improve getty coverage

Grimmauld 2025-01-11 14:41:03 +01:00
parent 8e5f867252
commit dbbe60d0d2
No known key found for this signature in database
5 changed files with 54 additions and 9 deletions


@ -46,7 +46,9 @@ in
networking.nftables.enable = true; networking.nftables.enable = true;
# security.audit.enable = true; # security.audit.enable = true;
systemd.services.opensnitchd.path = lib.optional (config.services.opensnitch.settings.ProcMonitorMethod == "audit") pkgs.audit.bin; systemd.services.opensnitchd.path = lib.optional (
config.services.opensnitch.settings.ProcMonitorMethod == "audit"
) pkgs.audit.bin;
services.opensnitch = { services.opensnitch = {
enable = true; enable = true;


@ -2,5 +2,6 @@
imports = [ imports = [
./hostname.nix ./hostname.nix
./clock.nix ./clock.nix
./realtime.nix
]; ];
} }


@ -0,0 +1,27 @@
{ lib, config, ... }:
let
inherit (lib) mkDefault types mkIf;
in
{
options.systemd.services = lib.mkOption {
type =
let
osConfig = config;
in
types.attrsOf (
lib.types.submodule {
config.serviceConfig = mkIf (osConfig.specialisation != { }) {
RestrictRealtime = mkDefault true;
};
}
);
};
config = mkIf (config.specialisation != { }) {
systemd.services = {
rtkit-daemon.serviceConfig.RestrictRealtime = false;
};
};
}
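Review bot: The `config.specialisation != { }` gate on both the submodule default and the rtkit exemption is not explained anywhere in this new file, and neither is why rtkit-daemon alone is exempt, so a reader cannot tell whether the hardened settings apply to the base system or to a specialisation (as I read it, they apply to the base build only when specialisations are defined, and are absent inside each specialisation). With RestrictRealtime on, a service that asks for SCHED_FIFO/SCHED_RR gets EPERM rather than being killed, so a missed exemption surfaces only as degraded behaviour in a log, if at all; it is worth grepping the other services on this host for realtime users before relying on the `mkDefault` alone. I would add at the top of the module: `# Default RestrictRealtime=true for every system service on the hardened build (only when specialisations exist, i.e. not inside one); per-service overrides still win because of mkDefault.` and above the rtkit line: `# rtkit-daemon presumably requests realtime priority on behalf of other processes and must keep it itself.`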


@ -3,16 +3,32 @@
config.systemd.services = lib.mkIf (config.specialisation != { }) { config.systemd.services = lib.mkIf (config.specialisation != { }) {
"getty@".serviceConfig = { "getty@".serviceConfig = {
#CapabilityBoundingSet =[ CapabilityBoundingSet = [
# "CAP_SYS_TTY_CONFIGCAP_LEASE" "CAP_CHOWN"
#]; "CAP_FOWNER"
"CAP_FSETID"
"CAP_SETGID"
"CAP_SETUID"
"CAP_SYS_NICE"
"CAP_SYS_RESOURCE"
"CAP_SYS_TTY_CONFIG"
];
# NoNewPrivileges = true; # NoNewPrivileges = true;
RestrictNamespaces = "pid";
RestrictNamespaces = [
"~pid"
"~user"
"~net"
"~uts"
"~mnt"
"~cgroup"
"~ipc"
];
ProtectControlGroups = true; ProtectControlGroups = true;
ProtectHome = false; ProtectHome = false;
ProtectClock = false; # ProtectClock = true;
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
@ -20,7 +36,6 @@
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = lib.mkForce "@system-service"; SystemCallFilter = lib.mkForce "@system-service";
LockPersonality = true; LockPersonality = true;
#RestrictRealtime=true;
ProtectProc = "invisible"; ProtectProc = "invisible";
# PrivateUsers=true; # PrivateUsers=true;
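Review bot: The new `CapabilityBoundingSet`, `RestrictNamespaces` list, `SystemCallFilter` and `MemoryDenyWriteExecute` on `getty@` are inherited by the whole console session (login, the user's shell, every child, and root shells reached via `su`/`sudo`), yet nothing in the block says so, so the first person whose `sudo mount` or `ip link` fails with EPERM on a VT has no pointer to this file. Console root is left without CAP_SYS_ADMIN, CAP_NET_ADMIN, CAP_DAC_OVERRIDE and CAP_KILL, and `~user` also denies unprivileged user namespaces, so sandboxes such as bwrap/Flatpak presumably stop working for tty logins; please confirm that scope is intended for the default profile, since the specialisation gate suggests the unhardened specialisation is the recovery path. The seven `~` entries deny every namespace type systemd recognises (except `time`, where the systemd version has it), so the list reads like `RestrictNamespaces = true`; if full denial is the intent that spelling is clearer than the list. I would add above `CapabilityBoundingSet`: `# Inherited by the entire tty login session (login -> shell -> su/sudo): console root has no CAP_SYS_ADMIN/NET_ADMIN/DAC_OVERRIDE; boot the unhardened specialisation for recovery.` The `"getty@".serviceConfig` attrset continues past the end of the hunk.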


@ -30,7 +30,7 @@
grimmShared = { grimmShared = {
tooling = { tooling = {
enable = true; enable = true;
# pass = true; # pass = true;
}; };
gaming = true; gaming = true;
portals = true; portals = true;