improve hardening rules

This commit is contained in:
Grimmauld 2025-01-11 11:54:34 +01:00
parent 68529879d2
commit 8e5f867252
No known key found for this signature in database
5 changed files with 31 additions and 43 deletions


@ -10,11 +10,11 @@
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1734971839,
"narHash": "sha256-LrhWr5Smmd1aFyK7OkTonrsaKYOOapxZd7hp4JPebXk=",
"lastModified": 1736590503,
"narHash": "sha256-w69DFuUM6F92rQMl5mcnsx9Zv7Pk8ozcLffIYfOa2LI=",
"owner": "LordGrimmauld",
"repo": "aa-alias-manager",
"rev": "813f7a2886c12086f896814816378d3ac6f39d6d",
"rev": "72da6960bac5f84804a2ea36a90dbd25ed1bbf93",
"type": "github"
},
"original": {
@ -140,11 +140,11 @@
]
},
"locked": {
"lastModified": 1736112920,
"narHash": "sha256-MME0HoMWJtk67vW4lop1eTK4//EXJB/hefo6+JbdHZs=",
"lastModified": 1736524793,
"narHash": "sha256-UEbNwGorRiNLtzhshxe/2J2BmwGI1cDCDhSYtY8qREU=",
"owner": "chaotic-cx",
"repo": "nyx",
"rev": "aa7b9944e164d9284939b78d05b8cf8df319a5d5",
"rev": "38844e9b3e17948a66b0dea0ce0bcc0355d6d876",
"type": "github"
},
"original": {
@ -342,11 +342,11 @@
]
},
"locked": {
"lastModified": 1736066484,
"narHash": "sha256-uTstP36WaFrw+TEHb8nLF14hFPzQBOhmIxzioHCDaL8=",
"lastModified": 1736421950,
"narHash": "sha256-RyrX0WFXxFrYvzHNLTIyuk3NcNl3UBykuYru/P0zW5E=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "5ad12b6ea06b84e48f6b677957c74f32d47bdee0",
"rev": "d4aebb947a301b8da8654a804979a738c5c5da50",
"type": "github"
},
"original": {
@ -383,11 +383,11 @@
]
},
"locked": {
"lastModified": 1735931035,
"narHash": "sha256-f3WRxasPYVKzrvAlLq+/3FRHQVfxVf5xxf0WWwnO99k=",
"lastModified": 1736409493,
"narHash": "sha256-XezBEaGENmXgndx2gsVxQ0JoHUeQs9OSUZvVx/GDqyQ=",
"owner": "Jovian-Experiments",
"repo": "Jovian-NixOS",
"rev": "7e530766a5fd9b7577296fedd655f3255f7495d8",
"rev": "9a958cc0aa5241ea3badf44a063a4b0389dc0110",
"type": "github"
},
"original": {
@ -536,22 +536,6 @@
"type": "indirect"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1730741070,
"narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat",
@ -559,15 +543,14 @@
"nixpkgs": [
"aa-alias-manager",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
]
},
"locked": {
"lastModified": 1732021966,
"narHash": "sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE=",
"lastModified": 1735882644,
"narHash": "sha256-3FZAG+pGt3OElQjesCAWeMkQ7C/nB1oTHLRQ8ceP110=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "3308484d1a443fc5bc92012435d79e80458fe43c",
"rev": "a5a961387e75ae44cc20f0a57ae463da5e959656",
"type": "github"
},
"original": {
@ -597,11 +580,11 @@
]
},
"locked": {
"lastModified": 1732674798,
"narHash": "sha256-oM1gjCv9R4zxDFO3as9wqQ4FI3+pDA9MKZ72L7tTIII=",
"lastModified": 1736572187,
"narHash": "sha256-it8mU8UkbaeVup7GpCI6n2cWPJ/O4U980CxKAMKUGF0=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "1d569430326b0a7807ccffdb2a188b814091976c",
"rev": "06871d5c5f78b0ae846c5758702531b4cabfab9b",
"type": "github"
},
"original": {


@ -43,13 +43,16 @@ in
config = mkIf (enable && tooling.enable && network) {
environment.systemPackages = optional graphical pkgs.opensnitch-ui;
grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui;
networking.nftables.enable = true;
# security.audit.enable = true;
systemd.services.opensnitchd.path = lib.optional (config.services.opensnitch.settings.ProcMonitorMethod == "audit") pkgs.audit.bin;
services.opensnitch = {
enable = true;
settings = {
DefaultAction = "deny";
Firewall = "iptables";
LogLevel = 1;
Firewall = if config.networking.nftables.enable then "nftables" else "iptables";
ProcMonitorMethod = "ftrace";
# ProcMonitorMethod = "audit";
};
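Review bot: The new `systemd.services.opensnitchd.path` line is guarded by `config.services.opensnitch.settings.ProcMonitorMethod == "audit"`, but the same block pins `ProcMonitorMethod = "ftrace";`, so the guard only fires when another module overrides the method, and nothing in the hunk says that this is the intent; the commented `# security.audit.enable = true;` and `# ProcMonitorMethod = "audit";` leftovers hint at it without recording it. A comment such as `# audit monitoring also needs security.audit.enable; only ftrace is active in this module` in place of the two commented-out lines would keep that knowledge. The `Firewall` expression likewise always resolves to "nftables" given `networking.nftables.enable = true;` two lines above unless that option is forced off elsewhere, which deserves a one-line comment. The enclosing `config = mkIf … {` attrset continues past the hunk.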


@ -4,7 +4,7 @@
cups.serviceConfig = {
CapabilityBoundingSet = [
"CAP_LEASE CAP_MKNOD CAP_SYS_RAWIO CAP_SYS_RESOURCE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID"
"CAP_LEASE CAP_MKNOD CAP_SYS_RAWIO CAP_SYS_RESOURCE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN"
];
NoNewPrivileges = true;
RestrictNamespaces = "pid";
@ -15,10 +15,11 @@
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
SystemCallFilter = "@system-service @privileged";
LockPersonality = true;
RestrictRealtime = true;
ProtectProc = "invisible";
ReadWritePaths = "/var/run/cups";
# PrivateUsers=true;
PrivateNetwork = true;
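Review bot: `SystemCallFilter = "@system-service @privileged";` in the second hunk admits the whole `@privileged` group (chown, module loading, raw I/O, reboot, swap, set*uid transitions and more), which gives back most of what the filter was denying; if the trigger was the `CAP_CHOWN` added to `CapabilityBoundingSet` in the first hunk, the narrower `@chown` group (plus `@setuid` only if the filter/backend privilege drops turn out to need it) covers that. Suggested line: `SystemCallFilter = "@system-service @chown @setuid";`, to be confirmed against the actual seccomp denials in the journal rather than assumed. The commented `# PrivateUsers=true;` left in the hunk should either carry the reason it is off or be removed. Both hunk headers count one more line than is rendered here, so the service block may continue beyond what is shown.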


@ -49,11 +49,11 @@ in
# LockPersonality = mkIf shouldMakeIntrusive (mkDefault true); # UH OH THIS ONE IS ROUGH!
}
// (lib.optionalAttrs shouldMakeIntrusive {
PrivateTmp = mkDefault true;
# PrivateTmp = mkDefault true;
# NoNewPrivileges = mkIf shouldMakeIntrusive (mkDefault true); # TODO: this one is quite radical
# SystemCallFilter = mkIf shouldMakeIntrusive (mkDefault "@system-service");
ProtectKernelLogs = mkIf shouldMakeIntrusive (mkDefault true);
# SystemCallArchitectures = mkIf shouldMakeIntrusive (mkDefault "native");
# ProtectKernelLogs = mkIf shouldMakeIntrusive (mkDefault true);
SystemCallArchitectures = mkIf shouldMakeIntrusive (mkDefault "native");
})
);
}
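Review bot: Inside `lib.optionalAttrs shouldMakeIntrusive { … }` the new `SystemCallArchitectures = mkIf shouldMakeIntrusive (mkDefault "native");` re-tests the condition the attrset is already gated on; `SystemCallArchitectures = mkDefault "native";` is equivalent and easier to read, and the same applies to the commented `NoNewPrivileges`/`SystemCallFilter` lines if they are ever re-enabled. Dropping `PrivateTmp` and `ProtectKernelLogs` leaves no trace of why, unlike the neighbouring `LockPersonality` and `NoNewPrivileges` comments that record their reason; a note like `# PrivateTmp = mkDefault true; # TODO(review): disabled because it broke <which service?>` would keep that knowledge for the next hardening pass. The enclosing attrset starts before the hunk.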


@ -15,6 +15,7 @@
"AF_UNIX"
"AF_INET"
"AF_INET6"
"AF_NETLINK" # needed for some checks
]; # needed to download sources and caches
RestrictNamespaces = [
"user"
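Review bot: The comment on `"AF_NETLINK" # needed for some checks` does not say which check, so the next person auditing `RestrictAddressFamilies` cannot tell whether the exception is still required; netlink also carries routing and socket-diagnostic traffic, so it widens the sandbox beyond the IPv4/IPv6/Unix sockets the rest of the list allows. Naming the tool or call that failed without it, e.g. `"AF_NETLINK" # needed by <which tool/check?> — <log or issue ref>`, would make the exception reviewable and removable later. The surrounding attrset and the service it configures are outside the hunk.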