[pkg-go] Bug#950759: hardened systemd configuration

Antoine Beaupre anarcat at debian.org
Wed Feb 5 20:44:05 GMT 2020


Package: prometheus
Severity: wishlist

I'm working with the Puppet community to maintain a Prometheus Puppet
module that's available here:

https://github.com/voxpupuli/puppet-prometheus/

We recently introduced a new feature where the systemd unit file is
hardened. I think it would be a great addition to the Debian package
as well, considering that it seems to work for us. Here's the magic
incantation that was added:

NoNewPrivileges=true
ProtectHome=true
ProtectSystem=full
ProtectHostname=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
LockPersonality=true
RestrictRealtime=yes
RestrictNamespaces=yes
MemoryDenyWriteExecute=yes
PrivateDevices=yes
CapabilityBoundingSet=

This was brought in from Arch Linux, where those settings are
apparently in place as well:

https://github.com/voxpupuli/puppet-prometheus/pull/415
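To make the list above actionable, here is an added POSIX sh example (my own, not part of the bug report, the Debian package or the Puppet module) that audits a unit file for these directives and prints the ones that are absent from its [Service] section. The sample prometheus.service it checks is constructed for the demo and deliberately carries only four of the settings; the script matches on the directive name only, so `CapabilityBoundingSet=` with an empty value (which drops every capability) is counted as present.

```shell
#!/bin/sh
# Added example (not from the bug report): report which of the hardening
# directives from the report are missing from a systemd unit file.

# The directive set proposed in the report, matched by key name only.
HARDENING_KEYS="NoNewPrivileges ProtectHome ProtectSystem ProtectHostname \
ProtectControlGroups ProtectKernelModules ProtectKernelTunables LockPersonality \
RestrictRealtime RestrictNamespaces MemoryDenyWriteExecute PrivateDevices \
CapabilityBoundingSet"

# missing_hardening UNITFILE
# Prints each hardening key that has no assignment inside the [Service]
# section of UNITFILE, one per line. Returns 0 when nothing is missing,
# 1 otherwise. Directives placed in other sections are ignored, because
# systemd would ignore them too.
missing_hardening() {
    unit="$1"
    missing=0
    # Keep only the lines that belong to the [Service] section.
    service_section=$(awk '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service { print }
    ' "$unit")
    for key in $HARDENING_KEYS; do
        # A directive counts as present if "Key=" starts a line; the value
        # itself is not validated here.
        if ! printf '%s\n' "$service_section" | grep -q "^${key}="; then
            printf '%s\n' "$key"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample unit (assumption: a minimal prometheus.service that
# carries only part of the hardening set), written to a temp file.
SAMPLE_UNIT=$(mktemp)
cat > "$SAMPLE_UNIT" <<'EOF'
[Unit]
Description=Monitoring system and time series database

[Service]
User=prometheus
ExecStart=/usr/bin/prometheus
NoNewPrivileges=true
ProtectHome=true
ProtectSystem=full
PrivateDevices=yes

[Install]
WantedBy=multi-user.target
EOF

# Prints the nine directives the sample unit lacks.
missing_hardening "$SAMPLE_UNIT" || echo "unit is missing hardening directives"
rm -f "$SAMPLE_UNIT"
```

This only inspects the text of one file, so drop-in overrides under a `.service.d/` directory are not merged in. On a live host, `systemd-analyze security prometheus.service` (available in the systemd 241 shipped with Debian 10) scores the effective, merged settings and is the better check once the unit is installed.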

-- System Information:
Debian Release: 10.2
  APT prefers stable-debug
  APT policy: (500, 'stable-debug'), (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages prometheus depends on:
ii  adduser                                  3.118
ii  daemon                                   0.6.4-1+b2
ii  debconf [debconf-2.0]                    1.5.71
ii  fonts-glyphicons-halflings               1.009~3.4.1+dfsg-1
ii  init-system-helpers                      1.56+nmu1
ii  libc6                                    2.28-10
ii  libjs-bootstrap                          3.4.1+dfsg-1
pn  libjs-bootstrap4                         <none>
pn  libjs-eonasdan-bootstrap-datetimepicker  <none>
ii  libjs-jquery                             3.3.1~dfsg-3
ii  libjs-jquery-hotkeys                     0~20130707+git2d51e3a9+dfsg-2
ii  libjs-moment                             2.24.0+ds-1
pn  libjs-moment-timezone                    <none>
pn  libjs-mustache                           <none>
pn  libjs-popper.js                          <none>
pn  libjs-rickshaw                           <none>
ii  systemd-sysv                             241-7~deb10u2

Versions of packages prometheus recommends:
ii  prometheus-node-exporter  0.17.0+ds-3+b11

prometheus suggests no packages.
