improve getty coverage

2025-01-11 14:41:03 +01:00 · 2025-01-11 14:41:03 +01:00 · dbbe60d0d2
commit dbbe60d0d2
parent 8e5f867252
5 changed files with 54 additions and 9 deletions
--- a/hardening/opensnitch/default.nix
+++ b/hardening/opensnitch/default.nix
@ -46,8 +46,10 @@ in
    networking.nftables.enable = true;

    # security.audit.enable = true;
-    systemd.services.opensnitchd.path = lib.optional (config.services.opensnitch.settings.ProcMonitorMethod == "audit") pkgs.audit.bin;
-    
+    systemd.services.opensnitchd.path = lib.optional (
+      config.services.opensnitch.settings.ProcMonitorMethod == "audit"
+    ) pkgs.audit.bin;
+
    services.opensnitch = {
      enable = true;
      settings = {
--- a/hardening/systemd/global/default.nix
+++ b/hardening/systemd/global/default.nix
@ -2,5 +2,6 @@
  imports = [
    ./hostname.nix
    ./clock.nix
+    ./realtime.nix
  ];
 }
--- a/hardening/systemd/global/realtime.nix
+++ b/hardening/systemd/global/realtime.nix
@ -0,0 +1,27 @@
+{ lib, config, ... }:
+let
+  inherit (lib) mkDefault types mkIf;
+in
+{
+  options.systemd.services = lib.mkOption {
+    type =
+      let
+        osConfig = config;
+      in
+      types.attrsOf (
+        lib.types.submodule {
+          config.serviceConfig = mkIf (osConfig.specialisation != { }) {
+            RestrictRealtime = mkDefault true;
+          };
+        }
+
+      );
+  };
+
+  config = mkIf (config.specialisation != { }) {
+
+    systemd.services = {
+      rtkit-daemon.serviceConfig.RestrictRealtime = false;
+    };
+  };
+}
--- a/hardening/systemd/tty.nix
+++ b/hardening/systemd/tty.nix
@ -3,16 +3,32 @@
  config.systemd.services = lib.mkIf (config.specialisation != { }) {
    "getty@".serviceConfig = {

-      #CapabilityBoundingSet =[
-      #  "CAP_SYS_TTY_CONFIGCAP_LEASE"
-      #];
+      CapabilityBoundingSet = [
+        "CAP_CHOWN"
+        "CAP_FOWNER"
+        "CAP_FSETID"
+        "CAP_SETGID"
+        "CAP_SETUID"
+        "CAP_SYS_NICE"
+        "CAP_SYS_RESOURCE"
+        "CAP_SYS_TTY_CONFIG"
+      ];

      # NoNewPrivileges = true;
-      RestrictNamespaces = "pid";
+
+      RestrictNamespaces = [
+        "~pid"
+        "~user"
+        "~net"
+        "~uts"
+        "~mnt"
+        "~cgroup"
+        "~ipc"
+      ];

      ProtectControlGroups = true;
      ProtectHome = false;
-      ProtectClock = false;
+      #      ProtectClock = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      MemoryDenyWriteExecute = true;
@ -20,7 +36,6 @@
      SystemCallArchitectures = "native";
      SystemCallFilter = lib.mkForce "@system-service";
      LockPersonality = true;
-      #RestrictRealtime=true;
      ProtectProc = "invisible";

      # PrivateUsers=true;
--- a/specific/grimm-nixos-ssd/configuration.nix
+++ b/specific/grimm-nixos-ssd/configuration.nix
@ -30,7 +30,7 @@
  grimmShared = {
    tooling = {
      enable = true;
-#      pass = true;
+      #      pass = true;
    };
    gaming = true;
    portals = true;