Hardening systemd unit for additional security (#110)

* add some protection (via https://github.com/konstruktoid/hardening/blob/master/systemd.adoc#unit-configuration) * security by default; systemd ignores options it doesn't understand * autodetect systemd version
cloudalchemy · May 17, 2018 · 79842e8 · 79842e8
1 parent 7ff1e99
commit 79842e8
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/tasks/preflight.yml b/tasks/preflight.yml
@@ -76,3 +76,10 @@
   with_items:
     - "{{ lookup('url', 'https://github.com/prometheus/prometheus/releases/download/v' + prometheus_version + '/sha256sums.txt', wantlist=True) | list }}"
   when: "('linux-' + (go_arch_map[ansible_architecture] | default(ansible_architecture)) + '.tar.gz') in item"
+
+- name: Get systemd version
+  shell: systemctl --version | awk '$1 == "systemd" {print $2}'
+  changed_when: false
+  register: prometheus_systemd_version
+  tags:
+    - skip_ansible_lint
diff --git a/templates/prometheus.service.j2 b/templates/prometheus.service.j2
@@ -22,6 +22,24 @@ ExecStart=/usr/local/bin/prometheus \
   {{ pre }}-web.external-url={{ prometheus_web_external_url }}{% for flag, flag_value in prometheus_config_flags_extra.items() %}\
   {{ pre }}-{{ flag }}={{ flag_value }} {% endfor %}
 
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+NoNewPrivileges=true
+{% if prometheus_systemd_version >= 231 %}
+ReadWritePaths={{ prometheus_db_dir }}
+{% else %}
+ReadWriteDirectories={{ prometheus_db_dir }}
+{% endif %}
+{% if prometheus_systemd_version >= 232 %}
+ProtectSystem=strict
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+{% else %}
+ProtectSystem=full
+{% endif %}
+
 {% if http_proxy is defined %}
 Environment="HTTP_PROXY={{ http_proxy }}"{% if https_proxy is defined %} "HTTPS_PROXY={{ https_proxy }}{% endif %}"
 {% endif %}