From 9f69faf1fc30cd60bafc87f11e337c95b016ce44 Mon Sep 17 00:00:00 2001
From: thomas <12238590+thomasrahimi@users.noreply.github.com>
Date: Fri, 6 Mar 2026 10:35:05 +0100
Subject: [PATCH] Added restrictions to the systemd service example

Added restrictions to the systemd service example to increase runtime security of node_exporter on systemd enabled Linux systems. The options have been tested in my environment and are conformant to the documentation of the systemd project (cp. https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html?__goaway_challenge=meta-refresh&__goaway_id=6b170467973a444f062cf79f399a6a98)

Signed-off-by: thomas <12238590+thomasrahimi@users.noreply.github.com>
---
 examples/systemd/node_exporter.service | 39 ++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/examples/systemd/node_exporter.service b/examples/systemd/node_exporter.service
index 1ef24442d2..a4a5e7cae1 100644
--- a/examples/systemd/node_exporter.service
+++ b/examples/systemd/node_exporter.service
@@ -8,6 +8,45 @@
 User=node_exporter
 Environment=OPTIONS=
 EnvironmentFile=-/etc/sysconfig/node_exporter
 ExecStart=/usr/sbin/node_exporter --web.systemd-socket $OPTIONS
+ProtectClock=true
+ProtectHome=read-only
+ProtectSystem=true
+NoNewPrivileges=true
+MemoryDenyWriteExecute=true
+CapabilityBoundingSet=~CAP_KILL
+CapabilityBoundingSet=~CAP_SYS_MODULE
+CapabilityBoundingSet=~CAP_SYS_BOOT
+CapabilityBoundingSet=~CAP_SYSLOG
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND
+CapabilityBoundingSet=~CAP_SYS_PTRACE
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+CapabilityBoundingSet=~CAP_NET_ADMIN
+CapabilityBoundingSet=~CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=~CAP_NET_RAW
+CapabilityBoundingSet=~CAP_CHOWN
+CapabilityBoundingSet=~CAP_SETFCAP
+CapabilityBoundingSet=~CAP_SETUID
+CapabilityBoundingSet=~CAP_SETGID
+CapabilityBoundingSet=~CAP_SETPCAP
+CapabilityBoundingSet=~CAP_FSETID
+CapabilityBoundingSet=~CAP_NET_BROADCAST
+CapabilityBoundingSet=~CAP_BPF
+CapabilityBoundingSet=~CAP_SYS_RAWIO
+CapabilityBoundingSet=~CAP_SYS_PACCT
+ProtectHostname=true
+SystemCallFilter=~@mount
+SystemCallFilter=~@swap
+SystemCallFilter=~@debug
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@reboot
+SystemCallFilter=~@module
+SystemCallFilter=~@cpu-emulation
+PrivateTmp=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+SystemCallArchitectures=native
+RestrictSUIDSGID=true
 [Install]
 WantedBy=multi-user.target
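Review bot: The twenty `CapabilityBoundingSet=~CAP_*` lines form a deny list, so any capability not named (CAP_DAC_OVERRIDE, CAP_SYS_NICE, CAP_MKNOD and others) stays in the bounding set; because this unit already runs as `User=node_exporter` and receives its listening socket via `--web.systemd-socket`, it needs no capabilities at all, and the single empty assignment `CapabilityBoundingSet=` drops every one of them in one line. In the same spirit, `ProtectSystem=true` only makes /usr and /boot read-only while `ProtectSystem=strict` covers the whole hierarchy except /dev, /proc and /sys, and the `SystemCallFilter=~@…` lines are again a deny list where systemd's documentation recommends an allow list such as `SystemCallFilter=@system-service` for long-running services; both stricter forms should be checked against the collectors actually enabled (for example a textfile collector directory) before being adopted in the example. The `[Service]` section header that these directives belong to lies outside the hunk.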