BoomMicrophone/nixpkgs-suyu
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #133189 from erdnaxe/prometheus-hardening

Browse source
This commit is contained in:
Martin Weinelt 2021-10-07 10:48:13 +02:00 committed by GitHub
commit 71dcb5ec27
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
13 changed files with 65 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
nixos/modules/services/monitoring/prometheus/exporters.nix
View file

@ -185,6 +185,28 @@ let
serviceConfig.DynamicUser = mkDefault enableDynamicUser;
serviceConfig.User = mkDefault conf.user;
serviceConfig.Group = conf.group;
# Hardening
serviceConfig.CapabilityBoundingSet = mkDefault [ "" ];
serviceConfig.DeviceAllow = [ "" ];
serviceConfig.LockPersonality = true;
serviceConfig.MemoryDenyWriteExecute = true;
serviceConfig.NoNewPrivileges = true;
serviceConfig.PrivateDevices = true;
serviceConfig.ProtectClock = true;
serviceConfig.ProtectControlGroups = true;
serviceConfig.ProtectHome = true;
serviceConfig.ProtectHostname = true;
serviceConfig.ProtectKernelLogs = true;
serviceConfig.ProtectKernelModules = true;
serviceConfig.ProtectKernelTunables = true;
serviceConfig.ProtectSystem = mkDefault "strict";
serviceConfig.RemoveIPC = true;
serviceConfig.RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
serviceConfig.RestrictNamespaces = true;
serviceConfig.RestrictRealtime = true;
serviceConfig.RestrictSUIDSGID = true;
serviceConfig.SystemCallArchitectures = "native";
serviceConfig.UMask = "0077";
} serviceOpts ]);
};
in

4
nixos/modules/services/monitoring/prometheus/exporters/bird.nix
View file

@ -41,6 +41,10 @@ in
-format.new=${if cfg.newMetricFormat then "true" else "false"} \
${concatStringsSep " \\\n " cfg.extraFlags}
'';
RestrictAddressFamilies = [
# Need AF_UNIX to collect data
"AF_UNIX"
];
};
};
}

4
nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix
View file

@ -83,6 +83,10 @@ in
--dovecot.scopes ${concatStringsSep "," cfg.scopes} \
${concatStringsSep " \\\n " cfg.extraFlags}
'';
RestrictAddressFamilies = [
# Need AF_UNIX to collect data
"AF_UNIX"
];
};
};
}

4
nixos/modules/services/monitoring/prometheus/exporters/kea.nix
View file

@ -34,6 +34,10 @@ in {
${concatStringsSep " \\n" cfg.controlSocketPaths}
'';
SupplementaryGroups = [ "kea" ];
RestrictAddressFamilies = [
# Need AF_UNIX to collect data
"AF_UNIX"
];
};
};
}

4
nixos/modules/services/monitoring/prometheus/exporters/knot.nix
View file

@ -45,6 +45,10 @@ in {
${concatStringsSep " \\\n " cfg.extraFlags}
'';
SupplementaryGroups = [ "knot" ];
RestrictAddressFamilies = [
# Need AF_UNIX to collect data
"AF_UNIX"
];
};
};
}

4
nixos/modules/services/monitoring/prometheus/exporters/modemmanager.nix
View file

@ -28,6 +28,10 @@ in
-rate ${cfg.refreshRate} \
${concatStringsSep " \\\n " cfg.extraFlags}
'';
RestrictAddressFamilies = [
# Need AF_UNIX to collect data
"AF_UNIX"
];
};
};
}

4
nixos/modules/services/monitoring/prometheus/exporters/postgres.nix
View file

@ -79,6 +79,10 @@ in
--web.telemetry-path ${cfg.telemetryPath} \
${concatStringsSep " \\\n " cfg.extraFlags}
'';
RestrictAddressFamilies = [
# Need AF_UNIX to collect data
"AF_UNIX"
];
};
};
}

1
nixos/modules/services/monitoring/prometheus/exporters/smokeping.nix
View file

@ -45,6 +45,7 @@ in
serviceOpts = {
serviceConfig = {
AmbientCapabilities = [ "CAP_NET_RAW" ];
CapabilityBoundingSet = [ "CAP_NET_RAW" ];
ExecStart = ''
${pkgs.prometheus-smokeping-prober}/bin/smokeping_prober \
--web.listen-address ${cfg.listenAddress}:${toString cfg.port} \

4
nixos/modules/services/monitoring/prometheus/exporters/sql.nix
View file

@ -99,6 +99,10 @@ in
-config.file ${configFile} \
${concatStringsSep " \\\n " cfg.extraFlags}
'';
RestrictAddressFamilies = [
# Need AF_UNIX to collect data
"AF_UNIX"
];
};
};
}

4
nixos/modules/services/monitoring/prometheus/exporters/systemd.nix
View file

@ -13,6 +13,10 @@ in {
${pkgs.prometheus-systemd-exporter}/bin/systemd_exporter \
--web.listen-address ${cfg.listenAddress}:${toString cfg.port}
'';
RestrictAddressFamilies = [
# Need AF_UNIX to collect data
"AF_UNIX"
];
};
};
}

4
nixos/modules/services/monitoring/prometheus/exporters/unbound.nix
View file

@ -49,6 +49,10 @@ in
${optionalString (cfg.controlInterface != null) "--control-interface ${cfg.controlInterface}"} \
${toString cfg.extraFlags}
'';
RestrictAddressFamilies = [
# Need AF_UNIX to collect data
"AF_UNIX"
];
};
}] ++ [
(mkIf config.services.unbound.enable {

5
nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix
View file

@ -52,6 +52,7 @@ in {
serviceConfig = {
AmbientCapabilities = [ "CAP_NET_ADMIN" ];
CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
ExecStart = ''
${pkgs.prometheus-wireguard-exporter}/bin/prometheus_wireguard_exporter \
-p ${toString cfg.port} \
@ -61,6 +62,10 @@ in {
${optionalString cfg.withRemoteIp "-r"} \
${optionalString (cfg.wireguardConfig != null) "-n ${escapeShellArg cfg.wireguardConfig}"}
'';
RestrictAddressFamilies = [
# Need AF_NETLINK to collect data
"AF_NETLINK"
];
};
};
}

1
pkgs/servers/monitoring/prometheus/openvpn-exporter.nix
View file

@ -16,6 +16,7 @@ buildGoModule rec {
meta = with lib; {
inherit (src.meta) homepage;
description = "Prometheus exporter for OpenVPN";
broken = true;
license = licenses.asl20;
maintainers = with maintainers; [ fpletz globin ];
};