[Hardening] More fine-grained hardening. Disable dbus hardening on HP Elitebook

Antoine Viallon 2022-02-08 12:04:23 +01:00
parent 3482fbb35f
commit 44ba32bab0
Signed by: aviallon
GPG key ID: 186FC35EDEB25716


@ -16,9 +16,25 @@ in
hardcore = mkOption { hardcore = mkOption {
default = !desktopCfg.enable; default = !desktopCfg.enable;
example = desktopCfg.enable; example = desktopCfg.enable;
description = "Enable hardcore hardening, which might break things."; description = "Enable hardcore hardening, which might break things. Forces expensive hardening.";
type = types.bool; type = types.bool;
}; };
expensive = mkOption {
default = cfg.hardcore || !desktopCfg.enable;
example = desktopCfg.enable;
description = "Enable expensive hardening option (reduces performance)";
type = types.bool;
};
services = {
dbus = mkOption rec {
default = cfg.hardcore;
example = !default;
description = "Enable dbus service hardening";
type = types.bool;
};
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -27,33 +43,35 @@ in
# ]; # ];
boot.kernelPackages = mkIf cfg.hardcore pkgs.linuxPackages_hardened; boot.kernelPackages = mkIf cfg.hardcore pkgs.linuxPackages_hardened;
security.lockKernelModules = mkIf cfg.hardcore (mkOverride 500 true); security.lockKernelModules = mkIf cfg.hardcore (mkOverride 500 true);
security.protectKernelImage = mkIf cfg.hardcore (mkOverride 500 false); # needed for kexec # security.protectKernelImage = mkIf cfg.hardcore (mkOverride 500 false); # needed for kexec
aviallon.hardening.expensive = mkForce cfg.hardcore;
security.apparmor.enable = true; security.apparmor.enable = true;
services.dbus.apparmor = "enabled"; services.dbus.apparmor = "enabled";
boot.kernelParams = [ boot.kernelParams = concatLists [
# Slab/slub sanity checks, redzoning, and poisoning # Slab/slub sanity checks, redzoning, and poisoning
"slub_debug=FZP" (optional cfg.expensive "slub_debug=FZP")
# Overwrite free'd memory # Overwrite free'd memory
"page_poison=1" (optional cfg.expensive "page_poison=1")
# Enable page allocator randomization # Enable page allocator randomization
"page_alloc.shuffle=1" [ "page_alloc.shuffle=1" ]
# Apparmor https://wiki.archlinux.org/title/AppArmor#Installation # Apparmor https://wiki.archlinux.org/title/AppArmor#Installation
"lsm=landlock,lockdown,yama,apparmor,bpf" (optional cfg.expensive "lsm=landlock,lockdown,yama,apparmor,bpf")
]; ];
boot.kernel.sysctl = { boot.kernel.sysctl = {
"kernel.yama.ptrace_scope" = lib.mkOverride 500 1; "kernel.yama.ptrace_scope" = mkOverride 500 1;
"kernel.kptr_restrict" = lib.mkOverride 500 2; "kernel.kptr_restrict" = mkOverride 500 2;
"net.core.bpf_jit_enable" = lib.mkOverride 500 false; "net.core.bpf_jit_enable" = mkIf cfg.expensive (mkOverride 500 false);
"kernel.ftrace_enabled" = lib.mkOverride 500 false; "kernel.ftrace_enabled" = mkOverride 500 false;
}; };
security.allowUserNamespaces = mkDefault true; security.allowUserNamespaces = mkDefault true;
@ -62,14 +80,14 @@ in
nix.allowedUsers = mkIf cfg.hardcore [ "@wheel" ]; nix.allowedUsers = mkIf cfg.hardcore [ "@wheel" ];
security.audit.enable = true; security.audit.enable = true;
security.auditd.enable = true; security.auditd.enable = mkIf cfg.expensive true;
security.audit.rules = [ security.audit.rules = concatLists [
"-a exit,always -F arch=b64 -S execve" (optional cfg.expensive "-a exit,always -F arch=b64 -S execve")
]; ];
systemd.services.dbus.serviceConfig = { systemd.services.dbus.serviceConfig = mkIf cfg.services.dbus {
# Hardening # Hardening
CapabilityBoundingSet = [ "CAP_SETGID" "CAP_SETUID" "CAP_SETPCAP" "CAP_SYS_RESOURCE" "CAP_AUDIT_WRITE" ]; CapabilityBoundingSet = [ "CAP_SETGID" "CAP_SETUID" "CAP_SETPCAP" "CAP_SYS_RESOURCE" "CAP_AUDIT_WRITE" ];
DeviceAllow = [ "/dev/null rw" "/dev/urandom r" ]; DeviceAllow = [ "/dev/null rw" "/dev/urandom r" ];