more sysd hardening
This commit is contained in:
parent
8f68278465
commit
cf98a8a221
12 changed files with 225 additions and 44 deletions
|
@ -25,9 +25,8 @@
|
|||
# PrivateUsers = true; # BAD
|
||||
# ProtectKernelTunables = true; # BAD
|
||||
|
||||
ProtectHostname=true;
|
||||
ProcSubset="pid";
|
||||
ProtectSystem=true;
|
||||
ProcSubset = "pid";
|
||||
ProtectSystem = true;
|
||||
};
|
||||
|
||||
NetworkManager-dispatcher.serviceConfig = {
|
||||
|
@ -55,9 +54,8 @@
|
|||
# PrivateUsers = true; # BAD
|
||||
# ProtectKernelTunables = true; # BAD
|
||||
|
||||
ProtectHostname=true;
|
||||
ProcSubset="pid";
|
||||
ProtectSystem=true;
|
||||
ProcSubset = "pid";
|
||||
ProtectSystem = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -15,13 +15,12 @@
|
|||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = "@system-service";
|
||||
LockPersonality = true;
|
||||
ProtectHostname=true;
|
||||
ProtectSystem=true;
|
||||
PrivateUsers=true;
|
||||
PrivateNetwork=true;
|
||||
RestrictRealtime=true;
|
||||
IPAddressAllow=[];
|
||||
RestrictAddressFamilies="AF_NETLINK AF_UNIX";
|
||||
ProtectSystem = true;
|
||||
PrivateUsers = true;
|
||||
PrivateNetwork = true;
|
||||
RestrictRealtime = true;
|
||||
IPAddressAllow = [ ];
|
||||
RestrictAddressFamilies = "AF_NETLINK AF_UNIX";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
41
hardening/systemd/ask-password.nix
Normal file
41
hardening/systemd/ask-password.nix
Normal file
|
@ -0,0 +1,41 @@
|
|||
{ lib, config, ... }:
|
||||
{
|
||||
config.systemd.services = lib.mkIf (config.specialisation != { }) {
|
||||
systemd-ask-password-console.serviceConfig = {
|
||||
CapabilityBoundingSet = [
|
||||
""
|
||||
];
|
||||
NoNewPrivileges = true;
|
||||
RestrictNamespaces = "pid";
|
||||
ProtectControlGroups = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
RestrictSUIDSGID = true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = "@system-service";
|
||||
LockPersonality = true;
|
||||
RestrictRealtime = true;
|
||||
ProtectProc = "invisible";
|
||||
PrivateUsers = true;
|
||||
};
|
||||
systemd-ask-password-wall.serviceConfig = {
|
||||
CapabilityBoundingSet = [
|
||||
""
|
||||
];
|
||||
NoNewPrivileges = true;
|
||||
RestrictNamespaces = "pid";
|
||||
ProtectControlGroups = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
RestrictSUIDSGID = true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = "@system-service";
|
||||
LockPersonality = true;
|
||||
RestrictRealtime = true;
|
||||
ProtectProc = "invisible";
|
||||
PrivateUsers = true;
|
||||
};
|
||||
};
|
||||
}
|
|
@ -12,13 +12,12 @@
|
|||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = "@system-service";
|
||||
LockPersonality = true;
|
||||
ProtectHostname=true;
|
||||
ProtectSystem=true;
|
||||
ProtectSystem = true;
|
||||
# PrivateUsers=true;
|
||||
