Harden the netdata systemd service

author Craig Andrews <candrews@integralblue.com>

Fri, 24 Jun 2016 20:54:24 +0000 (16:54 -0400)

committer Craig Andrews <candrews@integralblue.com>

Tue, 2 Aug 2016 19:25:37 +0000 (15:25 -0400)
author Craig Andrews <candrews@integralblue.com>
Fri, 24 Jun 2016 20:54:24 +0000 (16:54 -0400)
committer Craig Andrews <candrews@integralblue.com>
Tue, 2 Aug 2016 19:25:37 +0000 (15:25 -0400)
diff --git a/system/netdata.service.in b/system/netdata.service.in

index 65e33cec29f476c92e7e5f0960e724a231815991..0dd6eba38d9f18aa4f3d8ee922a3b00390c2e495 100644 (file)
--- a/system/netdata.service.in
+++ b/system/netdata.service.in
@@ -5,13 +5,23 @@ After=network.target httpd.service squid.service nfs-server.service mysqld.servi
  [Service]
  Type=forking
  WorkingDirectory=/tmp
-User=root
-Group=root
-PIDFile=@localstatedir_POST@/run/netdata.pid
-ExecStart=@sbindir_POST@/netdata -P @localstatedir_POST@/run/netdata.pid
+User=netdata
+Group=netdata
+RuntimeDirectory=netdata
+PIDFile=@localstatedir_POST@/run/netdata/netdata.pid
+ExecStart=@sbindir_POST@/netdata -P @localstatedir_POST@/run/netdata/netdata.pid
  KillMode=mixed
  KillSignal=SIGTERM
  TimeoutStopSec=30
  
+#Hardening
+AmbientCapabilities=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE
+PrivateTmp=true
+ProtectSystem=full
+ProtectHome=read-only
+#NoNewPrivileges=true is implicitly set by the MemoryDenyWriteExecute=true
+MemoryDenyWriteExecute=true
+
  [Install]
  WantedBy=multi-user.target
author	Craig Andrews <candrews@integralblue.com>
	Fri, 24 Jun 2016 20:54:24 +0000 (16:54 -0400)
committer	Craig Andrews <candrews@integralblue.com>
	Tue, 2 Aug 2016 19:25:37 +0000 (15:25 -0400)