From 0ca50e4e41eb2f42a536e0f883d32120c1520e26 Mon Sep 17 00:00:00 2001
From: Craig Andrews
Date: Fri, 24 Jun 2016 16:54:24 -0400
Subject: Harden the netdata systemd service
Netdata runs as the "netdata" user (not root), all capabilities are stripped, a private /tmp is used, and most of the file system is made read only. See https://www.freedesktop.org/software/systemd/man/systemd.exec.html
---
 system/netdata.service.in | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
(limited to 'system/netdata.service.in')
diff --git a/system/netdata.service.in b/system/netdata.service.in
index 65e33cec29..0dd6eba38d 100644
--- a/system/netdata.service.in
+++ b/system/netdata.service.in
@@ -5,13 +5,23 @@ After=network.target httpd.service squid.service nfs-server.service mysqld.servi
 [Service]
 Type=forking
 WorkingDirectory=/tmp
-User=root
-Group=root
-PIDFile=@localstatedir_POST@/run/netdata.pid
-ExecStart=@sbindir_POST@/netdata -P @localstatedir_POST@/run/netdata.pid
+User=netdata
+Group=netdata
+RuntimeDirectory=netdata
+PIDFile=@localstatedir_POST@/run/netdata/netdata.pid
+ExecStart=@sbindir_POST@/netdata -P @localstatedir_POST@/run/netdata/netdata.pid
 KillMode=mixed
 KillSignal=SIGTERM
 TimeoutStopSec=30
+#Hardening
+AmbientCapabilities=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE
+PrivateTmp=true
+ProtectSystem=full
+ProtectHome=read-only
+#NoNewPrivileges=true is implicitly set by the MemoryDenyWriteExecute=true
+MemoryDenyWriteExecute=true
+
 [Install]
 WantedBy=multi-user.target
--
cgit v1.2.3
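Review bot: The new side relies on `MemoryDenyWriteExecute=true` to imply `NoNewPrivileges=`, as the added `#NoNewPrivileges=true is implicitly set ...` comment says, but systemd logs and ignores directives it does not recognise, so on a systemd that predates MemoryDenyWriteExecute= the implication vanishes with it and any set-user-ID binary the daemon execs regains its privileges. Stating it explicitly, `NoNewPrivileges=true` on its own line above `MemoryDenyWriteExecute=true`, keeps that guarantee independent of the systemd version and makes the comment unnecessary. The `#Hardening` block also says nothing about why CAP_DAC_READ_SEARCH and CAP_SYS_PTRACE are retained; a line such as `# Both capabilities are inherited by every child plugin the daemon execs; remove them if no plugin reads other users' /proc/<pid> files` would help, hedged because the plugin that needs them is not visible in this hunk. Worth noting in that comment too is that these two capabilities together let the daemon, and anything that compromises its network listener, read any file and any process's memory on the host, so if only one plugin binary needs them they are better granted as file capabilities on that binary than ambiently to the whole service.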