# PrivateNetwork=true;
|
||||
RestrictRealtime=true;
|
||||
IPAddressAllow=[];
|
||||
RestrictAddressFamilies="AF_NETLINK";
|
||||
RestrictRealtime = true;
|
||||
IPAddressAllow = [ ];
|
||||
RestrictAddressFamilies = "AF_NETLINK";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
46
hardening/systemd/bluetooth.nix
Normal file
46
hardening/systemd/bluetooth.nix
Normal file
|
@ -0,0 +1,46 @@
|
|||
{ lib, config, ... }:
|
||||
{
|
||||
config.systemd.services = lib.mkIf (config.specialisation != { }) {
|
||||
bluetooth.serviceConfig = {
|
||||
CapabilityBoundingSet = [
|
||||
""
|
||||
];
|
||||
NoNewPrivileges = true;
|
||||
RestrictNamespaces = "pid";
|
||||
|
||||
ProtectControlGroups = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
RestrictSUIDSGID = true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = "@system-service";
|
||||
LockPersonality = true;
|
||||
RestrictRealtime = true;
|
||||
ProtectProc = "invisible";
|
||||
|
||||
PrivateUsers = true;
|
||||
};
|
||||
|
||||
blueman-mechanism.serviceConfig = {
|
||||
CapabilityBoundingSet = [
|
||||
""
|
||||
];
|
||||
NoNewPrivileges = true;
|
||||
RestrictNamespaces = "pid";
|
||||
|
||||
ProtectControlGroups = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
RestrictSUIDSGID = true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = "@system-service";
|
||||
LockPersonality = true;
|
||||
RestrictRealtime = true;
|
||||
ProtectProc = "invisible";
|
||||
|
||||
PrivateUsers = true;
|
||||
};
|
||||
};
|
||||
}
|
|
@ -2,9 +2,10 @@
|
|||
{
|
||||
config.systemd.services = lib.mkIf (config.specialisation != { }) {
|
||||
cups.serviceConfig = {
|
||||
#CapabilityBoundingSet = [
|
||||
# ""
|
||||
#];
|
||||
|
||||
CapabilityBoundingSet = [
|
||||
"CAP_LEASE CAP_MKNOD CAP_SYS_RAWIO CAP_SYS_RESOURCE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID"
|
||||
];
|
||||
NoNewPrivileges = true;
|
||||
RestrictNamespaces = "pid";
|
||||
|
||||
|
@ -16,12 +17,12 @@
|
|||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = "@system-service";
|
||||
LockPersonality = true;
|
||||
ProtectHostname=true;
|
||||
RestrictRealtime=true;
|
||||
RestrictRealtime = true;
|
||||
ProtectProc = "invisible";
|
||||
|
||||
# PrivateUsers=true;
|
||||
# PrivateNetwork=true;
|
||||
# RestrictAddressFamilies="AF_UNIX";
|
||||
PrivateNetwork = true;
|
||||
RestrictAddressFamilies = "AF_UNIX";
|
||||
# ProtectSystem=true;
|
||||
};
|
||||
};
|
||||
|
|
|
@ -18,6 +18,11 @@ in
|
|||
./auditd.nix
|
||||
./acpid.nix
|
||||
./cups.nix
|
||||
./bluetooth.nix
|
||||
./tty.nix
|
||||
./ask-password.nix
|
||||
|
||||
./global
|
||||
];
|
||||
|
||||
options.systemd.services = lib.mkOption {
|
||||
|
@ -38,8 +43,6 @@ in
|
|||
mkIf (osConfig.specialisation != { }) (
|
||||
{
|
||||
ProtectHome = mkDefault true;
|
||||
ProtectClock = mkDefault true;
