
Merge pull request #325133 from jpds/nixos-prometheus-hardening

nixos/prometheus: systemd hardening for alertmanager/pushgateway

authored by

Aaron Andersen and committed by
GitHub
aa3e6fad bfbc9454

+106 -7
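--- a/nixos/modules/services/monitoring/prometheus/alertmanager-webhook-logger.nix
+++ b/nixos/modules/services/monitoring/prometheus/alertmanager-webhook-logger.nix
@@ -32,8 +32,14 @@
 ${escapeShellArgs cfg.extraFlags}
 '';
 
+CapabilityBoundingSet = [ "" ];
+DeviceAllow = [ "" ];
 DynamicUser = true;
 NoNewPrivileges = true;
+
+MemoryDenyWriteExecute = true;
+
+LockPersonality = true;
 
 ProtectProc = "invisible";
 ProtectSystem = "strict";
@@ -43,6 +49,8 @@
 PrivateDevices = true;
 PrivateIPC = true;
 
+ProcSubset = "pid";
+
 ProtectHostname = true;
 ProtectClock = true;
 ProtectKernelTunables = true;
@@ -50,7 +58,10 @@
 ProtectKernelLogs = true;
 ProtectControlGroups = true;
 
+Restart = "on-failure";
+
 RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+RestrictNamespaces = true;
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
 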
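Review bot: This unit is the only one of the three touched here that gets no `SystemCallFilter`, so a compromised webhook logger keeps the full syscall surface while alertmanager and pushgateway are confined to `@system-service` minus the privileged groups; the same list would fit right after `RestrictSUIDSGID = true;` in the last hunk. None of the three units sets `SystemCallArchitectures = "native";`, which `systemd-analyze security` will keep reporting as open. `Restart = "on-failure"` here versus `"always"` in the sibling units looks deliberate for a test helper, but a short comment saying so would stop the next hardening pass from "fixing" it. The enclosing serviceConfig block starts before and ends after these hunks.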
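--- a/nixos/modules/services/monitoring/prometheus/alertmanager.nix
+++ b/nixos/modules/services/monitoring/prometheus/alertmanager.nix
@@ -181,15 +181,57 @@
 -i "${alertmanagerYml}"
 '';
 serviceConfig = {
-Restart = "always";
-StateDirectory = "alertmanager";
-DynamicUser = true; # implies PrivateTmp
-EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
-WorkingDirectory = "/tmp";
 ExecStart = "${cfg.package}/bin/alertmanager" +
 optionalString (length cmdlineArgs != 0) (" \\\n " +
 concatStringsSep " \\\n " cmdlineArgs);
 ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+
+EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
+
+CapabilityBoundingSet = [ "" ];
+DeviceAllow = [ "" ];
+DynamicUser = true;
+NoNewPrivileges = true;
+
+MemoryDenyWriteExecute = true;
+
+LockPersonality = true;
+
+ProtectProc = "invisible";
+ProtectSystem = "strict";
+ProtectHome = "tmpfs";
+
+PrivateTmp = true;
+PrivateDevices = true;
+PrivateIPC = true;
+
+ProcSubset = "pid";
+
+ProtectHostname = true;
+ProtectClock = true;
+ProtectKernelTunables = true;
+ProtectKernelModules = true;
+ProtectKernelLogs = true;
+ProtectControlGroups = true;
+
+Restart = "always";
+
+RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ];
+RestrictNamespaces = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+
+StateDirectory = "alertmanager";
+SystemCallFilter = [
+"@system-service"
+"~@cpu-emulation"
+"~@privileged"
+"~@reboot"
+"~@setuid"
+"~@swap"
+];
+
+WorkingDirectory = "/tmp";
 };
 };
 })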
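Review bot: `AF_NETLINK` in `RestrictAddressFamilies` is the one allowance that differs from the pushgateway unit and nothing says why; presumably alertmanager's cluster/gossip code enumerates local interfaces through rtnetlink (Go's `net.Interfaces`), and a one-line comment such as `# AF_NETLINK: interface enumeration by the cluster (memberlist) code` above that line would keep a later hardening pass from dropping it and breaking clustering. If that guess is right, consider whether the allowance can be tied to the cluster options, which are declared outside this hunk. `SystemCallArchitectures = "native";` next to `SystemCallFilter` would close the remaining item `systemd-analyze security` flags for this unit. With `ProtectSystem = "strict"` only `StateDirectory` is writable, so the storage path passed through `cmdlineArgs` (built outside the hunk) must stay under /var/lib/alertmanager.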
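--- a/nixos/modules/services/monitoring/prometheus/pushgateway.nix
+++ b/nixos/modules/services/monitoring/prometheus/pushgateway.nix
@@ -147,12 +147,52 @@
 wantedBy = [ "multi-user.target" ];
 after = [ "network.target" ];
 serviceConfig = {
-Restart = "always";
-DynamicUser = true;
 ExecStart = "${cfg.package}/bin/pushgateway" +
 optionalString (length cmdlineArgs != 0) (" \\\n " +
 concatStringsSep " \\\n " cmdlineArgs);
+
+CapabilityBoundingSet = [ "" ];
+DeviceAllow = [ "" ];
+DynamicUser = true;
+NoNewPrivileges = true;
+
+MemoryDenyWriteExecute = true;
+
+LockPersonality = true;
+
+ProtectProc = "invisible";
+ProtectSystem = "strict";
+ProtectHome = "tmpfs";
+
+PrivateTmp = true;
+PrivateDevices = true;
+PrivateIPC = true;
+
+ProcSubset = "pid";
+
+ProtectHostname = true;
+ProtectClock = true;
+ProtectKernelTunables = true;
+ProtectKernelModules = true;
+ProtectKernelLogs = true;
+ProtectControlGroups = true;
+
+Restart = "always";
+
+RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+RestrictNamespaces = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+
 StateDirectory = if cfg.persistMetrics then cfg.stateDir else null;
+SystemCallFilter = [
+"@system-service"
+"~@cpu-emulation"
+"~@privileged"
+"~@reboot"
+"~@setuid"
+"~@swap"
+];
 };
 };
 };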
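Review bot: `ProtectSystem = "strict"` turns the pre-existing `StateDirectory = if cfg.persistMetrics then cfg.stateDir else null;` into the only writable location for the service, so it now matters that `cfg.stateDir` (declared outside this hunk) is a name under /var/lib rather than an arbitrary absolute path; if the option permits an absolute path, persistence would now fail on a read-only tree, and a comment on that line such as `# the only writable path under ProtectSystem=strict` would make the coupling explicit. The pushgateway takes metric pushes from the network, so the hardening is well placed; adding `SystemCallArchitectures = "native";` beside `SystemCallFilter` would complete the set `systemd-analyze security` checks. The `~@reboot`, `~@setuid` and `~@swap` entries are already covered by `~@privileged`, which is harmless but worth knowing when the list is next edited.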
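--- a/nixos/tests/prometheus/alertmanager.nix
+++ b/nixos/tests/prometheus/alertmanager.nix
@@ -144,5 +144,9 @@
 logger.wait_until_succeeds(
 "journalctl -o cat -u alertmanager-webhook-logger.service | grep '\"alertname\":\"InstanceDown\"'"
 )
+
+logger.log(logger.succeed("systemd-analyze security alertmanager-webhook-logger.service | grep -v '✓'"))
+
+alertmanager.log(alertmanager.succeed("systemd-analyze security alertmanager.service | grep -v '✓'"))
 '';
 })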
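Review bot: The two added `systemd-analyze security` calls only log the non-✓ rows, so a later change that drops a hardening option cannot fail this test; `succeed` only requires the pipeline to exit zero, which `grep -v` does whenever any row remains. If the test VM's systemd supports it, `systemd-analyze security --threshold=<score> alertmanager.service` exits non-zero above the threshold and would turn the listing into a real assertion; otherwise grep the "Overall exposure level" line and compare against a pinned value. Keeping the existing log call next to the assertion is still useful for the failure output. The test script starts before this hunk.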
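--- a/nixos/tests/prometheus/pushgateway.nix
+++ b/nixos/tests/prometheus/pushgateway.nix
@@ -90,5 +90,7 @@
 "curl -sf 'http://127.0.0.1:9090/api/v1/query?query=absent(some_metric)' | "
 + "jq '.data.result[0].value[1]' | grep '\"1\"'"
 )
+
+pushgateway.log(pushgateway.succeed("systemd-analyze security pushgateway.service | grep -v '✓'"))
 '';
 })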
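Review bot: As with the alertmanager test, this line records the `systemd-analyze security` output but asserts nothing about it, so a regression in the unit's hardening would go unnoticed by CI. Pinning an exposure score with `systemd-analyze security --threshold=<score> pushgateway.service` (where the test systemd supports the flag) would make the hardening a tested property rather than a logged one. The test script starts before this hunk.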