From 8f586ed65bcde5f63d9f4ed6736e14d9edd5d1b0 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Sun, 20 Nov 2022 09:24:02 +0100 Subject: [PATCH] Document systemd unit for normal users (#97) --- README.md | 42 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 41 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 5f7d668..f62a149 100644 --- a/README.md +++ b/README.md @@ -262,7 +262,7 @@ wireguard_latest_handshake_seconds{interface="wg0",public_key="wTjv6hS6fKfNK+SzO ### Systemd service file -Now add the exporter to the Prometheus exporters as usual. I recommend to start it as a service. It's necessary to run it as root (if there is a non-root way to call `wg show all dump` please let me know). My systemd service file is like this one: +Now add the exporter to the Prometheus exporters as usual. I recommend to start it as a service. It's necessary to run it as root or configure a sudo rule (if there is a non-root way to call `wg show all dump` please let me know). My systemd service file is like this one: ```ini [Unit] 
@@ -280,6 +280,46 @@ ExecStart=/usr/local/bin/prometheus_wireguard_exporter -n /etc/wireguard/peers.c WantedBy=multi-user.target ``` +Running it as normal user + hardening: + +```ini +[Unit] +Description=Prometheus WireGuard Exporter +Wants=network-online.target +After=network-online.target + +[Service] +User=wireguard_exporter +Group=wireguard_exporter +Type=simple +Restart=on-failure +EnvironmentFile=-/etc/conf.d/prometheus-wireguard-exporter +ExecStart=/usr/local/bin/prometheus-wireguard-exporter $WIREGUARD_EXPORTER_ARGS +PrivateTmp=yes +ProtectHome=yes +ProtectControlGroups=yes +UMask=077 +RemoveIPC=yes +BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout +ProtectSystem=strict +ProtectProc=noaccess + +[Install] +WantedBy=multi-user.target +``` + +Most of the other systemd hardening options won't work because they block sudo. With the above unit, you can use the following sudo rule: + +``` +wireguard_exporter ALL=(root) NOPASSWD: /usr/bin/wg +``` + +If you're interested in more hardening, you can analyze the unit with: + +``` +systemd-analyze security prometheus-wireguard-exporter.service +``` + ## Development ### Locally
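Review bot: The sudo rule `wireguard_exporter ALL=(root) NOPASSWD: /usr/bin/wg` in this hunk grants the service account passwordless root for every `wg` subcommand, not just the read-only `wg show all dump` the README says the exporter needs; with that rule the exporter user could also run `wg set` or `wg showconf`, so a compromise of the exporter process is effectively a compromise of the tunnel configuration and keys. Since sudoers matches listed arguments exactly, restricting the rule to the one command used is enough, e.g. `wireguard_exporter ALL=(root) NOPASSWD: /usr/bin/wg show all dump`. Two smaller documentation points in the same hunk: the new unit's `ExecStart=/usr/local/bin/prometheus-wireguard-exporter` uses a hyphenated binary name while the existing unit above it uses `/usr/local/bin/prometheus_wireguard_exporter`, so one of the two paths needs aligning, and the text does not say how the exporter is told to invoke `wg` through sudo rather than directly, which a reader following this section will need.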
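Review bot: In the first hunk, "It's necessary to run it as root or configure a sudo rule" now points at a sudo setup that is only described further down the README, so a short pointer such as "(see the hardened unit and sudo rule below)" would help, and the parenthetical "if there is a non-root way to call `wg show all dump` please let me know" reads oddly once a sudo-based non-root option is documented and could be reworded to ask for a way that needs no root at all. Minor grammar while the line is touched: "I recommend starting it as a service" rather than "I recommend to start it".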