid
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
# Only the capability needed to read the kernel log buffer; no device access.
CapabilityBoundingSet=CAP_SYSLOG
PrivateDevices=yes
# Syscall allow-list built from systemd's predefined groups.
SystemCallFilter=@system-service @privileged @basic-io @chown @file-system @io-event @ipc @network-io @process @signal
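A bbappend of the kind described above, written here as an added illustration rather than code from the SEAPATH repositories; the syslog-ng@.service template unit name, the hardening.conf file name (holding the [Service] block above) and the use of ${WORKDIR} are assumptions:

```bitbake
# syslog-ng_%.bbappend (illustrative; layout and unit name assumed)
# Ship the hardening drop-in from this layer's files/ directory.
FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
SRC_URI += "file://hardening.conf"

# Keep the unit installed but not enabled at image build time; the syslog
# server address and TLS material are then configured by Ansible, as on
# the other flavors, instead of being hardcoded in the image.
SYSTEMD_AUTO_ENABLE:${PN} = "disable"

# Install the [Service] hardening rules as a drop-in that applies to every
# instance of the template unit (assumed name: syslog-ng@.service).
do_install:append() {
    install -d ${D}${systemd_system_unitdir}/syslog-ng@.service.d
    install -m 0644 ${WORKDIR}/hardening.conf \
        ${D}${systemd_system_unitdir}/syslog-ng@.service.d/hardening.conf
}

FILES:${PN} += "${systemd_system_unitdir}/syslog-ng@.service.d"
```

On a booted target, `systemd-analyze security syslog-ng@default.service` shows whether the drop-in was picked up and which of the directives still leave exposure.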