From 9fea6d4c8551b7c8783f23e011a2ba113c95d0dd Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Sun, 8 Aug 2021 16:48:49 +0200
Subject: [PATCH 1/2] nixos/prometheus: systemd unit hardening of exporters
---
 .../monitoring/prometheus/exporters.nix | 22 +++++++++++++++++++
 .../monitoring/prometheus/exporters/bird.nix | 4 ++++
 .../prometheus/exporters/dovecot.nix | 4 ++++
 .../monitoring/prometheus/exporters/kea.nix | 4 ++++
 .../monitoring/prometheus/exporters/knot.nix | 4 ++++
 .../prometheus/exporters/modemmanager.nix | 4 ++++
 .../prometheus/exporters/postgres.nix | 4 ++++
 .../prometheus/exporters/smokeping.nix | 1 +
 .../monitoring/prometheus/exporters/sql.nix | 4 ++++
 .../prometheus/exporters/systemd.nix | 4 ++++
 .../prometheus/exporters/unbound.nix | 4 ++++
 .../prometheus/exporters/wireguard.nix | 5 +++++
 12 files changed, 64 insertions(+)
diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix
index 99dfea6daa70..b40d6b3ca004 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters.nix
@@ -185,6 +185,28 @@ let
 serviceConfig.DynamicUser = mkDefault enableDynamicUser;
 serviceConfig.User = mkDefault conf.user;
 serviceConfig.Group = conf.group;
+ # Hardening
+ serviceConfig.CapabilityBoundingSet = mkDefault [ "" ];
+ serviceConfig.DeviceAllow = [ "" ];
+ serviceConfig.LockPersonality = true;
+ serviceConfig.MemoryDenyWriteExecute = true;
+ serviceConfig.NoNewPrivileges = true;
+ serviceConfig.PrivateDevices = true;
+ serviceConfig.ProtectClock = true;
+ serviceConfig.ProtectControlGroups = true;
+ serviceConfig.ProtectHome = true;
+ serviceConfig.ProtectHostname = true;
+ serviceConfig.ProtectKernelLogs = true;
+ serviceConfig.ProtectKernelModules = true;
+ serviceConfig.ProtectKernelTunables = true;
+ serviceConfig.ProtectSystem = mkDefault "strict";
+ serviceConfig.RemoveIPC = true;
+ serviceConfig.RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ serviceConfig.RestrictNamespaces = true;
+ serviceConfig.RestrictRealtime = true;
+ serviceConfig.RestrictSUIDSGID = true;
+ serviceConfig.SystemCallArchitectures = "native";
+ serviceConfig.UMask = "0077";
 } serviceOpts ]);
 };
 in
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/bird.nix b/nixos/modules/services/monitoring/prometheus/exporters/bird.nix
index d8a526eafcea..1ef264fc86e5 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/bird.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/bird.nix
@@ -41,6 +41,10 @@ in
 -format.new=${if cfg.newMetricFormat then "true" else "false"} \
 ${concatStringsSep " \\\n " cfg.extraFlags}
 '';
+ RestrictAddressFamilies = [
+ # Need AF_UNIX to collect data
+ "AF_UNIX"
+ ];
 };
 };
 }
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix b/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix
index 472652fe8a7a..092ac6fea7d7 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix
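Review bot: Every hardening value in this hunk except `CapabilityBoundingSet` and `ProtectSystem` is defined at normal priority, so an exporter module that has to relax one of them (for instance `MemoryDenyWriteExecute` or `ProtectHome` for a runtime that needs them) would clash with the base definition unless it reaches for mkForce; wrapping each value in `mkDefault`, as the two existing ones already are, keeps the override path uniform. Related: the per-exporter `RestrictAddressFamilies = [ "AF_UNIX" ]` additions in bird, dovecot, kea, knot, modemmanager, postgres, sql, systemd and unbound (and AF_NETLINK in wireguard) only work because list-valued unit options are concatenated with the exporter's serviceOpts, and nothing here states that; a comment above the RestrictAddressFamilies line such as `# list options are merged (concatenated) with the exporter's serviceOpts; an exporter adds families, it does not replace AF_INET/AF_INET6` would make the contract explicit. The set also has no syscall filter; `serviceConfig.SystemCallFilter = mkDefault [ "@system-service" "~@privileged" ];` is the usual companion to `SystemCallArchitectures = "native"`, with mkDefault so an exporter that needs more can widen it. The binding that builds the exporter unit starts before the hunk.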
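Review bot: `# Need AF_UNIX to collect data` says neither which endpoint the exporter reaches over a Unix socket nor that the entry is added to the `AF_INET`/`AF_INET6` list from exporters.nix rather than replacing it, and the same wording is repeated verbatim in dovecot.nix, kea.nix, knot.nix, modemmanager.nix, postgres.nix, sql.nix, systemd.nix and unbound.nix (wireguard.nix with AF_NETLINK). Naming the endpoint per file, e.g. here `# AF_UNIX: bird_exporter reads metrics from the BIRD control socket; merged with the base AF_INET/AF_INET6 list`, records why the hardening is relaxed and lets a later change to the socket option be checked against the allowed families. The serviceConfig set this sits in starts before the hunk.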
@@ -83,6 +83,10 @@ in
 --dovecot.scopes ${concatStringsSep "," cfg.scopes} \
 ${concatStringsSep " \\\n " cfg.extraFlags}
 '';
+ RestrictAddressFamilies = [
+ # Need AF_UNIX to collect data
+ "AF_UNIX"
+ ];
 };
 };
 }
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/kea.nix b/nixos/modules/services/monitoring/prometheus/exporters/kea.nix
index 0571325c5d9a..27aeb9096243 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/kea.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/kea.nix
@@ -34,6 +34,10 @@ in {
 ${concatStringsSep " \\n" cfg.controlSocketPaths}
 '';
 SupplementaryGroups = [ "kea" ];
+ RestrictAddressFamilies = [
+ # Need AF_UNIX to collect data
+ "AF_UNIX"
+ ];
 };
 };
 }
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/knot.nix b/nixos/modules/services/monitoring/prometheus/exporters/knot.nix
index 2acaac293b6f..29e543f1013b 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/knot.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/knot.nix
@@ -45,6 +45,10 @@ in {
 ${concatStringsSep " \\\n " cfg.extraFlags}
 '';
 SupplementaryGroups = [ "knot" ];
+ RestrictAddressFamilies = [
+ # Need AF_UNIX to collect data
+ "AF_UNIX"
+ ];
 };
 };
 }
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/modemmanager.nix b/nixos/modules/services/monitoring/prometheus/exporters/modemmanager.nix
index 86ea98b94e4c..afd03f6c270e 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/modemmanager.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/modemmanager.nix
@@ -28,6 +28,10 @@ in
 -rate ${cfg.refreshRate} \
 ${concatStringsSep " \\\n " cfg.extraFlags}
 '';
+ RestrictAddressFamilies = [
+ # Need AF_UNIX to collect data
+ "AF_UNIX"
+ ];
 };
 };
 }
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/postgres.nix b/nixos/modules/services/monitoring/prometheus/exporters/postgres.nix
index dd3bec8ec16c..3f9a32ef3995 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/postgres.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/postgres.nix
@@ -79,6 +79,10 @@ in
 --web.telemetry-path ${cfg.telemetryPath} \
 ${concatStringsSep " \\\n " cfg.extraFlags}
 '';
+ RestrictAddressFamilies = [
+ # Need AF_UNIX to collect data
+ "AF_UNIX"
+ ];
 };
 };
 }
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/smokeping.nix b/nixos/modules/services/monitoring/prometheus/exporters/smokeping.nix
index 0a7bb9c27be2..0181c341a7ef 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/smokeping.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/smokeping.nix
@@ -45,6 +45,7 @@ in
 serviceOpts = {
 serviceConfig = {
 AmbientCapabilities = [ "CAP_NET_RAW" ];
+ CapabilityBoundingSet = [ "CAP_NET_RAW" ];
 ExecStart = ''
 ${pkgs.prometheus-smokeping-prober}/bin/smokeping_prober \
 --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/sql.nix b/nixos/modules/services/monitoring/prometheus/exporters/sql.nix
index d9be724ebc03..3496fd9541f3 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/sql.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/sql.nix
@@ -99,6 +99,10 @@ in
 -config.file ${configFile} \
 ${concatStringsSep " \\\n " cfg.extraFlags}
 '';
+ RestrictAddressFamilies = [
+ # Need AF_UNIX to collect data
+ "AF_UNIX"
+ ];
 };
 };
 }
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/systemd.nix b/nixos/modules/services/monitoring/prometheus/exporters/systemd.nix
index 0514469b8a61..c0a50f07d717 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/systemd.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/systemd.nix
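Review bot: `CapabilityBoundingSet = [ "CAP_NET_RAW" ];` silently depends on exporters.nix having set `CapabilityBoundingSet = mkDefault [ "" ]`, which is the only reason this normal-priority definition wins instead of clashing with the base value; a reader of smokeping.nix alone cannot see that contract. A one-line comment, `# widens the empty bounding set from exporters.nix; CAP_NET_RAW is needed for the prober's raw ICMP sockets`, would record it, and the same applies to the CAP_NET_ADMIN line added in wireguard.nix. The serviceConfig set continues past the end of the hunk.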
@@ -13,6 +13,10 @@ in {
 ${pkgs.prometheus-systemd-exporter}/bin/systemd_exporter \
 --web.listen-address ${cfg.listenAddress}:${toString cfg.port}
 '';
+ RestrictAddressFamilies = [
+ # Need AF_UNIX to collect data
+ "AF_UNIX"
+ ];
 };
 };
 }
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/unbound.nix b/nixos/modules/services/monitoring/prometheus/exporters/unbound.nix
index 56a559531c14..cf0efddd340a 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/unbound.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/unbound.nix
@@ -49,6 +49,10 @@ in
 ${optionalString (cfg.controlInterface != null) "--control-interface ${cfg.controlInterface}"} \
 ${toString cfg.extraFlags}
 '';
+ RestrictAddressFamilies = [
+ # Need AF_UNIX to collect data
+ "AF_UNIX"
+ ];
 };
 }] ++ [
 (mkIf config.services.unbound.enable {
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix b/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix
index 04421fc2d25a..d4aa69629ec8 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix
@@ -52,6 +52,7 @@ in {

 serviceConfig = {
 AmbientCapabilities = [ "CAP_NET_ADMIN" ];
+ CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
 ExecStart = ''
 ${pkgs.prometheus-wireguard-exporter}/bin/prometheus_wireguard_exporter \
 -p ${toString cfg.port} \
@@ -61,6 +62,10 @@ in {
 ${optionalString cfg.withRemoteIp "-r"} \
 ${optionalString (cfg.wireguardConfig != null) "-n ${escapeShellArg cfg.wireguardConfig}"}
 '';
+ RestrictAddressFamilies = [
+ # Need AF_NETLINK to collect data
+ "AF_NETLINK"
+ ];
 };
 };
 }
From 0b6148fae9e2fb8e849591aace726de769051241 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Wed, 25 Aug 2021 18:05:22 +0200
Subject: [PATCH 2/2] prometheus-openvpn-exporter: mark as broken
Prometheus OpenVPN exporter has been broken since OpenVPN 2.5.0 changed the format of the datetime to ISO8601. After submitting an issue to upstream, the upstream decided to no longer maintain this exporter.
---
 pkgs/servers/monitoring/prometheus/openvpn-exporter.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkgs/servers/monitoring/prometheus/openvpn-exporter.nix b/pkgs/servers/monitoring/prometheus/openvpn-exporter.nix
index 42a8187214ed..78224bcfaa82 100644
--- a/pkgs/servers/monitoring/prometheus/openvpn-exporter.nix
+++ b/pkgs/servers/monitoring/prometheus/openvpn-exporter.nix
@@ -16,6 +16,7 @@ buildGoModule rec {
 meta = with lib; {
 inherit (src.meta) homepage;
 description = "Prometheus exporter for OpenVPN";
+ broken = true;
 license = licenses.asl20;
 maintainers = with maintainers; [ fpletz globin ];
 };