Hardening systemd unit for additional security #110
Conversation
|
Why add the extra config option? All of these changes look sane enough that users shouldn't need to disable it. |
|
I worry that on older systems it might cause problems. That's why I added an extra config option which by default is set to For example |
|
Ahh, yes, it would be good to keep compatibility with at least Debian/Jessie and Ubuntu/16.04. I think that specific feature may need to stay out of the default since 16.04 only has 229. |
|
I did some research:
Feature used in PR with related systemd version (first occurance) based on systemd/NEWS:
|
README.md
Outdated
| @@ -27,6 +27,7 @@ All variables which can be overridden are stored in [defaults/main.yml](defaults | |||
| | `prometheus_version` | 2.2.1 | Prometheus package version. Also accepts `latest` as parameter. | | |||
| | `prometheus_config_dir` | /etc/prometheus | Path to directory with prometheus configuration | | |||
| | `prometheus_db_dir` | /var/lib/prometheus | Path to directory with prometheus database | | |||
| | `prometheus_service_hardening` | True | Apply security related options to systemd service file | | |||
There was a problem hiding this comment.
Let's add a note about the minimum systmed version required for this.
defaults/main.yml
Outdated
| @@ -4,6 +4,8 @@ prometheus_version: 2.2.1 | |||
| prometheus_config_dir: /etc/prometheus | |||
| prometheus_db_dir: /var/lib/prometheus | |||
|
|
|||
| prometheus_service_hardening: True | |||
There was a problem hiding this comment.
I think we should disable this by default, as the older operating systems are still quite popular.
|
Fun fact, systemd ignores options it doesn't understand. I ran this PR against debian jessie (systemd 215) with all hardening options enabled and prometheus works. Journalctl displays some warnings and an error:
"Unknown lvalue" are just ignored, and error can be fixed by lowering security a little and applying
TL;DR; @SuperQ you were right, we shouldn't have a flag to disable security hardening 😄 |
|
We could have a variable for |
|
Yeah, that can work, but I wonder if anyone would care to switch it on ;) |
tasks/preflight.yml
Outdated
| @@ -75,3 +75,10 @@ | |||
| with_items: | |||
| - "{{ lookup('url', 'https://github.com/prometheus/prometheus/releases/download/v' + prometheus_version + '/sha256sums.txt', wantlist=True) | list }}" | |||
| when: "('linux-' + (go_arch_map[ansible_architecture] | default(ansible_architecture)) + '.tar.gz') in item" | |||
|
|
|||
| - name: Get systemd version | |||
| shell: "systemctl --version | head -n1 | sed 's/systemd //g'" | |||
There was a problem hiding this comment.
This might be less fragile:
systemd --version | awk '$1 == "systemd" {print $2}'
There was a problem hiding this comment.
I cannot use systemd command in test suite, since it is not detected in ubuntu and debian containers, but systemctl works fine and it is always installed with systemd. Also systemctl can be executed as a regular user and systemd execution is restricted on some systems. As for awk it is indeed better.
There was a problem hiding this comment.
Sorry, coffee is not kicked in yet. That was supposed to be the same systemctl command.
There was a problem hiding this comment.
No problem 😄
Ok, do you think there is anyting more to do in this PR?
* add some protection (via https://github.com/konstruktoid/hardening/blob/master/systemd.adoc#unit-configuration) * security by default; systemd ignores options it doesn't understand * autodetect systemd version
|
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Add a couple of options to restrict what prometheus process can see and do.
Mostly taken from:
PR needs some extensive testing to ensure everything works.