Package: prometheus
Severity: wishlist

I'm working with the Puppet community to maintain a Prometheus Puppet module that's available here:

https://github.com/voxpupuli/puppet-prometheus/

We recently introduced a new feature where the systemd unit file is hardened. I think it would be a great addition to the Debian package as well, considering that it seems to work for us.

Here's the magic incantation that was added:

    NoNewPrivileges=true
    ProtectHome=true
    ProtectSystem=full
    ProtectHostname=true
    ProtectControlGroups=true
    ProtectKernelModules=true
    ProtectKernelTunables=true
    LockPersonality=true
    RestrictRealtime=yes
    RestrictNamespaces=yes
    MemoryDenyWriteExecute=yes
    PrivateDevices=yes
    CapabilityBoundingSet=

This was brought in from Arch Linux, where those settings are apparently in place as well:

https://github.com/voxpupuli/puppet-prometheus/pull/415

-- System Information:
Debian Release: 10.2
  APT prefers stable-debug
  APT policy: (500, 'stable-debug'), (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages prometheus depends on:
ii  adduser                                 3.118
ii  daemon                                  0.6.4-1+b2
ii  debconf [debconf-2.0]                   1.5.71
ii  fonts-glyphicons-halflings              1.009~3.4.1+dfsg-1
ii  init-system-helpers                     1.56+nmu1
ii  libc6                                   2.28-10
ii  libjs-bootstrap                         3.4.1+dfsg-1
pn  libjs-bootstrap4                        <none>
pn  libjs-eonasdan-bootstrap-datetimepicker <none>
ii  libjs-jquery                            3.3.1~dfsg-3
ii  libjs-jquery-hotkeys                    0~20130707+git2d51e3a9+dfsg-2
ii  libjs-moment                            2.24.0+ds-1
pn  libjs-moment-timezone                   <none>
pn  libjs-mustache                          <none>
pn  libjs-popper.js                         <none>
pn  libjs-rickshaw                          <none>
ii  systemd-sysv                            241-7~deb10u2

Versions of packages prometheus recommends:
ii  prometheus-node-exporter  0.17.0+ds-3+b11

prometheus suggests no packages.
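Added example (not part of the bug report, the Debian package or the Puppet module): a POSIX sh check that compares the hardening directives listed in the report against what systemd reports for a unit, so a packager can verify the settings took effect rather than trusting the unit file. It assumes `systemctl show` prints the booleans as yes/no and an emptied bounding set as `CapabilityBoundingSet=`; the function names and the sample output are constructed for this example.

```shell
#!/bin/sh
# Expected property values as `systemctl show` prints them (assumption:
# booleans appear as yes/no, the emptied bounding set as an empty value).
EXPECTED='NoNewPrivileges=yes
ProtectHome=yes
ProtectSystem=full
ProtectHostname=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
RestrictRealtime=yes
RestrictNamespaces=yes
MemoryDenyWriteExecute=yes
PrivateDevices=yes
CapabilityBoundingSet='

# audit_properties FILE: FILE holds Key=Value lines as printed by
# `systemctl show UNIT`. Prints one MISMATCH line per directive that is
# unset or differs from EXPECTED; returns 0 if all match, 1 otherwise.
audit_properties() {
    status=0
    for want in $EXPECTED; do
        key=${want%%=*}
        actual=$(grep "^$key=" "$1" | head -n 1)
        if [ "$actual" != "$want" ]; then
            printf 'MISMATCH want %s got %s\n' "$want" "${actual:-<unset>}"
            status=1
        fi
    done
    return $status
}

# audit_unit UNIT: run the same check against a live unit on a systemd host
# (e.g. audit_unit prometheus.service).
audit_unit() {
    tmp=$(mktemp) && systemctl show "$1" > "$tmp"
    audit_properties "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample of `systemctl show` output for a unit that applied
# every directive except MemoryDenyWriteExecute and the empty bounding set.
SAMPLE=$(mktemp)
printf 'Id=prometheus.service\n%s\n' "$EXPECTED" \
  | sed -e 's/^MemoryDenyWriteExecute=yes$/MemoryDenyWriteExecute=no/' \
        -e 's/^CapabilityBoundingSet=$/CapabilityBoundingSet=cap_chown cap_net_bind_service/' \
  > "$SAMPLE"
audit_properties "$SAMPLE" || echo "sample unit is not fully hardened"
```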