diff --git a/spec/fixtures/files/cli/prometheus1_all.systemd b/spec/fixtures/files/cli/prometheus1_all.systemd
index 9b4c86410..8e4443691 100644
--- a/spec/fixtures/files/cli/prometheus1_all.systemd
+++ b/spec/fixtures/files/cli/prometheus1_all.systemd
@@ -32,6 +32,19 @@ ExecStart=/usr/local/bin/prometheus \
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
 Restart=always
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=full
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+LockPersonality=true
+RestrictRealtime=yes
+RestrictNamespaces=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+CapabilityBoundingSet=
 
 [Install]
 WantedBy=multi-user.target
diff --git a/spec/fixtures/files/cli/prometheus1_extra.systemd b/spec/fixtures/files/cli/prometheus1_extra.systemd
index c2901d5b9..7882cb836 100644
--- a/spec/fixtures/files/cli/prometheus1_extra.systemd
+++ b/spec/fixtures/files/cli/prometheus1_extra.systemd
@@ -18,6 +18,19 @@ ExecStart=/usr/local/bin/prometheus \
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
 Restart=always
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=full
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+LockPersonality=true
+RestrictRealtime=yes
+RestrictNamespaces=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+CapabilityBoundingSet=
 
 [Install]
 WantedBy=multi-user.target
diff --git a/spec/fixtures/files/cli/prometheus2_6_retention.systemd b/spec/fixtures/files/cli/prometheus2_6_retention.systemd
index 28bb88359..37b1c0f10 100644
--- a/spec/fixtures/files/cli/prometheus2_6_retention.systemd
+++ b/spec/fixtures/files/cli/prometheus2_6_retention.systemd
@@ -16,6 +16,19 @@ ExecStart=/usr/local/bin/prometheus \
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
 Restart=always
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=full
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+LockPersonality=true
+RestrictRealtime=yes
+RestrictNamespaces=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+CapabilityBoundingSet=
 
 [Install]
 WantedBy=multi-user.target
diff --git a/spec/fixtures/files/cli/prometheus2_all.systemd b/spec/fixtures/files/cli/prometheus2_all.systemd
index e1be210e4..7711125ba 100644
--- a/spec/fixtures/files/cli/prometheus2_all.systemd
+++ b/spec/fixtures/files/cli/prometheus2_all.systemd
@@ -45,6 +45,19 @@ ExecStart=/usr/local/bin/prometheus \
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
 Restart=always
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=full
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+LockPersonality=true
+RestrictRealtime=yes
+RestrictNamespaces=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+CapabilityBoundingSet=
 
 [Install]
 WantedBy=multi-user.target
diff --git a/spec/fixtures/files/cli/prometheus2_extra.systemd b/spec/fixtures/files/cli/prometheus2_extra.systemd
index d8373f391..71cd2b924 100644
--- a/spec/fixtures/files/cli/prometheus2_extra.systemd
+++ b/spec/fixtures/files/cli/prometheus2_extra.systemd
@@ -17,6 +17,19 @@ ExecStart=/usr/local/bin/prometheus \
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
 Restart=always
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=full
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+LockPersonality=true
+RestrictRealtime=yes
+RestrictNamespaces=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+CapabilityBoundingSet=
 
 [Install]
 WantedBy=multi-user.target
diff --git a/spec/fixtures/files/prometheus1.systemd b/spec/fixtures/files/prometheus1.systemd
index 26abc1fe3..aa1a75653 100644
--- a/spec/fixtures/files/prometheus1.systemd
+++ b/spec/fixtures/files/prometheus1.systemd
@@ -16,6 +16,19 @@ ExecStart=/usr/local/bin/prometheus \
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
 Restart=always
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=full
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+LockPersonality=true
+RestrictRealtime=yes
+RestrictNamespaces=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+CapabilityBoundingSet=
 
 [Install]
 WantedBy=multi-user.target
diff --git a/spec/fixtures/files/prometheus2.systemd b/spec/fixtures/files/prometheus2.systemd
index dc3a78474..796db72d9 100644
--- a/spec/fixtures/files/prometheus2.systemd
+++ b/spec/fixtures/files/prometheus2.systemd
@@ -16,6 +16,19 @@ ExecStart=/usr/local/bin/prometheus \
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
 Restart=always
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=full
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+LockPersonality=true
+RestrictRealtime=yes
+RestrictNamespaces=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+CapabilityBoundingSet=
 
 [Install]
 WantedBy=multi-user.target
diff --git a/templates/prometheus.systemd.epp b/templates/prometheus.systemd.epp
index 9a1729dcf..75e08998c 100644
--- a/templates/prometheus.systemd.epp
+++ b/templates/prometheus.systemd.epp
@@ -21,6 +21,19 @@ Restart=always
 <% if $max_open_files { -%>
 LimitNOFILE=<%= $max_open_files %>
 <% } -%>
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=full
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+LockPersonality=true
+RestrictRealtime=yes
+RestrictNamespaces=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+CapabilityBoundingSet=
 
 [Install]
 WantedBy=multi-user.target
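Review bot: The hardening block added after the `LimitNOFILE` conditional in templates/prometheus.systemd.epp is rendered unconditionally, so a host whose Prometheus data or config path sits under /home, /root or /run/user will fail to start once `ProtectHome=true` applies, and there is no parameter to relax it the way `$max_open_files` gates `LimitNOFILE`. Whether the module allows such paths is not visible in this hunk, so either gate the block behind a template parameter or document the restriction. `ProtectSystem=full` leaves /var and most other trees writable; `ProtectSystem=strict` together with `ReadWritePaths=<data directory>` would limit writes to the storage directory. Older systemd releases warn about and skip directives they do not recognise (`ProtectHostname=` is among the newer ones), so the seven fixture hunks under spec/fixtures confirm the rendered text, not that the sandbox is active on every supported platform. The booleans also mix `true` and `yes`; using one spelling keeps the unit easier to scan.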