aviallon/nixos-lib
1
0
Fork 0
mirror of https://github.com/aviallon/nixos-lib.git synced 2026-04-06 01:38:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

[Hardening] Add config option to enable hardcore hardening, and enable basic hardening by default

Browse source
This commit is contained in:
Antoine Viallon 2022-01-25 11:54:34 +01:00
parent 824e773310
commit 0a5045300e
Signed by: aviallon
GPG key ID: 186FC35EDEB25716
1 changed files with 44 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

51
hardening.nix
View file

@ -7,24 +7,32 @@ in
{ {
options.aviallon.hardening = { options.aviallon.hardening = {
enable = mkOption { enable = mkOption {
default = !desktopCfg.enable; # It usually conflicts with desktop use. default = true;
example = desktopCfg.enable; example = false;
description = "Enable aviallon's hardening"; description = "Enable aviallon's hardening";
type = types.bool; type = types.bool;
}; };
hardcore = mkOption {
default = !desktopCfg.enable;
example = desktopCfg.enable;
description = "Enable hardcore hardening, which might break things.";
type = types.bool;
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
# imports = [ # imports = [
# (modulesPath + "/profiles/hardened.nix") # (modulesPath + "/profiles/hardened.nix")
# ]; # ];
boot.kernelPackages = pkgs.linuxPackages_hardened; boot.kernelPackages = mkIf cfg.hardcore pkgs.linuxPackages_hardened;
security.lockKernelModules = mkOverride 500 true; security.lockKernelModules = mkIf cfg.hardcore (mkOverride 500 true);
security.protectKernelImage = mkOverride 500 false; # needed for kexec security.protectKernelImage = mkIf cfg.hardcore (mkOverride 500 false); # needed for kexec
security.apparmor.enable = true; security.apparmor.enable = true;
services.dbus.apparmor = "enabled"; services.dbus.apparmor = "enabled";
boot.kernelParams = [ boot.kernelParams = [
# Slab/slub sanity checks, redzoning, and poisoning # Slab/slub sanity checks, redzoning, and poisoning
"slub_debug=FZP" "slub_debug=FZP"
@ -34,6 +42,9 @@ in
# Enable page allocator randomization # Enable page allocator randomization
"page_alloc.shuffle=1" "page_alloc.shuffle=1"
# Apparmor https://wiki.archlinux.org/title/AppArmor#Installation
"lsm=landlock,lockdown,yama,apparmor,bpf"
]; ];
boot.kernel.sysctl = { boot.kernel.sysctl = {
@ -48,7 +59,7 @@ in
security.allowUserNamespaces = mkDefault true; security.allowUserNamespaces = mkDefault true;
boot.blacklistedKernelModules = mkForce [ ]; boot.blacklistedKernelModules = mkForce [ ];
nix.allowedUsers = [ "@wheel" ]; nix.allowedUsers = mkIf cfg.hardcore [ "@wheel" ];
security.audit.enable = true; security.audit.enable = true;
security.auditd.enable = true; security.auditd.enable = true;
@ -56,6 +67,32 @@ in
security.audit.rules = [ security.audit.rules = [
"-a exit,always -F arch=b64 -S execve" "-a exit,always -F arch=b64 -S execve"
]; ];
# systemd.services.udisks2.confinement.enable = true;
systemd.services.dbus.serviceConfig = {
# Hardening
CapabilityBoundingSet = [ "CAP_SETGID" "CAP_SETUID" "CAP_SETPCAP" "CAP_SYS_RESOURCE" "CAP_AUDIT_WRITE" ];
DeviceAllow = [ "/dev/null rw" "/dev/urandom r" ];
DevicePolicy = "strict";
IPAddressDeny = "any";
LimitMEMLOCK = 0;
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
ReadOnlyPaths = [ "-/" ];
RestrictAddressFamilies = [ "AF_UNIX" ];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@chown" "~@clock" "~@cpu-emulation" "~@debug" "~@module" "~@mount" "~@obsolete" "~@raw-io" "~@reboot" "~@resources" "~@swap" "~memfd_create" "~mincore" "~mlock" "~mlockall" "~personality" ];
UMask = "0077";
};
}; };
} }