systemd network hardening

This commit is contained in:
Grimmauld 2025-01-05 13:27:12 +01:00
parent 35c4b42d3e
commit d6c70f5ae2
No known key found for this signature in database
9 changed files with 146 additions and 180 deletions


@ -20,7 +20,7 @@
nvd
vulnix
nix-init
inputs.nixpkgs-update.packages."${system}".default
# inputs.nixpkgs-update.packages."${system}".default
];
environment.sessionVariables =


@ -140,11 +140,11 @@
]
},
"locked": {
"lastModified": 1735566338,
"narHash": "sha256-9sYGJZCGeb11WBVsE2u0gwuTk8LpbOgnrJvyDbHpOoY=",
"lastModified": 1735943654,
"narHash": "sha256-rXmcRRQfXXYAKOa5IXlrMISTwgScA2Dx04JpONXRA+Q=",
"owner": "chaotic-cx",
"repo": "nyx",
"rev": "446ad45313df3dbc93ad9e9d8dd6d094b16f6fb4",
"rev": "5edcf7fb24c73ff9665f299461af33fa6171836f",
"type": "github"
},
"original": {
@ -342,11 +342,11 @@
]
},
"locked": {
"lastModified": 1734622215,
"narHash": "sha256-OOfI0XhSJGHblfdNDhfnn8QnZxng63rWk9eeJ2tCbiI=",
"lastModified": 1735774425,
"narHash": "sha256-C73gLFnEh8ZI0uDijUgCDWCd21T6I6tsaWgIBHcfAXg=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "1395379a7a36e40f2a76e7b9936cc52950baa1be",
"rev": "5f6aa268e419d053c3d5025da740e390b12ac936",
"type": "github"
},
"original": {
@ -362,10 +362,10 @@
]
},
"locked": {
"dirtyRev": "35b98d20ca8f4ca1f6a2c30b8a2c8bb305a36d84-dirty",
"dirtyShortRev": "35b98d20-dirty",
"lastModified": 1735053786,
"narHash": "sha256-HOjO2DoyhxGy0nA1Bk816WjsHKtOACVKVtkjHo4CbXI=",
"dirtyRev": "0d7908bd09165db6699908b7e3970f137327cbf0-dirty",
"dirtyShortRev": "0d7908bd-dirty",
"lastModified": 1736013363,
"narHash": "sha256-1UN8758BA6XDgte9AfHu5fZ35zqVPPq3GGuca3JJOZU=",
"type": "git",
"url": "file:///home/grimmauld/coding/home-manager"
},
@ -396,28 +396,6 @@
"type": "github"
}
},
"mmdoc": {
"inputs": {
"nixpkgs": [
"nixpkgs-update",
"nixpkgs"
],
"systems": "systems_4"
},
"locked": {
"lastModified": 1710694589,
"narHash": "sha256-5wa+Jzxr+LygoxSZuZg0YU81jgdnx2IY/CqDIJMOgec=",
"owner": "ryantm",
"repo": "mmdoc",
"rev": "b6ddf748b1d1c01ca582bb1b3dafd6bc3a4c83a6",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "mmdoc",
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
@ -514,11 +492,11 @@
]
},
"locked": {
"lastModified": 1727410897,
"narHash": "sha256-tWsyxvf421ieWUJYgjV7m1eTdr2ZkO3vId7vmtvfFpQ=",
"lastModified": 1735857245,
"narHash": "sha256-AKLLPrgXTxgzll3DqVUMa4QlPlRN3QceutgFBmEf8Nk=",
"owner": "dali99",
"repo": "nixos-matrix-modules",
"rev": "ff787d410cba17882cd7b6e2e22cc88d4064193c",
"rev": "da9dc0479ffe22362793c87dc089035facf6ec4d",
"type": "github"
},
"original": {
@ -529,16 +507,16 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1735801820,
"narHash": "sha256-tOAdzu1ck58BA3hZItecyqrhe2fdoQgJiWm4iyUyhgc=",
"lastModified": 1735834308,
"narHash": "sha256-dklw3AXr3OGO4/XT1Tu3Xz9n/we8GctZZ75ZWVqAVhk=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3da6bd3e69891c1e20bbf083a1c8738d6c814060",
"rev": "6df24922a1400241dae323af55f30e4318a6ca65",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable-small",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
@ -574,41 +552,6 @@
"type": "github"
}
},
"nixpkgs-update": {
"inputs": {
"mmdoc": "mmdoc",
"nixpkgs": "nixpkgs_2",
"runtimeDeps": "runtimeDeps",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1734559477,
"narHash": "sha256-Jwvow0ri+ZgCdP6jpNQVjxub14Pxs1kyjvDV3BbvNzE=",
"owner": "nix-community",
"repo": "nixpkgs-update",
"rev": "7f089591e8f595011323c8a7370b195fa3dfe0b7",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs-update",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1672428209,
"narHash": "sha256-eejhqkDz2cb2vc5VeaWphJz8UXNuoNoM8/Op8eWv2tQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "293a28df6d7ff3dec1e61e37cc4ee6e6c0fb0847",
"type": "github"
},
"original": {
"id": "nixpkgs",
"type": "indirect"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat",
@ -643,24 +586,7 @@
"home-manager": "home-manager_3",
"nixos-mailserver": "nixos-mailserver",
"nixos-matrix-modules": "nixos-matrix-modules",
"nixpkgs": "nixpkgs",
"nixpkgs-update": "nixpkgs-update"
}
},
"runtimeDeps": {
"locked": {
"lastModified": 1714247354,
"narHash": "sha256-6dFKqP/aCKIdpOgqgIQUrRT0NOfVc14ftNcdELa4Pu4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c8d7c8a78fb516c0842cc65346506a565c88014d",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
"nixpkgs": "nixpkgs"
}
},
"rust-overlay": {
@ -749,42 +675,6 @@
"repo": "default",
"type": "github"
}
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs-update",
"nixpkgs"
]
},
"locked": {
"lastModified": 1711963903,
"narHash": "sha256-N3QDhoaX+paWXHbEXZapqd1r95mdshxToGowtjtYkGI=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "49dc4a92b02b8e68798abd99184f228243b6e3ac",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
}
},
"root": "root",


@ -3,7 +3,7 @@
inputs = {
nixpkgs = {
url = "github:NixOS/nixpkgs/nixos-unstable-small";
url = "github:NixOS/nixpkgs/nixos-unstable";
# url = "git+file:///home/grimmauld/coding/nixpkgs";
};
chaotic = {
@ -32,10 +32,10 @@
url = "github:LordGrimmauld/aa-alias-manager";
inputs.nixpkgs.follows = "nixpkgs";
};
nixpkgs-update = {
url = "github:nix-community/nixpkgs-update";
# inputs.nixpkgs.follows = "nixpkgs";
};
# nixpkgs-update = {
# url = "github:nix-community/nixpkgs-update";
# # inputs.nixpkgs.follows = "nixpkgs";
# };
apparmor-dev = {
url = "github:LordGrimmauld/apparmor-dev";
inputs.nixpkgs.follows = "nixpkgs";
@ -60,7 +60,7 @@
nixos-mailserver,
nixos-matrix-modules,
aa-alias-manager,
nixpkgs-update,
# nixpkgs-update,
apparmor-dev,
home-manager,
...


@ -1,7 +1,7 @@
{ lib, config, ... }:
{
imports = [
# ./systemd.nix
./systemd
./ssh-as-sudo.nix
];


@ -0,0 +1,63 @@
{ lib, config, ... }:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
NetworkManager.serviceConfig = {
CapabilityBoundingSet = [
""
(lib.concatStringsSep " " [
"cap_net_bind_service"
"cap_net_admin"
"cap_net_raw"
])
];
NoNewPrivileges = true;
RestrictNamespaces = "net uts";
ProtectControlGroups = true;
ProtectKernelModules = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
ProtectProc = "invisible";
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
PrivateDevices = true;
LockPersonality = true;
# PrivateUsers = true; # BAD
# ProtectKernelTunables = true; # BAD
ProtectHostname=true;
ProcSubset="pid";
ProtectSystem=true;
};
NetworkManager-dispatcher.serviceConfig = {
CapabilityBoundingSet = [
""
(lib.concatStringsSep " " [
"cap_net_bind_service"
"cap_net_admin"
"cap_net_raw"
])
];
UMask = "0700";
NoNewPrivileges = true;
RestrictNamespaces = "net uts";
ProtectControlGroups = true;
ProtectKernelModules = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
ProtectProc = "invisible";
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
PrivateDevices = true;
LockPersonality = true;
# PrivateUsers = true; # BAD
# ProtectKernelTunables = true; # BAD
ProtectHostname=true;
ProcSubset="pid";
ProtectSystem=true;
};
};
}
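Review bot: `UMask = "0700";` on NetworkManager-dispatcher is most likely inverted: a umask clears the permission bits it names, so 0700 strips owner access from every file the dispatcher scripts create while leaving group and other bits in place; the restrictive value is `UMask = "0077";`. `ProtectSystem=true;` (here and in wpa_supplicant.nix) is the weakest level of that directive, making only /usr and the boot loader paths read-only; `ProtectSystem = "strict";` plus `ReadWritePaths` for the state the daemon actually writes (/var/lib/NetworkManager and however resolv.conf is managed on this host, which the hunk does not show) would cover /etc and /var as well. `PrivateDevices = true;` on NetworkManager itself deserves a test of software rfkill toggling, which as far as I recall NetworkManager performs by writing to /dev/rfkill, a node PrivateDevices= does not provide. The two service blocks are copies of each other and wpa_supplicant.nix repeats most of them; a shared `let hardening = { ... }; in` attrset would stop them drifting, and the unspaced `ProtectHostname=true;`, `ProcSubset="pid";` and `ProtectSystem=true;` lines should follow the `key = value;` spacing used everywhere else in the file.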


@ -12,6 +12,11 @@ let
noPred (lib.tail preds) x;
in
{
imports = [
./NetworkManager.nix
./wpa_supplicant.nix
];
options.systemd.services = lib.mkOption {
type =
let
@ -27,17 +32,21 @@ in
noPred [ (lib.hasPrefix "systemd-") (eq "user@") (eq "user-runtime-dir@") (eq "nix-daemon") ] name
);
in
mkIf (osConfig.specialisation != { }) {
ProtectHome = mkDefault true;
# NoNewPrivileges = mkIf shouldMakeIntrusive (mkDefault true); # TODO: this one is quite radical
PrivateTmp = mkIf shouldMakeIntrusive (mkDefault true);
# SystemCallFilter = mkIf shouldMakeIntrusive (mkDefault "@system-service");
ProtectClock = mkDefault true;
# ProtectKernelLogs = mkIf shouldMakeIntrusive (mkDefault true);
# SystemCallArchitectures = mkIf shouldMakeIntrusive (mkDefault "native");
ProtectHostname = mkDefault true;
# LockPersonality = mkDefault true;
};
mkIf (osConfig.specialisation != { }) (
{
ProtectHome = mkDefault true;
ProtectClock = mkDefault true;
# ProtectHostname = mkDefault true;
# LockPersonality = mkIf shouldMakeIntrusive (mkDefault true); # UH OH THIS ONE IS ROUGH!
}
// (lib.optionalAttrs shouldMakeIntrusive {
PrivateTmp = mkDefault true;
# NoNewPrivileges = mkIf shouldMakeIntrusive (mkDefault true); # TODO: this one is quite radical
# SystemCallFilter = mkIf shouldMakeIntrusive (mkDefault "@system-service");
ProtectKernelLogs = mkIf shouldMakeIntrusive (mkDefault true);
# SystemCallArchitectures = mkIf shouldMakeIntrusive (mkDefault "native");
})
);
}
)
);
@ -54,47 +63,24 @@ in
display-manager.serviceConfig.ProtectHome = "read-only";
dbus-broker.serviceConfig.ProtectHome = "read-only";
nix-daemon.serviceConfig.ProtectHome = false;
zfs-mount.serviceConfig.PrivateTmp = false;
kmod-static-nodes.serviceConfig.PrivateTmp = false;
mount-pstore.serviceConfig.PrivateTmp = false;
# todo: tpm things
# "user@".serviceConfig.PrivateTmp = false; # make sddm happy
# "user-runtime-dir@".serviceConfig.PrivateTmp = false; # make sddm happy
polkit.serviceConfig.NoNewPrivileges = false;
"getty@".serviceConfig.NoNewPrivileges = false;
"user@".serviceConfig.NoNewPrivileges = false;
#polkit.serviceConfig.NoNewPrivileges = false;
#"getty@".serviceConfig.NoNewPrivileges = false;
#"user@".serviceConfig.NoNewPrivileges = false;
# todo: dbus?
NetworkManager.serviceConfig = {
CapabilityBoundingSet = [
""
(lib.concatStringsSep " " [
"cap_net_bind_service"
"cap_net_admin"
"cap_net_raw"
])
];
UMask = "0022";
NoNewPrivileges = true;
RestrictNamespaces = "net uts";
ProtectControlGroups = true;
# PrivateDevices
ProtectKernelModules = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
};
auditd.serviceConfig.ProtectKernelLogs = false;
audit.serviceConfig.ProtectKernelLogs = false;
"getty@".serviceConfig.SystemCallFilter = "";
# "user@".serviceConfig.SystemCallFilter = "";
# "user-runtime-dir@".serviceConfig.SystemCallFilter = "";
display-manager.serviceConfig.SystemCallFilter = "";
# nix-daemon.serviceConfig.SystemCallFilter = "";
sshd.serviceConfig.SystemCallFilter = "";
rtkit-daemon.serviceConfig.SystemCallFilter = "";
@ -103,10 +89,6 @@ in
SystemCallFilter = "@system-service @clock";
};
pipewire.serviceConfig = {
LockPersonality = false;
};
save-hwclock.serviceConfig = {
ProtectClock = false;
SystemCallFilter = "@system-service @clock";
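Review bot: `ProtectKernelLogs = mkIf shouldMakeIntrusive (mkDefault true);` inside the new `lib.optionalAttrs shouldMakeIntrusive { ... }` block re-tests the condition the enclosing optionalAttrs has already decided, so `ProtectKernelLogs = mkDefault true;` is equivalent and clearer (the commented-out NoNewPrivileges, SystemCallFilter and SystemCallArchitectures lines carry the same redundancy). The `ProtectHostname = mkDefault true;` default that previously applied to every matched service is now commented out without a reason, and only NetworkManager and wpa_supplicant set it explicitly in this commit; either re-enable it or record what broke, `# ProtectHostname: off because <service> …`, so the regression is not silent. In the third hunk the three `NoNewPrivileges = false` overrides are left behind as comments while NoNewPrivileges is also disabled in the defaults; if they are no longer needed, deleting them reads better than commenting them out. The attribute set being edited is the body of the `options.systemd.services` type definition, which begins before the second hunk, so the surrounding function is not visible here.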


@ -0,0 +1,30 @@
{ lib, config, ... }:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
wpa_supplicant.serviceConfig = {
CapabilityBoundingSet = [
""
(lib.concatStringsSep " " [
"cap_net_bind_service"
"cap_net_admin"
"cap_net_raw"
"cap_net_broadcast"
])
];
NoNewPrivileges = true;
RestrictNamespaces = "net";
ProtectControlGroups = true;
ProtectKernelModules = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
ProtectProc = "invisible";
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
LockPersonality = true;
ProtectHostname=true;
ProcSubset="pid";
ProtectSystem=true;
};
};
}
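Review bot: The capability set and syscall filter are in place but there is no `RestrictAddressFamilies`, so the service keeps every socket family even though wpa_supplicant needs only a handful (AF_NETLINK for nl80211, AF_PACKET for EAPOL frames, AF_UNIX for its control interface, AF_INET for the interface ioctls it issues); `RestrictAddressFamilies = "AF_UNIX AF_NETLINK AF_PACKET AF_INET AF_INET6";` is a starting point, to be narrowed after a test against this host's setup. Unlike NetworkManager.nix this block leaves out `PrivateDevices`; if that is because wpa_supplicant opens /dev/rfkill (as its rfkill.c does, as far as I recall), a one-line comment such as `# no PrivateDevices: wpa_supplicant opens /dev/rfkill` would keep a later cleanup from adding it back. `ProtectHostname=true;`, `ProcSubset="pid";` and `ProtectSystem=true;` drop the `key = value;` spacing the rest of the file uses.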


@ -39,6 +39,6 @@
./factorio.nix
./ranger.nix
# ./ncspot.nix
./grpcio-tools.nix
# ./grpcio-tools.nix
];
}

result-man Symbolic link

@ -0,0 +1 @@
/nix/store/vb62k4zn31h6angn81biw3avkscjva9s-perl-5.40.0-man
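Review bot: The added `result-man` symlink pointing into /nix/store looks like a stray `nix build` output rather than part of the configuration; its `perl-5.40.0-man` target has no connection to the systemd hardening this commit is about. It should be removed in a follow-up and a `result*` pattern added to .gitignore so build outputs are not picked up again, which also keeps the build host's exact store paths out of version control.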