systemd network hardening

This commit is contained in:
Grimmauld 2025-01-05 13:27:12 +01:00
parent 35c4b42d3e
commit d6c70f5ae2
No known key found for this signature in database
9 changed files with 146 additions and 180 deletions


@ -20,7 +20,7 @@
nvd nvd
vulnix vulnix
nix-init nix-init
inputs.nixpkgs-update.packages."${system}".default # inputs.nixpkgs-update.packages."${system}".default
]; ];
environment.sessionVariables = environment.sessionVariables =


@ -140,11 +140,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1735566338, "lastModified": 1735943654,
"narHash": "sha256-9sYGJZCGeb11WBVsE2u0gwuTk8LpbOgnrJvyDbHpOoY=", "narHash": "sha256-rXmcRRQfXXYAKOa5IXlrMISTwgScA2Dx04JpONXRA+Q=",
"owner": "chaotic-cx", "owner": "chaotic-cx",
"repo": "nyx", "repo": "nyx",
"rev": "446ad45313df3dbc93ad9e9d8dd6d094b16f6fb4", "rev": "5edcf7fb24c73ff9665f299461af33fa6171836f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -342,11 +342,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1734622215, "lastModified": 1735774425,
"narHash": "sha256-OOfI0XhSJGHblfdNDhfnn8QnZxng63rWk9eeJ2tCbiI=", "narHash": "sha256-C73gLFnEh8ZI0uDijUgCDWCd21T6I6tsaWgIBHcfAXg=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "1395379a7a36e40f2a76e7b9936cc52950baa1be", "rev": "5f6aa268e419d053c3d5025da740e390b12ac936",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -362,10 +362,10 @@
] ]
}, },
"locked": { "locked": {
"dirtyRev": "35b98d20ca8f4ca1f6a2c30b8a2c8bb305a36d84-dirty", "dirtyRev": "0d7908bd09165db6699908b7e3970f137327cbf0-dirty",
"dirtyShortRev": "35b98d20-dirty", "dirtyShortRev": "0d7908bd-dirty",
"lastModified": 1735053786, "lastModified": 1736013363,
"narHash": "sha256-HOjO2DoyhxGy0nA1Bk816WjsHKtOACVKVtkjHo4CbXI=", "narHash": "sha256-1UN8758BA6XDgte9AfHu5fZ35zqVPPq3GGuca3JJOZU=",
"type": "git", "type": "git",
"url": "file:///home/grimmauld/coding/home-manager" "url": "file:///home/grimmauld/coding/home-manager"
}, },
@ -396,28 +396,6 @@
"type": "github" "type": "github"
} }
}, },
"mmdoc": {
"inputs": {
"nixpkgs": [
"nixpkgs-update",
"nixpkgs"
],
"systems": "systems_4"
},
"locked": {
"lastModified": 1710694589,
"narHash": "sha256-5wa+Jzxr+LygoxSZuZg0YU81jgdnx2IY/CqDIJMOgec=",
"owner": "ryantm",
"repo": "mmdoc",
"rev": "b6ddf748b1d1c01ca582bb1b3dafd6bc3a4c83a6",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "mmdoc",
"type": "github"
}
},
"nix-github-actions": { "nix-github-actions": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -514,11 +492,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1727410897, "lastModified": 1735857245,
"narHash": "sha256-tWsyxvf421ieWUJYgjV7m1eTdr2ZkO3vId7vmtvfFpQ=", "narHash": "sha256-AKLLPrgXTxgzll3DqVUMa4QlPlRN3QceutgFBmEf8Nk=",
"owner": "dali99", "owner": "dali99",
"repo": "nixos-matrix-modules", "repo": "nixos-matrix-modules",
"rev": "ff787d410cba17882cd7b6e2e22cc88d4064193c", "rev": "da9dc0479ffe22362793c87dc089035facf6ec4d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -529,16 +507,16 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1735801820, "lastModified": 1735834308,
"narHash": "sha256-tOAdzu1ck58BA3hZItecyqrhe2fdoQgJiWm4iyUyhgc=", "narHash": "sha256-dklw3AXr3OGO4/XT1Tu3Xz9n/we8GctZZ75ZWVqAVhk=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "3da6bd3e69891c1e20bbf083a1c8738d6c814060", "rev": "6df24922a1400241dae323af55f30e4318a6ca65",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-unstable-small", "ref": "nixos-unstable",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -574,41 +552,6 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-update": {
"inputs": {
"mmdoc": "mmdoc",
"nixpkgs": "nixpkgs_2",
"runtimeDeps": "runtimeDeps",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1734559477,
"narHash": "sha256-Jwvow0ri+ZgCdP6jpNQVjxub14Pxs1kyjvDV3BbvNzE=",
"owner": "nix-community",
"repo": "nixpkgs-update",
"rev": "7f089591e8f595011323c8a7370b195fa3dfe0b7",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs-update",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1672428209,
"narHash": "sha256-eejhqkDz2cb2vc5VeaWphJz8UXNuoNoM8/Op8eWv2tQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "293a28df6d7ff3dec1e61e37cc4ee6e6c0fb0847",
"type": "github"
},
"original": {
"id": "nixpkgs",
"type": "indirect"
}
},
"pre-commit-hooks": { "pre-commit-hooks": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
@ -643,24 +586,7 @@
"home-manager": "home-manager_3", "home-manager": "home-manager_3",
"nixos-mailserver": "nixos-mailserver", "nixos-mailserver": "nixos-mailserver",
"nixos-matrix-modules": "nixos-matrix-modules", "nixos-matrix-modules": "nixos-matrix-modules",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs"
"nixpkgs-update": "nixpkgs-update"
}
},
"runtimeDeps": {
"locked": {
"lastModified": 1714247354,
"narHash": "sha256-6dFKqP/aCKIdpOgqgIQUrRT0NOfVc14ftNcdELa4Pu4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c8d7c8a78fb516c0842cc65346506a565c88014d",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
} }
}, },
"rust-overlay": { "rust-overlay": {
@ -749,42 +675,6 @@
"repo": "default", "repo": "default",
"type": "github" "type": "github"
} }
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs-update",
"nixpkgs"
]
},
"locked": {
"lastModified": 1711963903,
"narHash": "sha256-N3QDhoaX+paWXHbEXZapqd1r95mdshxToGowtjtYkGI=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "49dc4a92b02b8e68798abd99184f228243b6e3ac",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",


@ -3,7 +3,7 @@
inputs = { inputs = {
nixpkgs = { nixpkgs = {
url = "github:NixOS/nixpkgs/nixos-unstable-small"; url = "github:NixOS/nixpkgs/nixos-unstable";
# url = "git+file:///home/grimmauld/coding/nixpkgs"; # url = "git+file:///home/grimmauld/coding/nixpkgs";
}; };
chaotic = { chaotic = {
@ -32,10 +32,10 @@
url = "github:LordGrimmauld/aa-alias-manager"; url = "github:LordGrimmauld/aa-alias-manager";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nixpkgs-update = { # nixpkgs-update = {
url = "github:nix-community/nixpkgs-update"; # url = "github:nix-community/nixpkgs-update";
# inputs.nixpkgs.follows = "nixpkgs"; # # inputs.nixpkgs.follows = "nixpkgs";
}; # };
apparmor-dev = { apparmor-dev = {
url = "github:LordGrimmauld/apparmor-dev"; url = "github:LordGrimmauld/apparmor-dev";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -60,7 +60,7 @@
nixos-mailserver, nixos-mailserver,
nixos-matrix-modules, nixos-matrix-modules,
aa-alias-manager, aa-alias-manager,
nixpkgs-update, # nixpkgs-update,
apparmor-dev, apparmor-dev,
home-manager, home-manager,
... ...
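Review bot: The switch from `nixos-unstable-small` to `nixos-unstable` and the removal of the `nixpkgs-update` input are not covered by the "systemd network hardening" title and carry no rationale in the message; the small channel advances with fewer gating tests, so security fixes generally reach it first, and the trade-off should be written down or the change split into its own commit. A one-line comment next to the url, e.g. `# nixos-unstable (not -small): prefer tested channel over faster security bumps`, would be enough.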


@ -1,7 +1,7 @@
{ lib, config, ... }: { lib, config, ... }:
{ {
imports = [ imports = [
# ./systemd.nix ./systemd
./ssh-as-sudo.nix ./ssh-as-sudo.nix
]; ];


@ -0,0 +1,63 @@
{ lib, config, ... }:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
NetworkManager.serviceConfig = {
CapabilityBoundingSet = [
""
(lib.concatStringsSep " " [
"cap_net_bind_service"
"cap_net_admin"
"cap_net_raw"
])
];
NoNewPrivileges = true;
RestrictNamespaces = "net uts";
ProtectControlGroups = true;
ProtectKernelModules = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
ProtectProc = "invisible";
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
PrivateDevices = true;
LockPersonality = true;
# PrivateUsers = true; # BAD
# ProtectKernelTunables = true; # BAD
ProtectHostname=true;
ProcSubset="pid";
ProtectSystem=true;
};
NetworkManager-dispatcher.serviceConfig = {
CapabilityBoundingSet = [
""
(lib.concatStringsSep " " [
"cap_net_bind_service"
"cap_net_admin"
"cap_net_raw"
])
];
UMask = "0700";
NoNewPrivileges = true;
RestrictNamespaces = "net uts";
ProtectControlGroups = true;
ProtectKernelModules = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
ProtectProc = "invisible";
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
PrivateDevices = true;
LockPersonality = true;
# PrivateUsers = true; # BAD
# ProtectKernelTunables = true; # BAD
ProtectHostname=true;
ProcSubset="pid";
ProtectSystem=true;
};
};
}
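Review bot: `UMask = "0700"` on NetworkManager-dispatcher strips read/write/execute from the owner of every file the dispatcher scripts create (a 0666 create becomes 0066) while leaving group and world bits intact, which is the reverse of the intended lockdown, and because CAP_DAC_OVERRIDE is absent from the bounding set root cannot read those files back either; it should read `UMask = "0077";` (or `"0027"` if group-readable output is wanted). `PrivateDevices = true` on the NetworkManager unit hides /dev/rfkill, which NetworkManager appears to use for its software radio on/off handling, so `nmcli radio wifi off` and the journal should be checked before this ships — the wpa_supplicant profile in the same commit notably leaves the option unset. `ProcSubset = "pid"` also removes /proc/sys from the unit's view; since the `# ProtectKernelTunables = true; # BAD` comment already records that NetworkManager needs writable sysctls (it sets per-interface knobs under /proc/sys/net), the pid subset is likely to break the same code path and deserves the same test. The three-capability bounding set is narrower than what upstream's unit declares (as far as I recall it also lists CAP_DAC_OVERRIDE, CAP_SETUID/SETGID, CAP_KILL, CAP_AUDIT_WRITE and CAP_SYS_CHROOT), so a failing DHCP helper or dispatcher run would surface as EPERM in the journal; `systemd-analyze security NetworkManager.service` is the cheap way to confirm what survived.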


@ -12,6 +12,11 @@ let
noPred (lib.tail preds) x; noPred (lib.tail preds) x;
in in
{ {
imports = [
./NetworkManager.nix
./wpa_supplicant.nix
];
options.systemd.services = lib.mkOption { options.systemd.services = lib.mkOption {
type = type =
let let
@ -27,17 +32,21 @@ in
noPred [ (lib.hasPrefix "systemd-") (eq "user@") (eq "user-runtime-dir@") (eq "nix-daemon") ] name noPred [ (lib.hasPrefix "systemd-") (eq "user@") (eq "user-runtime-dir@") (eq "nix-daemon") ] name
); );
in in
mkIf (osConfig.specialisation != { }) { mkIf (osConfig.specialisation != { }) (
ProtectHome = mkDefault true; {
# NoNewPrivileges = mkIf shouldMakeIntrusive (mkDefault true); # TODO: this one is quite radical ProtectHome = mkDefault true;
PrivateTmp = mkIf shouldMakeIntrusive (mkDefault true); ProtectClock = mkDefault true;
# SystemCallFilter = mkIf shouldMakeIntrusive (mkDefault "@system-service"); # ProtectHostname = mkDefault true;
ProtectClock = mkDefault true; # LockPersonality = mkIf shouldMakeIntrusive (mkDefault true); # UH OH THIS ONE IS ROUGH!
# ProtectKernelLogs = mkIf shouldMakeIntrusive (mkDefault true); }
# SystemCallArchitectures = mkIf shouldMakeIntrusive (mkDefault "native"); // (lib.optionalAttrs shouldMakeIntrusive {
ProtectHostname = mkDefault true; PrivateTmp = mkDefault true;
# LockPersonality = mkDefault true; # NoNewPrivileges = mkIf shouldMakeIntrusive (mkDefault true); # TODO: this one is quite radical
}; # SystemCallFilter = mkIf shouldMakeIntrusive (mkDefault "@system-service");
ProtectKernelLogs = mkIf shouldMakeIntrusive (mkDefault true);
# SystemCallArchitectures = mkIf shouldMakeIntrusive (mkDefault "native");
})
);
} }
) )
); );
@ -54,47 +63,24 @@ in
display-manager.serviceConfig.ProtectHome = "read-only"; display-manager.serviceConfig.ProtectHome = "read-only";
dbus-broker.serviceConfig.ProtectHome = "read-only"; dbus-broker.serviceConfig.ProtectHome = "read-only";
nix-daemon.serviceConfig.ProtectHome = false;
zfs-mount.serviceConfig.PrivateTmp = false; zfs-mount.serviceConfig.PrivateTmp = false;
kmod-static-nodes.serviceConfig.PrivateTmp = false; kmod-static-nodes.serviceConfig.PrivateTmp = false;
mount-pstore.serviceConfig.PrivateTmp = false; mount-pstore.serviceConfig.PrivateTmp = false;
# todo: tpm things # todo: tpm things
# "user@".serviceConfig.PrivateTmp = false; # make sddm happy #polkit.serviceConfig.NoNewPrivileges = false;
# "user-runtime-dir@".serviceConfig.PrivateTmp = false; # make sddm happy #"getty@".serviceConfig.NoNewPrivileges = false;
#"user@".serviceConfig.NoNewPrivileges = false;
polkit.serviceConfig.NoNewPrivileges = false;
"getty@".serviceConfig.NoNewPrivileges = false;
"user@".serviceConfig.NoNewPrivileges = false;
# todo: dbus? # todo: dbus?
NetworkManager.serviceConfig = {
CapabilityBoundingSet = [
""
(lib.concatStringsSep " " [
"cap_net_bind_service"
"cap_net_admin"
"cap_net_raw"
])
];
UMask = "0022";
NoNewPrivileges = true;
RestrictNamespaces = "net uts";
ProtectControlGroups = true;
# PrivateDevices
ProtectKernelModules = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
};
auditd.serviceConfig.ProtectKernelLogs = false; auditd.serviceConfig.ProtectKernelLogs = false;
audit.serviceConfig.ProtectKernelLogs = false; audit.serviceConfig.ProtectKernelLogs = false;
"getty@".serviceConfig.SystemCallFilter = ""; "getty@".serviceConfig.SystemCallFilter = "";
# "user@".serviceConfig.SystemCallFilter = "";
# "user-runtime-dir@".serviceConfig.SystemCallFilter = "";
display-manager.serviceConfig.SystemCallFilter = ""; display-manager.serviceConfig.SystemCallFilter = "";
# nix-daemon.serviceConfig.SystemCallFilter = "";
sshd.serviceConfig.SystemCallFilter = ""; sshd.serviceConfig.SystemCallFilter = "";
rtkit-daemon.serviceConfig.SystemCallFilter = ""; rtkit-daemon.serviceConfig.SystemCallFilter = "";
@ -103,10 +89,6 @@ in
SystemCallFilter = "@system-service @clock"; SystemCallFilter = "@system-service @clock";
}; };
pipewire.serviceConfig = {
LockPersonality = false;
};
save-hwclock.serviceConfig = { save-hwclock.serviceConfig = {
ProtectClock = false; ProtectClock = false;
SystemCallFilter = "@system-service @clock"; SystemCallFilter = "@system-service @clock";
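Review bot: Dropping `nix-daemon.serviceConfig.ProtectHome = false;` is a behavioural change that the hunk does not explain: nix-daemon is excluded from the intrusive defaults by name, but `ProtectHome = mkDefault true` sits outside the `optionalAttrs shouldMakeIntrusive` branch and so now applies to the daemon and every build it spawns, hiding /home, /root and /run/user from them. That is probably fine for ordinary client-uploaded builds, but `--impure` evaluations, `extra-sandbox-paths` pointing into /home, or anything the daemon itself fetches from a user directory should be re-tested, and the exemption deserves a comment either way (`# nix-daemon: ProtectHome intentionally left at default — builds receive sources via the daemon protocol`). In the earlier hunk, `ProtectKernelLogs = mkIf shouldMakeIntrusive (mkDefault true);` is already inside `lib.optionalAttrs shouldMakeIntrusive { … }`, so the inner `mkIf` is redundant and `ProtectKernelLogs = mkDefault true;` reads cleaner; the two commented-out lines beside it carry the same leftover guard. The enclosing `mkOption`/`mkIf` expression begins before this section's first hunk.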


@ -0,0 +1,30 @@
{ lib, config, ... }:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
wpa_supplicant.serviceConfig = {
CapabilityBoundingSet = [
""
(lib.concatStringsSep " " [
"cap_net_bind_service"
"cap_net_admin"
"cap_net_raw"
"cap_net_broadcast"
])
];
NoNewPrivileges = true;
RestrictNamespaces = "net";
ProtectControlGroups = true;
ProtectKernelModules = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
ProtectProc = "invisible";
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
LockPersonality = true;
ProtectHostname=true;
ProcSubset="pid";
ProtectSystem=true;
};
};
}
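Review bot: This profile omits the `PrivateDevices = true` that the NetworkManager unit in the same commit sets, and nothing records why; presumably wpa_supplicant needs a device node such as /dev/rfkill, and a comment like `# PrivateDevices deliberately unset: needs /dev/rfkill — verify` would stop a later pass from "completing" the profile. `RestrictNamespaces = "net"` leaves network-namespace creation allowed, which wpa_supplicant has no evident need for; unless something in this configuration relies on it, `RestrictNamespaces = true;` is the tighter setting. This is the third near-verbatim copy of the same directive set in one commit and the dispatcher copy has already drifted (its UMask), so factoring the shared directives into one attrset in `./default.nix` and merging per-service deltas with `//` would keep them from diverging. Minor: `ProtectHostname=true;`, `ProcSubset="pid";` and `ProtectSystem=true;` lack the spaces around `=` used everywhere else in the file.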


@ -39,6 +39,6 @@
./factorio.nix ./factorio.nix
./ranger.nix ./ranger.nix
# ./ncspot.nix # ./ncspot.nix
./grpcio-tools.nix # ./grpcio-tools.nix
]; ];
} }

result-man Symbolic link

@ -0,0 +1 @@
/nix/store/vb62k4zn31h6angn81biw3avkscjva9s-perl-5.40.0-man
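Review bot: `result-man` is a Nix build-output symlink into /nix/store (a perl man-page output) that has nothing to do with network hardening and looks accidentally committed; it should be removed from the tree and `result*` added to `.gitignore` so `nix build` artefacts cannot land in the repo again. Committed store symlinks are also machine-specific and dangle on any other checkout.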