From 8e5f8672521a8d92df33d5305e8a492af0baf593 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Sat, 11 Jan 2025 11:54:34 +0100 Subject: [PATCH] improve hardening rules --- flake.lock | 55 +++++++++++--------------------- hardening/opensnitch/default.nix | 7 ++-- hardening/systemd/cups.nix | 5 +-- hardening/systemd/default.nix | 6 ++-- hardening/systemd/nix-daemon.nix | 1 + 5 files changed, 31 insertions(+), 43 deletions(-) diff --git a/flake.lock b/flake.lock index 3b2daf8..dd14202 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1734971839, - "narHash": "sha256-LrhWr5Smmd1aFyK7OkTonrsaKYOOapxZd7hp4JPebXk=", + "lastModified": 1736590503, + "narHash": "sha256-w69DFuUM6F92rQMl5mcnsx9Zv7Pk8ozcLffIYfOa2LI=", "owner": "LordGrimmauld", "repo": "aa-alias-manager", - "rev": "813f7a2886c12086f896814816378d3ac6f39d6d", + "rev": "72da6960bac5f84804a2ea36a90dbd25ed1bbf93", "type": "github" }, "original": { @@ -140,11 +140,11 @@ ] }, "locked": { - "lastModified": 1736112920, - "narHash": "sha256-MME0HoMWJtk67vW4lop1eTK4//EXJB/hefo6+JbdHZs=", + "lastModified": 1736524793, + "narHash": "sha256-UEbNwGorRiNLtzhshxe/2J2BmwGI1cDCDhSYtY8qREU=", "owner": "chaotic-cx", "repo": "nyx", - "rev": "aa7b9944e164d9284939b78d05b8cf8df319a5d5", + "rev": "38844e9b3e17948a66b0dea0ce0bcc0355d6d876", "type": "github" }, "original": { @@ -342,11 +342,11 @@ ] }, "locked": { - "lastModified": 1736066484, - "narHash": "sha256-uTstP36WaFrw+TEHb8nLF14hFPzQBOhmIxzioHCDaL8=", + "lastModified": 1736421950, + "narHash": "sha256-RyrX0WFXxFrYvzHNLTIyuk3NcNl3UBykuYru/P0zW5E=", "owner": "nix-community", "repo": "home-manager", - "rev": "5ad12b6ea06b84e48f6b677957c74f32d47bdee0", + "rev": "d4aebb947a301b8da8654a804979a738c5c5da50", "type": "github" }, "original": { 
@@ -383,11 +383,11 @@ ] }, "locked": { - "lastModified": 1735931035, - "narHash": "sha256-f3WRxasPYVKzrvAlLq+/3FRHQVfxVf5xxf0WWwnO99k=", + "lastModified": 1736409493, + "narHash": "sha256-XezBEaGENmXgndx2gsVxQ0JoHUeQs9OSUZvVx/GDqyQ=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "7e530766a5fd9b7577296fedd655f3255f7495d8", + "rev": "9a958cc0aa5241ea3badf44a063a4b0389dc0110", "type": "github" }, "original": { @@ -536,22 +536,6 @@ "type": "indirect" } }, - "nixpkgs-stable": { - "locked": { - "lastModified": 1730741070, - "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, "pre-commit-hooks": { "inputs": { "flake-compat": "flake-compat", @@ -559,15 +543,14 @@ "nixpkgs": [ "aa-alias-manager", "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable" + ] }, "locked": { - "lastModified": 1732021966, - "narHash": "sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE=", + "lastModified": 1735882644, + "narHash": "sha256-3FZAG+pGt3OElQjesCAWeMkQ7C/nB1oTHLRQ8ceP110=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "3308484d1a443fc5bc92012435d79e80458fe43c", + "rev": "a5a961387e75ae44cc20f0a57ae463da5e959656", "type": "github" }, "original": { @@ -597,11 +580,11 @@ ] }, "locked": { - "lastModified": 1732674798, - "narHash": "sha256-oM1gjCv9R4zxDFO3as9wqQ4FI3+pDA9MKZ72L7tTIII=", + "lastModified": 1736572187, + "narHash": "sha256-it8mU8UkbaeVup7GpCI6n2cWPJ/O4U980CxKAMKUGF0=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "1d569430326b0a7807ccffdb2a188b814091976c", + "rev": "06871d5c5f78b0ae846c5758702531b4cabfab9b", "type": "github" }, "original": { diff --git a/hardening/opensnitch/default.nix b/hardening/opensnitch/default.nix index f1df335..2b8e6cb 100644 --- a/hardening/opensnitch/default.nix 
+++ b/hardening/opensnitch/default.nix @@ -43,13 +43,16 @@ in config = mkIf (enable && tooling.enable && network) { environment.systemPackages = optional graphical pkgs.opensnitch-ui; grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui; + networking.nftables.enable = true; + # security.audit.enable = true; + systemd.services.opensnitchd.path = lib.optional (config.services.opensnitch.settings.ProcMonitorMethod == "audit") pkgs.audit.bin; + services.opensnitch = { enable = true; settings = { DefaultAction = "deny"; - Firewall = "iptables"; - LogLevel = 1; + Firewall = if config.networking.nftables.enable then "nftables" else "iptables"; ProcMonitorMethod = "ftrace"; # ProcMonitorMethod = "audit"; }; diff --git a/hardening/systemd/cups.nix b/hardening/systemd/cups.nix index e758d2b..961cf9a 100644 --- a/hardening/systemd/cups.nix +++ b/hardening/systemd/cups.nix @@ -4,7 +4,7 @@ cups.serviceConfig = { CapabilityBoundingSet = [ - "CAP_LEASE CAP_MKNOD CAP_SYS_RAWIO CAP_SYS_RESOURCE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID" + "CAP_LEASE CAP_MKNOD CAP_SYS_RAWIO CAP_SYS_RESOURCE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN" ]; NoNewPrivileges = true; RestrictNamespaces = "pid"; @@ -15,10 +15,11 @@ MemoryDenyWriteExecute = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; - SystemCallFilter = "@system-service"; + SystemCallFilter = "@system-service @privileged"; LockPersonality = true; RestrictRealtime = true; ProtectProc = "invisible"; + ReadWritePaths = "/var/run/cups"; # PrivateUsers=true; PrivateNetwork = true; diff --git a/hardening/systemd/default.nix b/hardening/systemd/default.nix index b2e112c..b6593eb 100644 --- a/hardening/systemd/default.nix +++ b/hardening/systemd/default.nix 
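Review bot: The audit wiring added above `services.opensnitch` is inert and only half-wired: `systemd.services.opensnitchd.path` is gated on `ProcMonitorMethod == "audit"`, but the same attrset hard-codes `ProcMonitorMethod = "ftrace"`, so the `lib.optional` evaluates to `[ ]`, while `security.audit.enable` stays commented out. If the monitor method is later flipped to `"audit"`, opensnitchd gets the audit userspace tools on PATH but the kernel audit subsystem is still off, so the switch fails at runtime rather than at eval time. Gate the kernel side on the same condition so both flip together, `security.audit.enable = lib.mkIf (config.services.opensnitch.settings.ProcMonitorMethod == "audit") true;` (whether opensnitch's audit backend additionally needs auditd running should be confirmed against its documentation). Separately, `Firewall = if config.networking.nftables.enable then "nftables" else "iptables"` always yields `"nftables"` within this module because `networking.nftables.enable = true` is set unconditionally three lines earlier; either the hard-set or the conditional is redundant, and if the conditional is meant to survive a `mkForce false` from another module a one-line comment saying so would make that intent clear. Dropping `LogLevel = 1` also means the daemon falls back to its built-in default verbosity; if that is intentional, say so in a comment.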
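Review bot: `CAP_CHOWN` is added to cups's `CapabilityBoundingSet` without a comment recording which operation failed without it, unlike the other hardening notes in this file; a capability widening deserves a why-comment such as `# CAP_CHOWN: cupsd chowns spool/job files after forking — seen as EPERM in the journal` (adjusted to the actual failure observed). Style: the whole set is one space-separated string inside a one-element list, which systemd accepts but which turns every future capability change into a single-line diff that hides what moved; one element per capability (`"CAP_LEASE" "CAP_MKNOD" … "CAP_CHOWN"`) keeps each change reviewable on its own line. The enclosing `cups.serviceConfig` attrset continues outside the hunk.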
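Review bot: `SystemCallFilter = "@system-service @privileged"` gives up most of this unit's seccomp hardening to fix what is probably a single denied syscall: per the set definitions in systemd.exec(5), `@privileged` pulls in `@module`, `@raw-io`, `@reboot`, `@swap`, `@clock` and the chroot/namespace/setgroups calls, while `@chown` and `@setuid` are already members of `@system-service`, so the `CAP_CHOWN` change in the hunk above would not by itself have required it. Identify the denied call from the journal's SECCOMP audit record (or `systemd-analyze syscall-filter`) and allow only that group; given `CAP_SYS_RAWIO` is in the bounding set, `@raw-io` is the likely candidate, i.e. `SystemCallFilter = "@system-service @raw-io";`. `ReadWritePaths = "/var/run/cups"` names the `/var/run` compatibility symlink; prefer the canonical `/run/cups`, and note the directive only has an effect if `ProtectSystem = "strict"` or a covering `ReadOnlyPaths` is set elsewhere in this attrset, which starts outside the hunk — worth confirming it is not a no-op.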
@@ -49,11 +49,11 @@ in # LockPersonality = mkIf shouldMakeIntrusive (mkDefault true); # UH OH THIS ONE IS ROUGH! } // (lib.optionalAttrs shouldMakeIntrusive { - PrivateTmp = mkDefault true; + # PrivateTmp = mkDefault true; # NoNewPrivileges = mkIf shouldMakeIntrusive (mkDefault true); # TODO: this one is quite radical # SystemCallFilter = mkIf shouldMakeIntrusive (mkDefault "@system-service"); - ProtectKernelLogs = mkIf shouldMakeIntrusive (mkDefault true); - # SystemCallArchitectures = mkIf shouldMakeIntrusive (mkDefault "native"); + # ProtectKernelLogs = mkIf shouldMakeIntrusive (mkDefault true); + SystemCallArchitectures = mkIf shouldMakeIntrusive (mkDefault "native"); }) ); } diff --git a/hardening/systemd/nix-daemon.nix b/hardening/systemd/nix-daemon.nix index 0798174..09c1dee 100644 --- a/hardening/systemd/nix-daemon.nix +++ b/hardening/systemd/nix-daemon.nix @@ -15,6 +15,7 @@ "AF_UNIX" "AF_INET" "AF_INET6" + "AF_NETLINK" # needed for some checks ]; # needed to download sources and caches RestrictNamespaces = [ "user"
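Review bot: Commenting out `PrivateTmp` and `ProtectKernelLogs` here drops both defaults for every service that opts into `shouldMakeIntrusive`, not just whichever unit broke, and neither line records why — the adjacent `LockPersonality` comment at least says it was rough. Because these are `mkDefault`, a per-service override is the least-privilege fix: keep `PrivateTmp = mkDefault true;` and `ProtectKernelLogs = mkDefault true;` in this shared block and set `PrivateTmp = false;` (a plain assignment overrides `mkDefault`) in the one service file that needs a shared /tmp or kernel-log access, with a comment naming the breakage. Style: the newly enabled `SystemCallArchitectures = mkIf shouldMakeIntrusive (mkDefault "native")` already sits inside `lib.optionalAttrs shouldMakeIntrusive`, so the inner `mkIf` is redundant; `SystemCallArchitectures = mkDefault "native";` matches how `PrivateTmp` was written. The enclosing `let … in` expression and its attrset start outside the hunk.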