Hardening systemd unit for additional security #110
Conversation
Why add the extra config option? All of these changes look sane enough that users shouldn't need to disable it.
I worry that on older systems it might cause problems. That's why I added an extra config option which by default is set to For example
Ahh, yes, it would be good to keep compatibility with at least Debian/Jessie and Ubuntu/16.04. I think that specific feature may need to stay out of the default since 16.04 only has 229.
I did some research:
Feature used in PR with related systemd version (first occurrence) based on systemd/NEWS:
README.md
@@ -27,6 +27,7 @@ All variables which can be overridden are stored in [defaults/main.yml](defaults | |||
| `prometheus_version` | 2.2.1 | Prometheus package version. Also accepts `latest` as parameter. | | |||
| `prometheus_config_dir` | /etc/prometheus | Path to directory with prometheus configuration | | |||
| `prometheus_db_dir` | /var/lib/prometheus | Path to directory with prometheus database | | |||
| `prometheus_service_hardening` | True | Apply security related options to systemd service file | |
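Review bot: the new `prometheus_service_hardening` row says nothing about the minimum systemd version the hardening directives need or what happens on older releases, while the thread notes that Ubuntu 16.04 ships only systemd 229; extend the description cell to state the minimum version next to the `True` default so users of older distributions can tell whether the option applies to them.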
Let's add a note about the minimum systemd version required for this.
defaults/main.yml
@@ -4,6 +4,8 @@ prometheus_version: 2.2.1 | |||
prometheus_config_dir: /etc/prometheus | |||
prometheus_db_dir: /var/lib/prometheus | |||
|
|||
prometheus_service_hardening: True |
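Review bot: `prometheus_service_hardening: True` lands in defaults/main.yml as a bare boolean with no comment, so a reader of the defaults file cannot tell what the flag toggles or why they might turn it off; add a one-line comment above it naming the effect (systemd unit hardening directives) and the minimum systemd version, and keep this default in sync with the README table row that documents it.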
I think we should disable this by default, as the older operating systems are still quite popular.
Fun fact, systemd ignores options it doesn't understand. I ran this PR against debian jessie (systemd 215) with all hardening options enabled and prometheus works. Journalctl displays some warnings and an error:
"Unknown lvalue" warnings are just ignored, and the error can be fixed by lowering security a little and applying
TL;DR; @SuperQ you were right, we shouldn't have a flag to disable security hardening 😄
We could have a variable for
Yeah, that can work, but I wonder if anyone would care to switch it on ;)
tasks/preflight.yml
@@ -75,3 +75,10 @@ | |||
with_items: | |||
- "{{ lookup('url', 'https://github.com/prometheus/prometheus/releases/download/v' + prometheus_version + '/sha256sums.txt', wantlist=True) | list }}" | |||
when: "('linux-' + (go_arch_map[ansible_architecture] | default(ansible_architecture)) + '.tar.gz') in item" | |||
|
|||
- name: Get systemd version | |||
shell: "systemctl --version | head -n1 | sed 's/systemd //g'" |
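Review bot: the `Get systemd version` task runs a read-only pipeline under `shell` without `changed_when: false`, so every play run will report this task as changed, and `sed 's/systemd //g'` only strips the prefix, so anything that follows the number on that first line is kept in the result; prefer the awk form suggested in review, `systemctl --version | awk '$1 == "systemd" {print $2}'`, which returns just the second field, and add `changed_when: false` and `check_mode: false` so the version is still gathered when the role is run in check mode.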
This might be less fragile:
systemd --version | awk '$1 == "systemd" {print $2}'
I cannot use the `systemd` command in the test suite, since it is not detected in Ubuntu and Debian containers, but `systemctl` works fine and is always installed with systemd. Also, `systemctl` can be executed as a regular user, and `systemd` execution is restricted on some systems. As for `awk`, it is indeed better.
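The two parsing approaches discussed above, side by side, as an added example that is not part of the PR or the role: the `sed` form from the patch and the `awk` form suggested in review are run over constructed `systemctl --version` outputs (the second one carries a distro build string in parentheses, as newer releases print), and a helper decides whether a directive with a given minimum systemd version may be applied. The minimum of 230 is an assumed threshold for illustration, not a value from the thread.

```shell
#!/bin/sh
# Added example (not the role's own code): extract the systemd version from
# `systemctl --version` output and gate a hardening directive on a minimum.

# Constructed sample outputs. The second form, with the package build in
# parentheses after the number, is what newer distributions print.
SAMPLE_229='systemd 229
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP'
SAMPLE_245='systemd 245 (245.4-4ubuntu3)
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP'

# Variant from the patch: strips the "systemd " prefix but keeps anything
# that follows the number, so the result is not always a bare integer.
version_sed() {
    printf '%s\n' "$1" | head -n1 | sed 's/systemd //g'
}

# Reviewer's variant: print only the second field of the line whose first
# field is "systemd", which yields a bare integer on both sample formats.
version_awk() {
    printf '%s\n' "$1" | awk '$1 == "systemd" {print $2; exit}'
}

# Return 0 when the parsed version is numeric and >= the minimum,
# 1 when it is too old, and 2 when the output could not be parsed
# (refusing to guess is safer than applying a directive blindly).
hardening_supported() {
    ver=$(version_awk "$1")
    min=$2
    case "$ver" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$ver" -ge "$min" ]
}

# Live check on the current host, if systemctl is present; it works as an
# unprivileged user, which is why the thread prefers it over `systemd`.
if command -v systemctl >/dev/null 2>&1; then
    printf 'local systemd version: %s\n' "$(version_awk "$(systemctl --version)")"
fi
```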
Sorry, coffee has not kicked in yet. That was supposed to be the same `systemctl` command.
No problem 😄
Ok, do you think there is anything more to do in this PR?
LGTM
* add some protection (via https://github.com/konstruktoid/hardening/blob/master/systemd.adoc#unit-configuration)
* security by default; systemd ignores options it doesn't understand
* autodetect systemd version
Add a couple of options to restrict what the prometheus process can see and do.
Mostly taken from:
PR needs some extensive testing to ensure everything works.