Merge pull request voxpupuli#415 from bastelfreak/systemd4

prometheus: harden systemd service
cegeka · Jan 6, 2020 · e483d42 · e483d42
2 parents d9538d5 + 3d1248e
commit e483d42
Show file tree

Hide file tree

Showing 8 changed files with 104 additions and 0 deletions.
diff --git a/spec/fixtures/files/cli/prometheus1_all.systemd b/spec/fixtures/files/cli/prometheus1_all.systemd
@@ -32,6 +32,19 @@ ExecStart=/usr/local/bin/prometheus \
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
 Restart=always
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=full
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+LockPersonality=true
+RestrictRealtime=yes
+RestrictNamespaces=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+CapabilityBoundingSet=
 
 [Install]
 WantedBy=multi-user.target
diff --git a/spec/fixtures/files/cli/prometheus1_extra.systemd b/spec/fixtures/files/cli/prometheus1_extra.systemd
@@ -18,6 +18,19 @@ ExecStart=/usr/local/bin/prometheus \
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
 Restart=always
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=full
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+LockPersonality=true
+RestrictRealtime=yes
+RestrictNamespaces=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+CapabilityBoundingSet=
 
 [Install]
 WantedBy=multi-user.target
diff --git a/spec/fixtures/files/cli/prometheus2_6_retention.systemd b/spec/fixtures/files/cli/prometheus2_6_retention.systemd
@@ -16,6 +16,19 @@ ExecStart=/usr/local/bin/prometheus \
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
 Restart=always
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=full
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+LockPersonality=true
+RestrictRealtime=yes
+RestrictNamespaces=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+CapabilityBoundingSet=
 
 [Install]
 WantedBy=multi-user.target
diff --git a/spec/fixtures/files/cli/prometheus2_all.systemd b/spec/fixtures/files/cli/prometheus2_all.systemd
@@ -45,6 +45,19 @@ ExecStart=/usr/local/bin/prometheus \
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
 Restart=always
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=full
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+LockPersonality=true
+RestrictRealtime=yes
+RestrictNamespaces=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+CapabilityBoundingSet=
 
 [Install]
 WantedBy=multi-user.target
diff --git a/spec/fixtures/files/cli/prometheus2_extra.systemd b/spec/fixtures/files/cli/prometheus2_extra.systemd
@@ -17,6 +17,19 @@ ExecStart=/usr/local/bin/prometheus \
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
 Restart=always
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=full
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+LockPersonality=true
+RestrictRealtime=yes
+RestrictNamespaces=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+CapabilityBoundingSet=
 
 [Install]
 WantedBy=multi-user.target
diff --git a/spec/fixtures/files/prometheus1.systemd b/spec/fixtures/files/prometheus1.systemd
@@ -16,6 +16,19 @@ ExecStart=/usr/local/bin/prometheus \
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
 Restart=always
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=full
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+LockPersonality=true
+RestrictRealtime=yes
+RestrictNamespaces=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+CapabilityBoundingSet=
 
 [Install]
 WantedBy=multi-user.target
diff --git a/spec/fixtures/files/prometheus2.systemd b/spec/fixtures/files/prometheus2.systemd
@@ -16,6 +16,19 @@ ExecStart=/usr/local/bin/prometheus \
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
 Restart=always
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=full
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+LockPersonality=true
+RestrictRealtime=yes
+RestrictNamespaces=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+CapabilityBoundingSet=
 
 [Install]
 WantedBy=multi-user.target
diff --git a/templates/prometheus.systemd.epp b/templates/prometheus.systemd.epp
@@ -21,6 +21,19 @@ Restart=always
 <% if $max_open_files { -%>
 LimitNOFILE=<%= $max_open_files %>
 <% } -%>
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=full
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+LockPersonality=true
+RestrictRealtime=yes
+RestrictNamespaces=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+CapabilityBoundingSet=
 
 [Install]
 WantedBy=multi-user.target