authorCraig Andrews <candrews@integralblue.com>2016-06-24 16:54:24 -0400
committerCraig Andrews <candrews@integralblue.com>2016-08-02 15:25:37 -0400
commit0ca50e4e41eb2f42a536e0f883d32120c1520e26 (patch)
treed68c8840d407ca1c7127fc2dc03c0eacd9d3486b /system/netdata.service.in
parentab052b57d1cd38770fbc61ef581b85086b6ba465 (diff)
Harden the netdata systemd service
Netdata runs as the "netdata" user (not root), all capabilities are stripped, a private /tmp is used, and most of the file system is made read only. See https://www.freedesktop.org/software/systemd/man/systemd.exec.html
Diffstat (limited to 'system/netdata.service.in')
-rw-r--r--system/netdata.service.in18
1 files changed, 14 insertions, 4 deletions
diff --git a/system/netdata.service.in b/system/netdata.service.in
index 65e33cec29..0dd6eba38d 100644
--- a/system/netdata.service.in
+++ b/system/netdata.service.in
@@ -5,13 +5,23 @@ After=network.target httpd.service squid.service nfs-server.service mysqld.servi
[Service]
Type=forking
WorkingDirectory=/tmp
-User=root
-Group=root
-PIDFile=@localstatedir_POST@/run/netdata.pid
-ExecStart=@sbindir_POST@/netdata -P @localstatedir_POST@/run/netdata.pid
+User=netdata
+Group=netdata
+RuntimeDirectory=netdata
+PIDFile=@localstatedir_POST@/run/netdata/netdata.pid
+ExecStart=@sbindir_POST@/netdata -P @localstatedir_POST@/run/netdata/netdata.pid
KillMode=mixed
KillSignal=SIGTERM
TimeoutStopSec=30
+#Hardening
+AmbientCapabilities=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE
+PrivateTmp=true
+ProtectSystem=full
+ProtectHome=read-only
+#NoNewPrivileges=true is implicitly set by the MemoryDenyWriteExecute=true
+MemoryDenyWriteExecute=true
+
[Install]
WantedBy=multi-user.target
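Review bot: The comment above `MemoryDenyWriteExecute=true` relies on that directive to turn on no-new-privileges as a side effect, which holds only where systemd recognises the directive and installs its seccomp filter without CAP_SYS_ADMIN; a systemd that ignores the key as unknown would leave the unit without it. I would state it directly with `NoNewPrivileges=true` beside the other hardening lines and drop the comment. The two retained capabilities, `CAP_DAC_READ_SEARCH` and `CAP_SYS_PTRACE`, are set as ambient and so pass to every child the daemon spawns; a short comment under `#Hardening` naming which collector needs each would make the grant reviewable, since the commit message says all capabilities are stripped. Separately, `RuntimeDirectory=netdata` creates its directory under /run, while `PIDFile=` and `-P` point at `@localstatedir_POST@/run/netdata/`, so the two agree only where that prefix resolves to /run.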