From d6c70f5ae29fe3917a65c31bfd1106f087ea9ef5 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Sun, 5 Jan 2025 13:27:12 +0100 Subject: [PATCH] systemd network hardening --- common/tooling/nix.nix | 2 +- flake.lock | 146 +++--------------- flake.nix | 12 +- hardening/default.nix | 2 +- hardening/systemd/NetworkManager.nix | 63 ++++++++ .../{systemd.nix => systemd/default.nix} | 68 +++----- hardening/systemd/wpa_supplicant.nix | 30 ++++ overlays/default.nix | 2 +- result-man | 1 + 9 files changed, 146 insertions(+), 180 deletions(-) create mode 100644 hardening/systemd/NetworkManager.nix rename hardening/{systemd.nix => systemd/default.nix} (53%) create mode 100644 hardening/systemd/wpa_supplicant.nix create mode 120000 result-man diff --git a/common/tooling/nix.nix b/common/tooling/nix.nix index d53e9fe..5964d4b 100644 --- a/common/tooling/nix.nix +++ b/common/tooling/nix.nix @@ -20,7 +20,7 @@ nvd vulnix nix-init - inputs.nixpkgs-update.packages."${system}".default + # inputs.nixpkgs-update.packages."${system}".default ]; environment.sessionVariables = diff --git a/flake.lock b/flake.lock index 82a5590..0a5c366 100644 --- a/flake.lock +++ b/flake.lock @@ -140,11 +140,11 @@ ] }, "locked": { - "lastModified": 1735566338, - "narHash": "sha256-9sYGJZCGeb11WBVsE2u0gwuTk8LpbOgnrJvyDbHpOoY=", + "lastModified": 1735943654, + "narHash": "sha256-rXmcRRQfXXYAKOa5IXlrMISTwgScA2Dx04JpONXRA+Q=", "owner": "chaotic-cx", "repo": "nyx", - "rev": "446ad45313df3dbc93ad9e9d8dd6d094b16f6fb4", + "rev": "5edcf7fb24c73ff9665f299461af33fa6171836f", "type": "github" }, "original": { 
@@ -342,11 +342,11 @@ ] }, "locked": { - "lastModified": 1734622215, - "narHash": "sha256-OOfI0XhSJGHblfdNDhfnn8QnZxng63rWk9eeJ2tCbiI=", + "lastModified": 1735774425, + "narHash": "sha256-C73gLFnEh8ZI0uDijUgCDWCd21T6I6tsaWgIBHcfAXg=", "owner": "nix-community", "repo": "home-manager", - "rev": "1395379a7a36e40f2a76e7b9936cc52950baa1be", + "rev": "5f6aa268e419d053c3d5025da740e390b12ac936", "type": "github" }, "original": { @@ -362,10 +362,10 @@ ] }, "locked": { - "dirtyRev": "35b98d20ca8f4ca1f6a2c30b8a2c8bb305a36d84-dirty", - "dirtyShortRev": "35b98d20-dirty", - "lastModified": 1735053786, - "narHash": "sha256-HOjO2DoyhxGy0nA1Bk816WjsHKtOACVKVtkjHo4CbXI=", + "dirtyRev": "0d7908bd09165db6699908b7e3970f137327cbf0-dirty", + "dirtyShortRev": "0d7908bd-dirty", + "lastModified": 1736013363, + "narHash": "sha256-1UN8758BA6XDgte9AfHu5fZ35zqVPPq3GGuca3JJOZU=", "type": "git", "url": "file:///home/grimmauld/coding/home-manager" }, @@ -396,28 +396,6 @@ "type": "github" } }, - "mmdoc": { - "inputs": { - "nixpkgs": [ - "nixpkgs-update", - "nixpkgs" - ], - "systems": "systems_4" - }, - "locked": { - "lastModified": 1710694589, - "narHash": "sha256-5wa+Jzxr+LygoxSZuZg0YU81jgdnx2IY/CqDIJMOgec=", - "owner": "ryantm", - "repo": "mmdoc", - "rev": "b6ddf748b1d1c01ca582bb1b3dafd6bc3a4c83a6", - "type": "github" - }, - "original": { - "owner": "ryantm", - "repo": "mmdoc", - "type": "github" - } - }, "nix-github-actions": { "inputs": { "nixpkgs": [ @@ -514,11 +492,11 @@ ] }, "locked": { - "lastModified": 1727410897, - "narHash": "sha256-tWsyxvf421ieWUJYgjV7m1eTdr2ZkO3vId7vmtvfFpQ=", + "lastModified": 1735857245, + "narHash": "sha256-AKLLPrgXTxgzll3DqVUMa4QlPlRN3QceutgFBmEf8Nk=", "owner": "dali99", "repo": "nixos-matrix-modules", - "rev": "ff787d410cba17882cd7b6e2e22cc88d4064193c", + "rev": "da9dc0479ffe22362793c87dc089035facf6ec4d", "type": "github" }, "original": { 
@@ -529,16 +507,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1735801820, - "narHash": "sha256-tOAdzu1ck58BA3hZItecyqrhe2fdoQgJiWm4iyUyhgc=", + "lastModified": 1735834308, + "narHash": "sha256-dklw3AXr3OGO4/XT1Tu3Xz9n/we8GctZZ75ZWVqAVhk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3da6bd3e69891c1e20bbf083a1c8738d6c814060", + "rev": "6df24922a1400241dae323af55f30e4318a6ca65", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable-small", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } @@ -574,41 +552,6 @@ "type": "github" } }, - "nixpkgs-update": { - "inputs": { - "mmdoc": "mmdoc", - "nixpkgs": "nixpkgs_2", - "runtimeDeps": "runtimeDeps", - "treefmt-nix": "treefmt-nix" - }, - "locked": { - "lastModified": 1734559477, - "narHash": "sha256-Jwvow0ri+ZgCdP6jpNQVjxub14Pxs1kyjvDV3BbvNzE=", - "owner": "nix-community", - "repo": "nixpkgs-update", - "rev": "7f089591e8f595011323c8a7370b195fa3dfe0b7", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs-update", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1672428209, - "narHash": "sha256-eejhqkDz2cb2vc5VeaWphJz8UXNuoNoM8/Op8eWv2tQ=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "293a28df6d7ff3dec1e61e37cc4ee6e6c0fb0847", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "type": "indirect" - } - }, "pre-commit-hooks": { "inputs": { "flake-compat": "flake-compat", 
@@ -643,24 +586,7 @@ "home-manager": "home-manager_3", "nixos-mailserver": "nixos-mailserver", "nixos-matrix-modules": "nixos-matrix-modules", - "nixpkgs": "nixpkgs", - "nixpkgs-update": "nixpkgs-update" - } - }, - "runtimeDeps": { - "locked": { - "lastModified": 1714247354, - "narHash": "sha256-6dFKqP/aCKIdpOgqgIQUrRT0NOfVc14ftNcdELa4Pu4=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "c8d7c8a78fb516c0842cc65346506a565c88014d", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" + "nixpkgs": "nixpkgs" } }, "rust-overlay": { @@ -749,42 +675,6 @@ "repo": "default", "type": "github" } - }, - "systems_4": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "treefmt-nix": { - "inputs": { - "nixpkgs": [ - "nixpkgs-update", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1711963903, - "narHash": "sha256-N3QDhoaX+paWXHbEXZapqd1r95mdshxToGowtjtYkGI=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "49dc4a92b02b8e68798abd99184f228243b6e3ac", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 3d60558..83ef999 100644 --- a/flake.nix +++ b/flake.nix @@ -3,7 +3,7 @@ inputs = { nixpkgs = { - url = "github:NixOS/nixpkgs/nixos-unstable-small"; + url = "github:NixOS/nixpkgs/nixos-unstable"; # url = "git+file:///home/grimmauld/coding/nixpkgs"; }; chaotic = { 
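Review bot: The `nixpkgs` input moves from `nixos-unstable-small` to `nixos-unstable` in the last hunk on this line, which changes how quickly security fixes reach this system — the small channel advances after a reduced test set, so patches normally appear there days earlier. That is a legitimate trade-off (fewer breakages against patch latency), but it is unrelated to the commit subject and not mentioned anywhere; if it is intended, a comment next to the url such as `# nixos-unstable: accept slower security updates than -small in exchange for the full test suite` would record the choice. The commented-out `git+file:///home/...` alternative below it is already doing that job for the local-checkout case.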
@@ -32,10 +32,10 @@ url = "github:LordGrimmauld/aa-alias-manager"; inputs.nixpkgs.follows = "nixpkgs"; }; - nixpkgs-update = { - url = "github:nix-community/nixpkgs-update"; - # inputs.nixpkgs.follows = "nixpkgs"; - }; +# nixpkgs-update = { +# url = "github:nix-community/nixpkgs-update"; +# # inputs.nixpkgs.follows = "nixpkgs"; +# }; apparmor-dev = { url = "github:LordGrimmauld/apparmor-dev"; inputs.nixpkgs.follows = "nixpkgs"; @@ -60,7 +60,7 @@ nixos-mailserver, nixos-matrix-modules, aa-alias-manager, - nixpkgs-update, + # nixpkgs-update, apparmor-dev, home-manager, ... diff --git a/hardening/default.nix b/hardening/default.nix index 65e5bd8..3195442 100644 --- a/hardening/default.nix +++ b/hardening/default.nix @@ -1,7 +1,7 @@ { lib, config, ... }: { imports = [ - # ./systemd.nix + ./systemd ./ssh-as-sudo.nix ]; diff --git a/hardening/systemd/NetworkManager.nix b/hardening/systemd/NetworkManager.nix new file mode 100644 index 0000000..bd18efa --- /dev/null +++ b/hardening/systemd/NetworkManager.nix 
@@ -0,0 +1,63 @@ +{ lib, config, ... }: +{ + config.systemd.services = lib.mkIf (config.specialisation != { }) { + NetworkManager.serviceConfig = { + CapabilityBoundingSet = [ + "" + (lib.concatStringsSep " " [ + "cap_net_bind_service" + "cap_net_admin" + "cap_net_raw" + ]) + ]; + NoNewPrivileges = true; + RestrictNamespaces = "net uts"; + ProtectControlGroups = true; + ProtectKernelModules = true; + MemoryDenyWriteExecute = true; + RestrictSUIDSGID = true; + ProtectProc = "invisible"; + SystemCallArchitectures = "native"; + SystemCallFilter = "@system-service"; + + PrivateDevices = true; + LockPersonality = true; + # PrivateUsers = true; # BAD + # ProtectKernelTunables = true; # BAD + + ProtectHostname=true; + ProcSubset="pid"; + ProtectSystem=true; + }; + + NetworkManager-dispatcher.serviceConfig = { + CapabilityBoundingSet = [ + "" + (lib.concatStringsSep " " [ + "cap_net_bind_service" + "cap_net_admin" + "cap_net_raw" + ]) + ]; + UMask = "0700"; + NoNewPrivileges = true; + RestrictNamespaces = "net uts"; + ProtectControlGroups = true; + ProtectKernelModules = true; + MemoryDenyWriteExecute = true; + RestrictSUIDSGID = true; + ProtectProc = "invisible"; + SystemCallArchitectures = "native"; + SystemCallFilter = "@system-service"; + + PrivateDevices = true; + LockPersonality = true; + # PrivateUsers = true; # BAD + # ProtectKernelTunables = true; # BAD + + ProtectHostname=true; + ProcSubset="pid"; + ProtectSystem=true; + }; + }; +} diff --git a/hardening/systemd.nix b/hardening/systemd/default.nix similarity index 53% rename from hardening/systemd.nix rename to hardening/systemd/default.nix index 6dbf4c9..4b17dce 100644 --- a/hardening/systemd.nix +++ b/hardening/systemd/default.nix @@ -12,6 +12,11 @@ let noPred (lib.tail preds) x; in { + imports = [ + ./NetworkManager.nix + ./wpa_supplicant.nix + ]; + options.systemd.services = lib.mkOption { type = let 
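Review bot: `UMask = "0700"` in the `NetworkManager-dispatcher` block looks inverted: a umask clears permission bits, so 0700 strips every owner bit from files that dispatcher scripts create while leaving group/other untouched — a file created with 0666 would come out as 066, readable by everyone except its owner. The `NetworkManager` block this code was moved from carried `UMask = "0022"`; either `UMask = "0022";` (as before) or `UMask = "0077";` (owner-only, the usual hardening choice) is what was presumably meant. Separately, `ProcSubset = "pid"` hides `/proc/sys` from the service entirely, which is the same path NetworkManager writes for its per-interface IPv6 sysctls and presumably why `ProtectKernelTunables` is marked `# BAD` — confirm the two settings are not in conflict before relying on this unit. The `# BAD` comments would also help the next reader if they said what broke, e.g. `# ProtectKernelTunables = true; # breaks NM: needs to write /proc/sys/net/ipv6/conf/*`. `PrivateDevices = true` likewise removes `/dev/rfkill` from the service's view, which NetworkManager is believed to use for radio kill-switch state and which the wpa_supplicant block in this commit leaves accessible — worth confirming Wi-Fi soft-block state still reports correctly.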
@@ -27,17 +32,21 @@ in noPred [ (lib.hasPrefix "systemd-") (eq "user@") (eq "user-runtime-dir@") (eq "nix-daemon") ] name ); in - mkIf (osConfig.specialisation != { }) { - ProtectHome = mkDefault true; - # NoNewPrivileges = mkIf shouldMakeIntrusive (mkDefault true); # TODO: this one is quite radical - PrivateTmp = mkIf shouldMakeIntrusive (mkDefault true); - # SystemCallFilter = mkIf shouldMakeIntrusive (mkDefault "@system-service"); - ProtectClock = mkDefault true; - # ProtectKernelLogs = mkIf shouldMakeIntrusive (mkDefault true); - # SystemCallArchitectures = mkIf shouldMakeIntrusive (mkDefault "native"); - ProtectHostname = mkDefault true; - # LockPersonality = mkDefault true; - }; + mkIf (osConfig.specialisation != { }) ( + { + ProtectHome = mkDefault true; + ProtectClock = mkDefault true; + # ProtectHostname = mkDefault true; + # LockPersonality = mkIf shouldMakeIntrusive (mkDefault true); # UH OH THIS ONE IS ROUGH! + } + // (lib.optionalAttrs shouldMakeIntrusive { + PrivateTmp = mkDefault true; + # NoNewPrivileges = mkIf shouldMakeIntrusive (mkDefault true); # TODO: this one is quite radical + # SystemCallFilter = mkIf shouldMakeIntrusive (mkDefault "@system-service"); + ProtectKernelLogs = mkIf shouldMakeIntrusive (mkDefault true); + # SystemCallArchitectures = mkIf shouldMakeIntrusive (mkDefault "native"); + }) + ); } ) ); 
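Review bot: Inside the new `lib.optionalAttrs shouldMakeIntrusive { ... }` the inner `mkIf shouldMakeIntrusive` wrappers are redundant — the whole attribute set is already conditional on it — so `ProtectKernelLogs = mkDefault true;` reads more clearly and matches the `PrivateTmp` line beside it. The hunk also drops `ProtectHostname = mkDefault true` from the global defaults, a relaxation for every non-excluded service that the commit message does not mention; if one unit needed it off, the per-service override pattern this file already uses (`foo.serviceConfig.ProtectHostname = false;`) keeps the default for the rest. `# UH OH THIS ONE IS ROUGH!` on `LockPersonality` would be more useful as a record of which units failed, e.g. `# LockPersonality: off globally; broke pipewire (and others?) — re-enable per service once verified`, since the removed pipewire override is the only evidence visible here. The enclosing `mkOption`/`type` expression starts and ends outside this hunk.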
@@ -54,47 +63,24 @@ in display-manager.serviceConfig.ProtectHome = "read-only"; dbus-broker.serviceConfig.ProtectHome = "read-only"; + nix-daemon.serviceConfig.ProtectHome = false; + zfs-mount.serviceConfig.PrivateTmp = false; kmod-static-nodes.serviceConfig.PrivateTmp = false; mount-pstore.serviceConfig.PrivateTmp = false; # todo: tpm things - # "user@".serviceConfig.PrivateTmp = false; # make sddm happy - # "user-runtime-dir@".serviceConfig.PrivateTmp = false; # make sddm happy - - polkit.serviceConfig.NoNewPrivileges = false; - "getty@".serviceConfig.NoNewPrivileges = false; - "user@".serviceConfig.NoNewPrivileges = false; + #polkit.serviceConfig.NoNewPrivileges = false; + #"getty@".serviceConfig.NoNewPrivileges = false; + #"user@".serviceConfig.NoNewPrivileges = false; # todo: dbus? - NetworkManager.serviceConfig = { - CapabilityBoundingSet = [ - "" - (lib.concatStringsSep " " [ - "cap_net_bind_service" - "cap_net_admin" - "cap_net_raw" - ]) - ]; - UMask = "0022"; - NoNewPrivileges = true; - RestrictNamespaces = "net uts"; - ProtectControlGroups = true; - # PrivateDevices - ProtectKernelModules = true; - MemoryDenyWriteExecute = true; - RestrictSUIDSGID = true; - }; - auditd.serviceConfig.ProtectKernelLogs = false; audit.serviceConfig.ProtectKernelLogs = false; "getty@".serviceConfig.SystemCallFilter = ""; - # "user@".serviceConfig.SystemCallFilter = ""; - # "user-runtime-dir@".serviceConfig.SystemCallFilter = ""; display-manager.serviceConfig.SystemCallFilter = ""; - # nix-daemon.serviceConfig.SystemCallFilter = ""; sshd.serviceConfig.SystemCallFilter = ""; rtkit-daemon.serviceConfig.SystemCallFilter = ""; @@ -103,10 +89,6 @@ in SystemCallFilter = "@system-service @clock"; }; - pipewire.serviceConfig = { - LockPersonality = false; - }; - save-hwclock.serviceConfig = { ProtectClock = false; SystemCallFilter = "@system-service @clock"; 
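Review bot: `nix-daemon.serviceConfig.ProtectHome = false;` is the only new setting in this hunk and carries no rationale; the lines just above use the smaller relaxation `ProtectHome = "read-only"` for `display-manager` and `dbus-broker`, and unless the daemon actually has to write under `/home`, `nix-daemon.serviceConfig.ProtectHome = "read-only";` would preserve that. Either way a short why-comment is warranted, e.g. `# nix-daemon: evaluations/builds read flake sources under /home` — the precise need is not visible from this hunk, so adjust the wording to what was observed. The three `NoNewPrivileges` overrides turned into `#` comments are dead now that the global default is commented out as well; deleting them rather than commenting keeps the override list readable, and git history retains them. The enclosing attribute set starts before this hunk.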
diff --git a/hardening/systemd/wpa_supplicant.nix b/hardening/systemd/wpa_supplicant.nix new file mode 100644 index 0000000..5fdfcb7 --- /dev/null +++ b/hardening/systemd/wpa_supplicant.nix @@ -0,0 +1,30 @@ +{ lib, config, ... }: +{ + config.systemd.services = lib.mkIf (config.specialisation != { }) { + wpa_supplicant.serviceConfig = { + CapabilityBoundingSet = [ + "" + (lib.concatStringsSep " " [ + "cap_net_bind_service" + "cap_net_admin" + "cap_net_raw" + "cap_net_broadcast" + ]) + ]; + NoNewPrivileges = true; + RestrictNamespaces = "net"; + ProtectControlGroups = true; + ProtectKernelModules = true; + MemoryDenyWriteExecute = true; + RestrictSUIDSGID = true; + ProtectProc = "invisible"; + SystemCallArchitectures = "native"; + SystemCallFilter = "@system-service"; + LockPersonality = true; + + ProtectHostname=true; + ProcSubset="pid"; + ProtectSystem=true; + }; + }; +} diff --git a/overlays/default.nix b/overlays/default.nix index 3b81762..40e346b 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -39,6 +39,6 @@ ./factorio.nix ./ranger.nix # ./ncspot.nix - ./grpcio-tools.nix + # ./grpcio-tools.nix ]; } diff --git a/result-man b/result-man new file mode 120000 index 0000000..5b1e78b --- /dev/null +++ b/result-man @@ -0,0 +1 @@ +/nix/store/vb62k4zn31h6angn81biw3avkscjva9s-perl-5.40.0-man \ No newline at end of file
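Review bot: `RestrictNamespaces = "net"` still allows the service to create network namespaces; nothing in this hunk shows wpa_supplicant needing that, so unless it was observed to fail, `RestrictNamespaces = true;` (no namespace creation at all) is the tighter setting — the same question applies to `"net uts"` in the NetworkManager file. `cap_net_broadcast` in the bounding set is documented as unused in capabilities(7), so it can be dropped without effect. This block and the two in `NetworkManager.nix` are near-copies of one another; a shared base set (e.g. `let netHardening = { NoNewPrivileges = true; RestrictSUIDSGID = true; ... }; in` in `default.nix`, applied with `//` per service) would keep the three in step when the next option is toggled. `PrivateDevices` is present for NetworkManager but absent here, which may well be intentional (wpa_supplicant would need device nodes such as `/dev/rfkill`); a one-line comment saying so would stop a later "harmonisation" from breaking Wi-Fi.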
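Review bot: `result-man` is a `nix build` output symlink pointing at a store path on the author's machine (`/nix/store/...-perl-5.40.0-man`) and has nothing to do with the hardening change; it should be dropped from the commit and `result*` added to `.gitignore` so build outputs cannot be committed again. The link is harmless on checkout but will dangle on every other host and leaks nothing useful beyond the author's store layout.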