From a78a902603cffd08d463d2333e87e30b52433955 Mon Sep 17 00:00:00 2001
From: Linus Wallgren
Date: Tue, 8 Jan 2019 19:18:41 +0100
Subject: [PATCH] Lock down systemd service

To be on the safe side, restrict what the service can do.
---
 tasks/preflight.yml                | 8 ++++++++
 templates/node_exporter.service.j2 | 13 +++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/tasks/preflight.yml b/tasks/preflight.yml
index 3a8f9e8..afa27cd 100644
--- a/tasks/preflight.yml
+++ b/tasks/preflight.yml
@@ -15,6 +15,14 @@
   when: item in node_exporter_enabled_collectors
   with_items: "{{ node_exporter_disabled_collectors }}"
 
+- name: Get systemd version
+  shell: systemctl --version | awk '$1 == "systemd" {print $2}'
+  changed_when: false
+  check_mode: false
+  register: node_exporter_systemd_version
+  tags:
+    - skip_ansible_lint
+
 - name: Get checksum list from github
   set_fact:
     _checksums: "{{ lookup('url', 'https://github.com/prometheus/node_exporter/releases/download/v' + node_exporter_version + '/sha256sums.txt', wantlist=True) | list }}"
diff --git a/templates/node_exporter.service.j2 b/templates/node_exporter.service.j2
index bff4ccd..e8d0535 100644
--- a/templates/node_exporter.service.j2
+++ b/templates/node_exporter.service.j2
@@ -27,5 +27,18 @@ ExecStart=/usr/local/bin/node_exporter \
 SyslogIdentifier=node_exporter
 Restart=always
 
+PrivateTmp=yes
+ProtectHome=yes
+NoNewPrivileges=yes
+
+{% if node_exporter_systemd_version.stdout | int >= 232 %}
+ProtectSystem=strict
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=yes
+{% else %}
+ProtectSystem=full
+{% endif %}
+
 [Install]
 WantedBy=multi-user.target
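Review bot: The `systemctl --version | awk ...` pipeline returns awk's exit status, so a failing or missing `systemctl` gives rc 0 with empty stdout, the template's `| int` turns that into 0, and the unit is silently rendered with the weaker `ProtectSystem=full` branch — a hardening downgrade that nothing reports. Make the task fail loudly instead, e.g. `failed_when: not (node_exporter_systemd_version.stdout | trim | regex_search('^[0-9]+$'))`, or run it under bash with `set -o pipefail` so systemctl's own status propagates. I take the `skip_ansible_lint` tag to be for the shell-pipe rule; a short comment saying so next to it would spare the next reader a guess. Because `skip_ansible_lint` is the task's only tag, a tagged run that skips preflight leaves `node_exporter_systemd_version` undefined when the template renders, which is worth a comment on the task (or a `default` in the template).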
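Review bot: The `>= 232` branch stops short of restrictions that the same systemd generation already supports and that a metrics-only exporter can take without losing anything: a bounding set, an address-family allowlist and realtime/arch restrictions; the hardening here leaves the process with the full capability set and every socket family, assuming the unit already runs under an unprivileged `User=` above the hunk (not visible here). The strict branch also mixes `true` and `yes` for the same kind of boolean; systemd accepts both, but pick one spelling so the file reads as one author's. The lines below are what I would add inside the strict branch; `AF_UNIX` is kept because some collectors talk to D-Bus over a unix socket, and a collector that needs netlink would have to add `AF_NETLINK`, so validate against the collector set this role enables before merging.

```jinja
{% if node_exporter_systemd_version.stdout | int >= 232 %}
ProtectSystem=strict
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
# Metrics-only process: no capabilities, only the socket families it serves/reads on,
# no realtime scheduling, no non-native syscall ABIs.
CapabilityBoundingSet=
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictRealtime=yes
SystemCallArchitectures=native
{% else %}
# … unchanged: ProtectSystem=full fallback for older systemd …
```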