improve hardening rules

This commit is contained in:
Grimmauld 2025-01-11 11:54:34 +01:00
parent 68529879d2
commit 8e5f867252
No known key found for this signature in database
5 changed files with 31 additions and 43 deletions


@ -10,11 +10,11 @@
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1734971839, "lastModified": 1736590503,
"narHash": "sha256-LrhWr5Smmd1aFyK7OkTonrsaKYOOapxZd7hp4JPebXk=", "narHash": "sha256-w69DFuUM6F92rQMl5mcnsx9Zv7Pk8ozcLffIYfOa2LI=",
"owner": "LordGrimmauld", "owner": "LordGrimmauld",
"repo": "aa-alias-manager", "repo": "aa-alias-manager",
"rev": "813f7a2886c12086f896814816378d3ac6f39d6d", "rev": "72da6960bac5f84804a2ea36a90dbd25ed1bbf93",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -140,11 +140,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1736112920, "lastModified": 1736524793,
"narHash": "sha256-MME0HoMWJtk67vW4lop1eTK4//EXJB/hefo6+JbdHZs=", "narHash": "sha256-UEbNwGorRiNLtzhshxe/2J2BmwGI1cDCDhSYtY8qREU=",
"owner": "chaotic-cx", "owner": "chaotic-cx",
"repo": "nyx", "repo": "nyx",
"rev": "aa7b9944e164d9284939b78d05b8cf8df319a5d5", "rev": "38844e9b3e17948a66b0dea0ce0bcc0355d6d876",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -342,11 +342,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1736066484, "lastModified": 1736421950,
"narHash": "sha256-uTstP36WaFrw+TEHb8nLF14hFPzQBOhmIxzioHCDaL8=", "narHash": "sha256-RyrX0WFXxFrYvzHNLTIyuk3NcNl3UBykuYru/P0zW5E=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "5ad12b6ea06b84e48f6b677957c74f32d47bdee0", "rev": "d4aebb947a301b8da8654a804979a738c5c5da50",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -383,11 +383,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1735931035, "lastModified": 1736409493,
"narHash": "sha256-f3WRxasPYVKzrvAlLq+/3FRHQVfxVf5xxf0WWwnO99k=", "narHash": "sha256-XezBEaGENmXgndx2gsVxQ0JoHUeQs9OSUZvVx/GDqyQ=",
"owner": "Jovian-Experiments", "owner": "Jovian-Experiments",
"repo": "Jovian-NixOS", "repo": "Jovian-NixOS",
"rev": "7e530766a5fd9b7577296fedd655f3255f7495d8", "rev": "9a958cc0aa5241ea3badf44a063a4b0389dc0110",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -536,22 +536,6 @@
"type": "indirect" "type": "indirect"
} }
}, },
"nixpkgs-stable": {
"locked": {
"lastModified": 1730741070,
"narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"pre-commit-hooks": { "pre-commit-hooks": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
@ -559,15 +543,14 @@
"nixpkgs": [ "nixpkgs": [
"aa-alias-manager", "aa-alias-manager",
"nixpkgs" "nixpkgs"
], ]
"nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1732021966, "lastModified": 1735882644,
"narHash": "sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE=", "narHash": "sha256-3FZAG+pGt3OElQjesCAWeMkQ7C/nB1oTHLRQ8ceP110=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "3308484d1a443fc5bc92012435d79e80458fe43c", "rev": "a5a961387e75ae44cc20f0a57ae463da5e959656",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -597,11 +580,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1732674798, "lastModified": 1736572187,
"narHash": "sha256-oM1gjCv9R4zxDFO3as9wqQ4FI3+pDA9MKZ72L7tTIII=", "narHash": "sha256-it8mU8UkbaeVup7GpCI6n2cWPJ/O4U980CxKAMKUGF0=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "1d569430326b0a7807ccffdb2a188b814091976c", "rev": "06871d5c5f78b0ae846c5758702531b4cabfab9b",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -43,13 +43,16 @@ in
config = mkIf (enable && tooling.enable && network) { config = mkIf (enable && tooling.enable && network) {
environment.systemPackages = optional graphical pkgs.opensnitch-ui; environment.systemPackages = optional graphical pkgs.opensnitch-ui;
grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui; grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui;
networking.nftables.enable = true;
# security.audit.enable = true;
systemd.services.opensnitchd.path = lib.optional (config.services.opensnitch.settings.ProcMonitorMethod == "audit") pkgs.audit.bin;
services.opensnitch = { services.opensnitch = {
enable = true; enable = true;
settings = { settings = {
DefaultAction = "deny"; DefaultAction = "deny";
Firewall = "iptables"; Firewall = if config.networking.nftables.enable then "nftables" else "iptables";
LogLevel = 1;
ProcMonitorMethod = "ftrace"; ProcMonitorMethod = "ftrace";
# ProcMonitorMethod = "audit"; # ProcMonitorMethod = "audit";
}; };
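Review bot: The audit wiring on the `systemd.services.opensnitchd.path` line is only half of what the "audit" monitor method needs: it puts `pkgs.audit.bin` on the unit's PATH when `ProcMonitorMethod == "audit"`, but `security.audit.enable` stays commented out directly above it, so flipping the setting to "audit" would, as far as I can tell, leave opensnitch with the tools but no audit daemon to read events from. A comment on that line would save the next reader the surprise, e.g. `# "audit" backend also needs security.audit.enable = true (still commented out above)`. `LogLevel = 1;` is likewise undocumented; a short comment naming the level it selects would help, since the numeric scale is not obvious from here. The `Firewall` expression now follows `config.networking.nftables.enable`, which this same block sets to true, so the "iptables" branch is only reachable if something else forces nftables off; worth a comment so it is not read as dead code.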


@ -4,7 +4,7 @@
cups.serviceConfig = { cups.serviceConfig = {
CapabilityBoundingSet = [ CapabilityBoundingSet = [
"CAP_LEASE CAP_MKNOD CAP_SYS_RAWIO CAP_SYS_RESOURCE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID" "CAP_LEASE CAP_MKNOD CAP_SYS_RAWIO CAP_SYS_RESOURCE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN"
]; ];
NoNewPrivileges = true; NoNewPrivileges = true;
RestrictNamespaces = "pid"; RestrictNamespaces = "pid";
@ -15,10 +15,11 @@
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = "@system-service"; SystemCallFilter = "@system-service @privileged";
LockPersonality = true; LockPersonality = true;
RestrictRealtime = true; RestrictRealtime = true;
ProtectProc = "invisible"; ProtectProc = "invisible";
ReadWritePaths = "/var/run/cups";
# PrivateUsers=true; # PrivateUsers=true;
PrivateNetwork = true; PrivateNetwork = true;
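Review bot: `SystemCallFilter = "@system-service @privileged"` in the second hunk widens the seccomp allowlist well beyond the CAP_CHOWN added to CapabilityBoundingSet in the first hunk: `@privileged` also admits module loading, raw I/O, reboot and swap calls among others, leaving the capability bounding set as the only barrier for those. If chown plus the existing setuid/setgid are what cups actually needs, the narrower groups express exactly that: `SystemCallFilter = "@system-service @chown @setuid";`. `ReadWritePaths = "/var/run/cups"` only relaxes something if the unit also has ProtectSystem= or ReadOnlyPaths= restricting that path, which is not visible in this hunk, so a comment naming the setting it is carving an exception out of would help. The serviceConfig attrset starts before the first hunk.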


@ -49,11 +49,11 @@ in
# LockPersonality = mkIf shouldMakeIntrusive (mkDefault true); # UH OH THIS ONE IS ROUGH! # LockPersonality = mkIf shouldMakeIntrusive (mkDefault true); # UH OH THIS ONE IS ROUGH!
} }
// (lib.optionalAttrs shouldMakeIntrusive { // (lib.optionalAttrs shouldMakeIntrusive {
PrivateTmp = mkDefault true; # PrivateTmp = mkDefault true;
# NoNewPrivileges = mkIf shouldMakeIntrusive (mkDefault true); # TODO: this one is quite radical # NoNewPrivileges = mkIf shouldMakeIntrusive (mkDefault true); # TODO: this one is quite radical
# SystemCallFilter = mkIf shouldMakeIntrusive (mkDefault "@system-service"); # SystemCallFilter = mkIf shouldMakeIntrusive (mkDefault "@system-service");
ProtectKernelLogs = mkIf shouldMakeIntrusive (mkDefault true); # ProtectKernelLogs = mkIf shouldMakeIntrusive (mkDefault true);
# SystemCallArchitectures = mkIf shouldMakeIntrusive (mkDefault "native"); SystemCallArchitectures = mkIf shouldMakeIntrusive (mkDefault "native");
}) })
); );
} }
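Review bot: Both lines that are now commented out (`PrivateTmp` and `ProtectKernelLogs`) carry no reason, unlike the neighbouring `LockPersonality` and `NoNewPrivileges` lines, so a later reader cannot tell which unit broke or whether it is safe to re-enable them; a trailing note such as `# disabled: broke <unit name — TODO record>` on each would keep that knowledge in the file. The newly enabled `SystemCallArchitectures = mkIf shouldMakeIntrusive (mkDefault "native");` sits inside `lib.optionalAttrs shouldMakeIntrusive { … }`, so the inner `mkIf shouldMakeIntrusive` is redundant and `SystemCallArchitectures = mkDefault "native";` says the same thing. The enclosing expression begins before this hunk.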


@ -15,6 +15,7 @@
"AF_UNIX" "AF_UNIX"
"AF_INET" "AF_INET"
"AF_INET6" "AF_INET6"
"AF_NETLINK" # needed for some checks
]; # needed to download sources and caches ]; # needed to download sources and caches
RestrictNamespaces = [ RestrictNamespaces = [
"user" "user"
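Review bot: The comment on the added `"AF_NETLINK"` entry, "needed for some checks", does not say which check, which is exactly what a reviewer needs in order to judge whether opening this family is justified, since AF_NETLINK covers far more than address lookups. If this is the usual case of glibc's getaddrinfo opening a NETLINK_ROUTE socket to enumerate interfaces, say so: `"AF_NETLINK" # getaddrinfo enumerates interfaces via NETLINK_ROUTE; TODO confirm which check triggered this`. The list this entry belongs to is declared before the hunk, so its option name is not visible here.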