diff --git a/nixos/modules/services/monitoring/prometheus/alertmanager-webhook-logger.nix b/nixos/modules/services/monitoring/prometheus/alertmanager-webhook-logger.nix
index b4307a76e1b0..b3665b66ba40 100644
--- a/nixos/modules/services/monitoring/prometheus/alertmanager-webhook-logger.nix
+++ b/nixos/modules/services/monitoring/prometheus/alertmanager-webhook-logger.nix
@@ -32,9 +32,15 @@ in
${escapeShellArgs cfg.extraFlags}
'';
+ CapabilityBoundingSet = [ "" ];
+ DeviceAllow = [ "" ];
DynamicUser = true;
NoNewPrivileges = true;
+ MemoryDenyWriteExecute = true;
+
+ LockPersonality = true;
+
ProtectProc = "invisible";
ProtectSystem = "strict";
ProtectHome = "tmpfs";
@@ -43,6 +49,8 @@ in
PrivateDevices = true;
PrivateIPC = true;
+ ProcSubset = "pid";
+
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
@@ -50,7 +58,10 @@ in
ProtectKernelLogs = true;
ProtectControlGroups = true;
+ Restart = "on-failure";
+
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
diff --git a/nixos/modules/services/monitoring/prometheus/alertmanager.nix b/nixos/modules/services/monitoring/prometheus/alertmanager.nix
index d1d8f2caaf63..f40ac3c9138f 100644
--- a/nixos/modules/services/monitoring/prometheus/alertmanager.nix
+++ b/nixos/modules/services/monitoring/prometheus/alertmanager.nix
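Review bot: `SystemCallArchitectures` and `UMask` are still unset after this hunk, so `systemd-analyze security` — whose non-✓ lines the tests in this commit now print — will keep listing the unit as able to use non-native syscall ABIs and as creating world-readable files by default. Next to `LockPersonality = true;` add `SystemCallArchitectures = "native";` and `UMask = "0077";`, which closes both findings without affecting a pure stdout logger. The rest of this `serviceConfig` attribute set, including any `SystemCallFilter`, lies outside the hunks shown here.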
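Review bot: `Restart = "on-failure";` is added in the third hunk while the alertmanager and pushgateway units in this same change get `Restart = "always";`, and nothing in the hunk says why the webhook logger differs. If the difference is deliberate (the logger appears to be a test sink rather than a service that must stay up), a one-line comment would keep the next hardening pass from "aligning" it, e.g. `# on-failure, not always: a clean exit of the logger should not be restarted`; if it is not deliberate, use `"always"` like its siblings.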
@@ -181,15 +181,57 @@ in {
-i "${alertmanagerYml}"
'';
serviceConfig = {
- Restart = "always";
- StateDirectory = "alertmanager";
- DynamicUser = true; # implies PrivateTmp
- EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
- WorkingDirectory = "/tmp";
ExecStart = "${cfg.package}/bin/alertmanager" + optionalString (length cmdlineArgs != 0) (" \\\n " + concatStringsSep " \\\n " cmdlineArgs);
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+
+ EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
+
+ CapabilityBoundingSet = [ "" ];
+ DeviceAllow = [ "" ];
+ DynamicUser = true;
+ NoNewPrivileges = true;
+
+ MemoryDenyWriteExecute = true;
+
+ LockPersonality = true;
+
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ ProtectHome = "tmpfs";
+
+ PrivateTmp = true;
+ PrivateDevices = true;
+ PrivateIPC = true;
+
+ ProcSubset = "pid";
+
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+
+ Restart = "always";
+
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+
+ StateDirectory = "alertmanager";
+ SystemCallFilter = [
+ "@system-service"
+ "~@cpu-emulation"
+ "~@privileged"
+ "~@reboot"
+ "~@setuid"
+ "~@swap"
+ ];
+
+ WorkingDirectory = "/tmp";
};
};
})
diff --git a/nixos/modules/services/monitoring/prometheus/pushgateway.nix b/nixos/modules/services/monitoring/prometheus/pushgateway.nix
index 80e2339f5925..d4f9c4a29f38 100644
--- a/nixos/modules/services/monitoring/prometheus/pushgateway.nix
+++ b/nixos/modules/services/monitoring/prometheus/pushgateway.nix
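Review bot: `RestrictAddressFamilies` gains `AF_NETLINK` here without a comment, while the pushgateway unit in the same change gets only `AF_INET`/`AF_INET6`; presumably alertmanager's cluster code needs it (Go's `net.Interfaces()` enumerates addresses over netlink when the advertise address is auto-detected), but that is inferred, not visible in the hunk. Add a why-comment on that line, e.g. `# AF_NETLINK: presumably needed for interface enumeration by the cluster advertise-address lookup — confirm`, so the next hardening pass does not drop it. Separately, `ProtectSystem = "strict"` leaves `StateDirectory = "alertmanager"` as the only writable location — where the silences and notification log end up if `--storage.path` in `cmdlineArgs` points there — yet `UMask` stays at the default 0022, so those files are likely world-readable; `UMask = "0077";` beside `StateDirectory` fixes that. `cmdlineArgs` is built outside the hunk, so the storage path itself cannot be checked here.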
@@ -147,12 +147,52 @@ in {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
- Restart = "always";
- DynamicUser = true;
ExecStart = "${cfg.package}/bin/pushgateway" + optionalString (length cmdlineArgs != 0) (" \\\n " + concatStringsSep " \\\n " cmdlineArgs);
+
+ CapabilityBoundingSet = [ "" ];
+ DeviceAllow = [ "" ];
+ DynamicUser = true;
+ NoNewPrivileges = true;
+
+ MemoryDenyWriteExecute = true;
+
+ LockPersonality = true;
+
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ ProtectHome = "tmpfs";
+
+ PrivateTmp = true;
+ PrivateDevices = true;
+ PrivateIPC = true;
+
+ ProcSubset = "pid";
+
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+
+ Restart = "always";
+
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
StateDirectory = if cfg.persistMetrics then cfg.stateDir else null;
+ SystemCallFilter = [
+ "@system-service"
+ "~@cpu-emulation"
+ "~@privileged"
+ "~@reboot"
+ "~@setuid"
+ "~@swap"
+ ];
};
};
};
diff --git a/nixos/tests/prometheus/alertmanager.nix b/nixos/tests/prometheus/alertmanager.nix
index feda8d8fc2bc..6301db6df62e 100644
--- a/nixos/tests/prometheus/alertmanager.nix
+++ b/nixos/tests/prometheus/alertmanager.nix
@@ -144,5 +144,9 @@ import ../make-test-python.nix ({ lib, pkgs, ... }:
logger.wait_until_succeeds(
"journalctl -o cat -u alertmanager-webhook-logger.service | grep '\"alertname\":\"InstanceDown\"'"
)
+
+ logger.log(logger.succeed("systemd-analyze security alertmanager-webhook-logger.service | grep -v '✓'"))
+
+ alertmanager.log(alertmanager.succeed("systemd-analyze security alertmanager.service | grep -v '✓'"))
'';
})
diff --git a/nixos/tests/prometheus/pushgateway.nix b/nixos/tests/prometheus/pushgateway.nix
index 7904c8bf45b0..261c41598eb0 100644
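Review bot: `ProtectSystem = "strict"` is new for this unit, and the only writable path it leaves is the `StateDirectory`, which is `null` unless `persistMetrics` is set; if the `--persistence.file` passed through `cmdlineArgs` (built outside the hunk) lives anywhere other than `/var/lib/${cfg.stateDir}`, the gateway will now get a read-only-filesystem error on every snapshot instead of persisting. Either tie the persistence path to `stateDir` with an assertion or cover `persistMetrics = true` in the VM test, and mark the constraint on the context line, e.g. `# the only writable path under ProtectSystem=strict; the persistence file must live here`. The enclosing module body continues outside the hunk.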
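Review bot: The two `systemd-analyze security … | grep -v '✓'` calls only log the report, so a later change that drops one of the hardening directives added in this commit still passes the test. `systemd-analyze security` can fail the test itself via `--threshold=`, which exits non-zero when the exposure level exceeds the given value (confirm the flag against the systemd version NixOS pins); replace each log line with a check such as `alertmanager.succeed("systemd-analyze security --threshold=3.0 alertmanager.service")`, choosing the threshold just above the score the unit currently reaches. That also removes the dependence on `grep -v '✓'`, which presumably relies on the VM locale making systemd print the UTF-8 check-mark glyph.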
--- a/nixos/tests/prometheus/pushgateway.nix
+++ b/nixos/tests/prometheus/pushgateway.nix
@@ -90,5 +90,7 @@ import ../make-test-python.nix ({ lib, pkgs, ... }:
"curl -sf 'http://127.0.0.1:9090/api/v1/query?query=absent(some_metric)' | " +
"jq '.data.result[0].value[1]' | grep '\"1\"'"
)
+
+ pushgateway.log(pushgateway.succeed("systemd-analyze security pushgateway.service | grep -v '✓'"))
'';
})
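Review bot: The added `pushgateway.log(...)` line records the `systemd-analyze security` report but asserts nothing, so the hardening this commit adds to `pushgateway.service` can regress silently. `systemd-analyze security --threshold=N pushgateway.service` exits non-zero above the chosen exposure level and turns the line into a real check: `pushgateway.succeed("systemd-analyze security --threshold=3.0 pushgateway.service")`, with N picked just above the unit's current score (confirm the flag exists in the pinned systemd). Since `succeed` already fails the test on a non-zero exit, nothing else in the script needs to change.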