From cf98a8a2212f168f2bc81d3844faf4a8efc8acb4 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Tue, 7 Jan 2025 11:31:43 +0100 Subject: [PATCH] more sysd hardening --- hardening/systemd/NetworkManager.nix | 10 +++--- hardening/systemd/acpid.nix | 17 +++++----- hardening/systemd/ask-password.nix | 41 ++++++++++++++++++++++++ hardening/systemd/auditd.nix | 9 +++--- hardening/systemd/bluetooth.nix | 46 +++++++++++++++++++++++++++ hardening/systemd/cups.nix | 19 +++++------ hardening/systemd/default.nix | 18 ++++------- hardening/systemd/global/clock.nix | 37 +++++++++++++++++++++ hardening/systemd/global/default.nix | 6 ++++ hardening/systemd/global/hostname.nix | 29 +++++++++++++++++ hardening/systemd/tty.nix | 32 +++++++++++++++++++ hardening/systemd/wpa_supplicant.nix | 5 ++- 12 files changed, 225 insertions(+), 44 deletions(-) create mode 100644 hardening/systemd/ask-password.nix create mode 100644 hardening/systemd/bluetooth.nix create mode 100644 hardening/systemd/global/clock.nix create mode 100644 hardening/systemd/global/default.nix create mode 100644 hardening/systemd/global/hostname.nix create mode 100644 hardening/systemd/tty.nix diff --git a/hardening/systemd/NetworkManager.nix b/hardening/systemd/NetworkManager.nix index bd18efa..a1b4c45 100644 --- a/hardening/systemd/NetworkManager.nix +++ b/hardening/systemd/NetworkManager.nix @@ -25,9 +25,8 @@ # PrivateUsers = true; # BAD # ProtectKernelTunables = true; # BAD - ProtectHostname=true; - ProcSubset="pid"; - ProtectSystem=true; + ProcSubset = "pid"; + ProtectSystem = true; }; NetworkManager-dispatcher.serviceConfig = { @@ -55,9 +54,8 @@ # PrivateUsers = true; # BAD # ProtectKernelTunables = true; # BAD - ProtectHostname=true; - ProcSubset="pid"; - ProtectSystem=true; + ProcSubset = "pid"; + ProtectSystem = true; }; }; } diff --git a/hardening/systemd/acpid.nix b/hardening/systemd/acpid.nix index 2b5f259..bc5ca16 100644 --- a/hardening/systemd/acpid.nix +++ b/hardening/systemd/acpid.nix 
@@ -3,8 +3,8 @@ config.systemd.services = lib.mkIf (config.specialisation != { }) { acpid.serviceConfig = { CapabilityBoundingSet = [ - "" - ]; + "" + ]; NoNewPrivileges = true; RestrictNamespaces = "pid"; ProtectControlGroups = true; @@ -15,13 +15,12 @@ SystemCallArchitectures = "native"; SystemCallFilter = "@system-service"; LockPersonality = true; - ProtectHostname=true; - ProtectSystem=true; - PrivateUsers=true; - PrivateNetwork=true; - RestrictRealtime=true; - IPAddressAllow=[]; - RestrictAddressFamilies="AF_NETLINK AF_UNIX"; + ProtectSystem = true; + PrivateUsers = true; + PrivateNetwork = true; + RestrictRealtime = true; + IPAddressAllow = [ ]; + RestrictAddressFamilies = "AF_NETLINK AF_UNIX"; }; }; } diff --git a/hardening/systemd/ask-password.nix b/hardening/systemd/ask-password.nix new file mode 100644 index 0000000..249c1dc --- /dev/null +++ b/hardening/systemd/ask-password.nix @@ -0,0 +1,41 @@ +{ lib, config, ... }: +{ + config.systemd.services = lib.mkIf (config.specialisation != { }) { + systemd-ask-password-console.serviceConfig = { + CapabilityBoundingSet = [ + "" + ]; + NoNewPrivileges = true; + RestrictNamespaces = "pid"; + ProtectControlGroups = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + MemoryDenyWriteExecute = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "@system-service"; + LockPersonality = true; + RestrictRealtime = true; + ProtectProc = "invisible"; + PrivateUsers = true; + }; + systemd-ask-password-wall.serviceConfig = { + CapabilityBoundingSet = [ + "" + ]; + NoNewPrivileges = true; + RestrictNamespaces = "pid"; + ProtectControlGroups = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + MemoryDenyWriteExecute = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "@system-service"; + LockPersonality = true; + RestrictRealtime = true; + ProtectProc = "invisible"; + PrivateUsers = true; + }; + }; +} 
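Review bot: systemd-ask-password-wall gets an empty CapabilityBoundingSet plus `PrivateUsers = true`, yet the wall agent has to write the prompt onto every logged-in user's tty, which it presumably cannot do without owning those devices or holding CAP_DAC_OVERRIDE, and the console agent has the same question for /dev/console. A password prompt that silently never appears (a LUKS or service password request at boot) is a worse outcome than an unsandboxed agent, so both units should be exercised with a real systemd-ask-password request and the result recorded, e.g. `# tested: prompts still reach /dev/console and user ttys`. Independently, the two serviceConfig blocks here (and the two in bluetooth.nix) are byte-identical; binding the attribute set once in a `let common = { ... }; in` and assigning it to both services keeps them from drifting apart.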
diff --git a/hardening/systemd/auditd.nix b/hardening/systemd/auditd.nix index 4d650c7..2228b67 100644 --- a/hardening/systemd/auditd.nix +++ b/hardening/systemd/auditd.nix @@ -12,13 +12,12 @@ SystemCallArchitectures = "native"; SystemCallFilter = "@system-service"; LockPersonality = true; - ProtectHostname=true; - ProtectSystem=true; + ProtectSystem = true; # PrivateUsers=true; # PrivateNetwork=true; - RestrictRealtime=true; - IPAddressAllow=[]; - RestrictAddressFamilies="AF_NETLINK"; + RestrictRealtime = true; + IPAddressAllow = [ ]; + RestrictAddressFamilies = "AF_NETLINK"; }; }; } diff --git a/hardening/systemd/bluetooth.nix b/hardening/systemd/bluetooth.nix new file mode 100644 index 0000000..a8aab2a --- /dev/null +++ b/hardening/systemd/bluetooth.nix @@ -0,0 +1,46 @@ +{ lib, config, ... }: +{ + config.systemd.services = lib.mkIf (config.specialisation != { }) { + bluetooth.serviceConfig = { + CapabilityBoundingSet = [ + "" + ]; + NoNewPrivileges = true; + RestrictNamespaces = "pid"; + + ProtectControlGroups = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + MemoryDenyWriteExecute = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "@system-service"; + LockPersonality = true; + RestrictRealtime = true; + ProtectProc = "invisible"; + + PrivateUsers = true; + }; + + blueman-mechanism.serviceConfig = { + CapabilityBoundingSet = [ + "" + ]; + NoNewPrivileges = true; + RestrictNamespaces = "pid"; + + ProtectControlGroups = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + MemoryDenyWriteExecute = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "@system-service"; + LockPersonality = true; + RestrictRealtime = true; + ProtectProc = "invisible"; + + PrivateUsers = true; + }; + }; +} diff --git a/hardening/systemd/cups.nix b/hardening/systemd/cups.nix index bf75cbc..e758d2b 100644 --- a/hardening/systemd/cups.nix 
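Review bot: bluetooth.serviceConfig drops every capability (`CapabilityBoundingSet = [ "" ]`) and adds `PrivateUsers = true`, but bluetoothd controls the adapter through AF_BLUETOOTH management sockets, which ordinarily needs CAP_NET_ADMIN; upstream's bluetooth.service keeps CAP_NET_ADMIN and CAP_NET_BIND_SERVICE, and a user namespace would not grant those on the host anyway. If the adapter still powers on and pairs under this unit, say so in a comment; otherwise the likely minimal set is `CapabilityBoundingSet = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" ];` without PrivateUsers, mirroring the `# PrivateUsers = true; # BAD` finding already recorded in NetworkManager.nix. RestrictAddressFamilies is also left unset for both services; listing the families actually used (presumably AF_UNIX and AF_BLUETOOTH) would close the remaining socket surface, with the same caveat that it be tested first.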
+++ b/hardening/systemd/cups.nix @@ -2,12 +2,13 @@ { config.systemd.services = lib.mkIf (config.specialisation != { }) { cups.serviceConfig = { - #CapabilityBoundingSet = [ - # "" - #]; + + CapabilityBoundingSet = [ + "CAP_LEASE CAP_MKNOD CAP_SYS_RAWIO CAP_SYS_RESOURCE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID" + ]; NoNewPrivileges = true; RestrictNamespaces = "pid"; - + ProtectControlGroups = true; ProtectKernelModules = true; ProtectKernelTunables = true; @@ -16,12 +17,12 @@ SystemCallArchitectures = "native"; SystemCallFilter = "@system-service"; LockPersonality = true; - ProtectHostname=true; - RestrictRealtime=true; - + RestrictRealtime = true; + ProtectProc = "invisible"; + # PrivateUsers=true; - # PrivateNetwork=true; - # RestrictAddressFamilies="AF_UNIX"; + PrivateNetwork = true; + RestrictAddressFamilies = "AF_UNIX"; # ProtectSystem=true; }; }; diff --git a/hardening/systemd/default.nix b/hardening/systemd/default.nix index 9422df7..c6400cc 100644 --- a/hardening/systemd/default.nix +++ b/hardening/systemd/default.nix @@ -18,6 +18,11 @@ in ./auditd.nix ./acpid.nix ./cups.nix + ./bluetooth.nix + ./tty.nix + ./ask-password.nix + + ./global ]; options.systemd.services = lib.mkOption { @@ -38,8 +43,6 @@ in mkIf (osConfig.specialisation != { }) ( { ProtectHome = mkDefault true; - ProtectClock = mkDefault true; - # ProtectHostname = mkDefault true; # LockPersonality = mkIf shouldMakeIntrusive (mkDefault true); # UH OH THIS ONE IS ROUGH! } // (lib.optionalAttrs shouldMakeIntrusive { @@ -65,6 +68,7 @@ in sshd.serviceConfig.ProtectHome = false; display-manager.serviceConfig.ProtectHome = "read-only"; dbus-broker.serviceConfig.ProtectHome = "read-only"; + systemd-logind.serviceConfig.ProtectHome = false; nix-daemon.serviceConfig.ProtectHome = false; 
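Review bot: The new CapabilityBoundingSet for cups grants CAP_NET_BIND_SERVICE, CAP_NET_BROADCAST and CAP_NET_RAW while the second hunk of this file turns on `PrivateNetwork = true` and `RestrictAddressFamilies = "AF_UNIX"`; inside a private network namespace with only AF_UNIX those capabilities have nothing to act on, and conversely cupsd can no longer reach IPP or network printers and is reachable from the host only via its domain socket, so one of the two halves is presumably not what was intended. CAP_SYS_RAWIO (raw port and /dev/mem access) and CAP_MKNOD are also far broader than a print spooler usually needs; keep them only if a parallel-port or similar backend is actually in use, and name it in a comment. The whole set is written as one space-separated string inside a single-element list, which systemd accepts but which is harder to review than one capability per element, e.g. `[ "CAP_SETUID" "CAP_SETGID" "CAP_NET_BIND_SERVICE" ]`.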
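Review bot: `systemd-logind.serviceConfig.ProtectHome = false;` is added with no reason given, and unlike the sshd exemption it sits beside the need is not self-evident; a trailing comment such as `# logind needs <path> for <purpose>` (filled in with what actually failed) would stop the next hardening pass from simply re-enabling it. The enclosing attribute set continues outside this hunk. The removal of the per-service ProtectClock default and of the commented ProtectHostname line in the earlier hunk is consistent with both moving to ./global, which the import hunk of this file now pulls in.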
@@ -86,16 +90,6 @@ in display-manager.serviceConfig.SystemCallFilter = ""; sshd.serviceConfig.SystemCallFilter = ""; rtkit-daemon.serviceConfig.SystemCallFilter = ""; - - systemd-timesync.serviceConfig = { - ProtectClock = false; - SystemCallFilter = "@system-service @clock"; - }; - - save-hwclock.serviceConfig = { - ProtectClock = false; - SystemCallFilter = "@system-service @clock"; - }; }; }; } diff --git a/hardening/systemd/global/clock.nix b/hardening/systemd/global/clock.nix new file mode 100644 index 0000000..6ffcb2e --- /dev/null +++ b/hardening/systemd/global/clock.nix @@ -0,0 +1,37 @@ +{ lib, config, ... }: +let + inherit (lib) mkDefault types mkIf; +in +{ + options.systemd.services = lib.mkOption { + type = + let + osConfig = config; + in + types.attrsOf ( + lib.types.submodule ( + { config, name, ... }: + { + config.serviceConfig = mkIf (osConfig.specialisation != { }) { + ProtectClock = mkDefault true; + }; + } + ) + ); + }; + + config = mkIf (config.specialisation != { }) { + + systemd.services = { + systemd-timesyncd.serviceConfig = { + ProtectClock = false; + SystemCallFilter = "@system-service @clock"; + }; + + save-hwclock.serviceConfig = { + ProtectClock = false; + SystemCallFilter = "@system-service @clock"; + }; + }; + }; +} diff --git a/hardening/systemd/global/default.nix b/hardening/systemd/global/default.nix new file mode 100644 index 0000000..d232675 --- /dev/null +++ b/hardening/systemd/global/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./hostname.nix + ./clock.nix + ]; +} diff --git a/hardening/systemd/global/hostname.nix b/hardening/systemd/global/hostname.nix new file mode 100644 index 0000000..6ef5e25 --- /dev/null +++ b/hardening/systemd/global/hostname.nix 
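Review bot: The submodule function in clock.nix is declared as `{ config, name, ... }:` but uses neither argument (the inner `config` even shadows the outer one that `osConfig` was introduced to keep reachable); `{ ... }:` states the intent plainly, and the same applies to the identical pattern in hostname.nix. `types` is inherited from lib on the let line but the body still calls `lib.types.submodule`; pick one form. The specialisation guard is evaluated twice, once inside the submodule and once around the exemptions, which is harmless but could be hoisted into a single `let enabled = config.specialisation != { }; in`. Since ProtectClock also strips CAP_SYS_TIME and filters `@clock` for every other service, a comment stating that the timesyncd/save-hwclock list is meant to be the complete set of clock-setting services would tell a later reader why some other time daemon stopped working until it was added here.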
@@ -0,0 +1,29 @@ +{ lib, config, ... }: +let + inherit (lib) types mkIf mkDefault; +in +{ + options.systemd.services = lib.mkOption { + type = + let + osConfig = config; + in + types.attrsOf ( + lib.types.submodule ( + { config, name, ... }: + { + config.serviceConfig = mkIf (osConfig.specialisation != { }) { + ProtectHostname = mkDefault true; + }; + } + ) + ); + }; + + config = mkIf (config.specialisation != { }) { + systemd.services = { + systemd-hostnamed.serviceConfig.ProtectHostname = false; + nix-daemon.serviceConfig.ProtectHostname = false; + }; + }; +} diff --git a/hardening/systemd/tty.nix b/hardening/systemd/tty.nix new file mode 100644 index 0000000..a677428 --- /dev/null +++ b/hardening/systemd/tty.nix @@ -0,0 +1,32 @@ +{ lib, config, ... }: +{ + config.systemd.services = lib.mkIf (config.specialisation != { }) { + "getty@".serviceConfig = { + + #CapabilityBoundingSet =[ + # "CAP_SYS_TTY_CONFIGCAP_LEASE" + #]; + + # NoNewPrivileges = true; + RestrictNamespaces = "pid"; + + ProtectControlGroups = true; + ProtectHome = false; + ProtectClock = false; + ProtectKernelModules = true; + ProtectKernelTunables = true; + MemoryDenyWriteExecute = true; + # RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = lib.mkForce "@system-service"; + LockPersonality = true; + #RestrictRealtime=true; + ProtectProc = "invisible"; + + # PrivateUsers=true; + PrivateNetwork = true; + RestrictAddressFamilies = "AF_UNIX"; + # ProtectSystem=true; + }; + }; +} diff --git a/hardening/systemd/wpa_supplicant.nix b/hardening/systemd/wpa_supplicant.nix index 5fdfcb7..008fadd 100644 --- a/hardening/systemd/wpa_supplicant.nix +++ b/hardening/systemd/wpa_supplicant.nix @@ -22,9 +22,8 @@ SystemCallFilter = "@system-service"; LockPersonality = true; - ProtectHostname=true; - ProcSubset="pid"; - ProtectSystem=true; + ProcSubset = "pid"; + ProtectSystem = true; }; }; }
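Review bot: Everything set on `"getty@".serviceConfig` is inherited by login, by the user's shell and by every program started from a console session, because they all run inside the same unit; `SystemCallFilter = lib.mkForce "@system-service"`, `MemoryDenyWriteExecute = true`, `PrivateNetwork = true`, `RestrictAddressFamilies = "AF_UNIX"` and `ProtectProc = "invisible"` therefore confine interactive console logins as a whole, not just agetty. That means no network from a text console, JIT-using programs failing under MemoryDenyWriteExecute, and a seccomp filter wrapped around arbitrary user software (it presumably also survives a setuid exec of sudo or su from that session); the explicit `ProtectHome = false` and `ProtectClock = false` lines suggest this inheritance was already noticed, so if confining console sessions is the intended policy a header comment saying so would help, and if not, most of this list cannot be applied to agetty alone. The commented-out `"CAP_SYS_TTY_CONFIGCAP_LEASE"` is missing the separator between the two capability names and would not work if uncommented as-is.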