From ac8475706ecd471e59a7514dce6e200bd6dd0ff6 Mon Sep 17 00:00:00 2001
From: Guanran Wang
Date: Mon, 5 Feb 2024 13:42:06 +0800
Subject: [PATCH] nixos: apply more hardening

---
 .../common/core/hardening/default.nix | 5 +
 .../common/core/hardening/systemd.nix | 212 ++++++++++++++++++
 2 files changed, 217 insertions(+)
 create mode 100644 nixos/profiles/common/core/hardening/systemd.nix

diff --git a/nixos/profiles/common/core/hardening/default.nix b/nixos/profiles/common/core/hardening/default.nix
index b7a5438..1961e0b 100644
--- a/nixos/profiles/common/core/hardening/default.nix
+++ b/nixos/profiles/common/core/hardening/default.nix
@@ -4,6 +4,7 @@
 # ref: https://madaidans-insecurities.github.io/guides/linux-hardening.html
 imports = [
 ./sysctl.nix
+ ./systemd.nix
 ];

 environment.etc.machine-id.text = "b08dfa6083e7567a1921a715000001fb"; # whonix id
@@ -14,8 +15,12 @@
 boot.blacklistedKernelModules = [
 # Obscure network protocols
 "ax25"
+ "dccp"
 "netrom"
+ "rds"
 "rose"
+ "stcp"
+ "tipc"

 # Old or rare or insufficiently audited filesystems
 "adfs"
diff --git a/nixos/profiles/common/core/hardening/systemd.nix b/nixos/profiles/common/core/hardening/systemd.nix
new file mode 100644
index 0000000..72db39b
--- /dev/null
+++ b/nixos/profiles/common/core/hardening/systemd.nix
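Review bot: The new `"stcp"` entry in `boot.blacklistedKernelModules` does not name any kernel module — the SCTP protocol module is `sctp` — so that line is a silent no-op and SCTP stays loadable, defeating the stated intent of the "Obscure network protocols" group; change it to `"sctp"`. The list starts in this hunk but continues past its end. Note also that a modprobe `blacklist` entry only stops alias-based autoloading; if the goal is to make these protocols unloadable even on explicit request, the madaidans guide this file cites pairs it with `install <module> /bin/false` lines, which NixOS exposes through `boot.extraModprobeConfig` — worth confirming that is the intended strength here.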
@@ -0,0 +1,212 @@
+# Stolen from https://github.com/CPlusPatch/infra/blob/main/traits/hardening/systemd.nix
+{
+ systemd.services = {
+ NetworkManager.serviceConfig = {
+ RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK AF_PACKET AF_UNIX";
+ ProtectHome = true;
+ ProtectSystem = "strict";
+ ProtectProc = "invisible";
+ ReadWritePaths = "/etc -/proc/sys/net -/var/lib/NetworkManager/";
+ PrivateTmp = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ CapabilityBoundingSet = "~CAP_SYS_ADMIN CAP_SETUID CAP_SETGID CAP_SYS_CHROOT";
+ NoNewPrivileges = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallFilter = "@system-service @privileged";
+ SystemCallArchitectures = "native";
+ };
+
+ bluetooth.serviceConfig = {
+ RestrictAddressFamilies = "AF_UNIX AF_BLUETOOTH";
+ IPAddressDeny = "any";
+ ProtectSystem = "strict";
+ ReadWritePaths = "-/var/lib/bluetooth -/run/systemd/unit-root";
+ PrivateTmp = true;
+ ProtectProc = "ptraceable";
+ ProcSubset = "pid";
+ DevicePolicy = "closed";
+ DeviceAllow = ["/dev/rfkill rw" "/dev/uinput rw"];
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ NoNewPrivileges = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallFilter = ["@system-service" "~@resources @privileged"];
+ SystemCallArchitectures = "native";
+ };
+
+ cups.serviceConfig = {
+ RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK AF_UNIX";
+ IPAddressDeny = "any";
+ IPAddressAllow = ["localhost" "192.168.1.0/8" "172.16.1.0/8" "10.0.1.0/8"];
+ ProtectHome = true;
+ ProtectSystem = "strict";
+ ReadWritePaths = "/etc/cups /etc/printcap /var/cache/cups /var/spool/cups";
+ LogsDirectory = "cups";
+ RuntimeDirectory = "cups";
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ CapabilityBoundingSet = "CAP_CHOWN CAP_AUDIT_WRITE CAP_DAC_OVERRIDE CAP_FSETID CAP_KILL CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID";
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallFilter = "@system-service";
+ SystemCallArchitectures = "native";
+ };
+
+ systemd-networkd.serviceConfig = {
+ After = "apparmor.service systemd-udevd.service network-pre.target systemd-sysusers.service systemd-sysctl.service";
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ };
+
+ auditd.serviceConfig = {
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap";
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ };
+
+ NetworkManager-dispatcher.serviceConfig = {
+ ProtectHome = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap";
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ };
+
+ emergency.serviceConfig = {
+ ProtectHome = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ SystemCallFilter = "~@clock @cpu-emulation @obsolete @module @raw-io @swap";
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ };
+
+ logrotate.serviceConfig = {
+ ProtectHome = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap";
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ };
+
+ power-profiles-daemon.serviceConfig = {
+ ProtectHome = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @swap";
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ };
+
+ ncsd.serviceConfig = {
+ ProtectHome = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap";
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ };
+
+ reload-systemd-vconsole-setup.serviceConfig = {
+ ProtectHome = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap";
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ };
+
+ rescue.serviceConfig = {
+ ProtectHome = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap";
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ };
+ };
+}
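Review bot: The cups `IPAddressAllow` list uses the wrong prefix lengths — systemd masks each entry by its prefix, so `192.168.1.0/8` means all of 192.0.0.0/8 and `172.16.1.0/8` all of 172.0.0.0/8, both of which are largely public address space, so the allow list is far wider than the RFC 1918 ranges the values suggest and largely undoes `IPAddressDeny = "any"`. The intended blocks are `10.0.0.0/8`, `172.16.0.0/12` and `192.168.0.0/16`, i.e. `IPAddressAllow = ["localhost" "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"];`. Separately, `After = "…"` under `systemd-networkd.serviceConfig` is emitted into the `[Service]` section, where systemd does not accept it (it logs an unknown-key warning and ignores it); it belongs in `unitConfig.After` or NixOS' `after = [ … ]` list. The `ncsd` attribute also looks like a typo for `nscd`; if so, this defines an unrelated unit and the cache daemon itself receives none of the hardening — worth confirming against the unit names present on the host.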