nixos/prometheus: Harden alertmanager/webhook-logger/pushgateway systemd definitions

2024-06-24 00:13:04 +01:00
parent 7ce4fe5463
commit 008ea18566
3 changed files with 100 additions and 7 deletions
--- a/nixos/modules/services/monitoring/prometheus/alertmanager-webhook-logger.nix
+++ b/nixos/modules/services/monitoring/prometheus/alertmanager-webhook-logger.nix
@@ -32,9 +32,15 @@ in
          ${escapeShellArgs cfg.extraFlags}
        '';

+        CapabilityBoundingSet = [ "" ];
+        DeviceAllow = [ "" ];
        DynamicUser = true;
        NoNewPrivileges = true;

+        MemoryDenyWriteExecute = true;
+
+        LockPersonality = true;
+
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        ProtectHome = "tmpfs";
@@ -43,6 +49,8 @@ in
        PrivateDevices = true;
        PrivateIPC = true;

+        ProcSubset = "pid";
+
        ProtectHostname = true;
        ProtectClock = true;
        ProtectKernelTunables = true;
@@ -50,7 +58,10 @@ in
        ProtectKernelLogs = true;
        ProtectControlGroups = true;

+        Restart  = "on-failure";
+
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;