|
||||
# ProtectHostname = mkDefault true;
|
||||
# LockPersonality = mkIf shouldMakeIntrusive (mkDefault true); # UH OH THIS ONE IS ROUGH!
|
||||
}
|
||||
// (lib.optionalAttrs shouldMakeIntrusive {
|
||||
|
@ -65,6 +68,7 @@ in
|
|||
sshd.serviceConfig.ProtectHome = false;
|
||||
display-manager.serviceConfig.ProtectHome = "read-only";
|
||||
dbus-broker.serviceConfig.ProtectHome = "read-only";
|
||||
systemd-logind.serviceConfig.ProtectHome = false;
|
||||
|
||||
nix-daemon.serviceConfig.ProtectHome = false;
|
||||
|
||||
|
@ -86,16 +90,6 @@ in
|
|||
display-manager.serviceConfig.SystemCallFilter = "";
|
||||
sshd.serviceConfig.SystemCallFilter = "";
|
||||
rtkit-daemon.serviceConfig.SystemCallFilter = "";
|
||||
|
||||
systemd-timesync.serviceConfig = {
|
||||
ProtectClock = false;
|
||||
SystemCallFilter = "@system-service @clock";
|
||||
};
|
||||
|
||||
save-hwclock.serviceConfig = {
|
||||
ProtectClock = false;
|
||||
SystemCallFilter = "@system-service @clock";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
37
hardening/systemd/global/clock.nix
Normal file
37
hardening/systemd/global/clock.nix
Normal file
|
@ -0,0 +1,37 @@
|
|||
{ lib, config, ... }:
|
||||
let
|
||||
inherit (lib) mkDefault types mkIf;
|
||||
in
|
||||
{
|
||||
options.systemd.services = lib.mkOption {
|
||||
type =
|
||||
let
|
||||
osConfig = config;
|
||||
in
|
||||
types.attrsOf (
|
||||
lib.types.submodule (
|
||||
{ config, name, ... }:
|
||||
{
|
||||
config.serviceConfig = mkIf (osConfig.specialisation != { }) {
|
||||
ProtectClock = mkDefault true;
|
||||
};
|
||||
}
|
||||
)
|
||||
);
|
||||
};
|
||||
|
||||
config = mkIf (config.specialisation != { }) {
|
||||
|
||||
systemd.services = {
|
||||
systemd-timesyncd.serviceConfig = {
|
||||
ProtectClock = false;
|
||||
SystemCallFilter = "@system-service @clock";
|
||||
};
|
||||
|
||||
save-hwclock.serviceConfig = {
|
||||
ProtectClock = false;
|
||||
SystemCallFilter = "@system-service @clock";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
6
hardening/systemd/global/default.nix
Normal file
6
hardening/systemd/global/default.nix
Normal file
|
@ -0,0 +1,6 @@
|
|||
{
|
||||
imports = [
|
||||
./hostname.nix
|
||||
./clock.nix
|
||||
];
|
||||
}
|
29
hardening/systemd/global/hostname.nix
Normal file
29
hardening/systemd/global/hostname.nix
Normal file
|
@ -0,0 +1,29 @@
|
|||
{ lib, config, ... }:
|
||||
let
|
||||
inherit (lib) types mkIf mkDefault;
|
||||
in
|
||||
{
|
||||
options.systemd.services = lib.mkOption {
|
||||
type =
|
||||
let
|
||||
osConfig = config;
|
||||
in
|
||||
types.attrsOf (
|
||||
lib.types.submodule (
|
||||
{ config, name, ... }:
|
||||
{
|
||||
config.serviceConfig = mkIf (osConfig.specialisation != { }) {
|
||||
ProtectHostname = mkDefault true;
|
||||
};
|
||||
}
|
||||
)
|
||||
);
|
||||
};
|
||||
|
||||
config = mkIf (config.specialisation != { }) {
|
||||
systemd.services = {
|
||||
systemd-hostnamed.serviceConfig.ProtectHostname = false;
|
||||
nix-daemon.serviceConfig.ProtectHostname = false;
|
||||
};
|
||||
};
|
||||
}
|
32
hardening/systemd/tty.nix
Normal file
32
hardening/systemd/tty.nix
Normal file
|
@ -0,0 +1,32 @@
|
|||
{ lib, config, ... }:
|
||||
{
|
||||
config.systemd.services = lib.mkIf (config.specialisation != { }) {
|
||||
"getty@".serviceConfig = {
|
||||
|
||||
#CapabilityBoundingSet =[
|
||||
# "CAP_SYS_TTY_CONFIGCAP_LEASE"
|
||||
#];
|
||||
|
||||
# NoNewPrivileges = true;
|
||||
RestrictNamespaces = "pid";
|
||||
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = false;
|
||||
ProtectClock = false;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
# RestrictSUIDSGID = true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = lib.mkForce "@system-service";
|
||||
LockPersonality = true;
|
||||
#RestrictRealtime=true;
|
||||
ProtectProc = "invisible";
|
||||
|
||||
# PrivateUsers=true;
|
||||
PrivateNetwork = true;
|
||||
RestrictAddressFamilies = "AF_UNIX";
|
||||
# ProtectSystem=true;
|
||||
};
|
||||
};
|
||||
}
|
|
@ -22,9 +22,8 @@
|
|||
SystemCallFilter = "@system-service";
|
||||
LockPersonality = true;
|
||||
|
||||
ProtectHostname=true;
|
||||
ProcSubset="pid";
|
||||
ProtectSystem=true;
|
||||
ProcSubset = "pid";
|
||||
ProtectSystem = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue