diff --git a/modules/hardening.nix b/modules/hardening.nix
new file mode 100644
index 0000000..1a63353
--- /dev/null
+++ b/modules/hardening.nix
@@ -0,0 +1,752 @@
+{ config, lib, pkgs, ... }: {
+ systemd.services.systemd-rfkill = {
+ serviceConfig = {
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ ProtectClock = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ PrivateTmp = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ LockPersonality = true;
+ RestrictRealtime = true;
+ SystemCallFilter = [
+ "write"
+ "read"
+ "openat"
+ "close"
+ "brk"
+ "fstat"
+ "lseek"
+ "mmap"
+ "mprotect"
+ "munmap"
+ "rt_sigaction"
+ "rt_sigprocmask"
+ "ioctl"
+ "nanosleep"
+ "select"
+ "access"
+ "execve"
+ "getuid"
+ "arch_prctl"
+ "set_tid_address"
+ "set_robust_list"
+ "prlimit64"
+ "pread64"
+ "getrandom"
+ ];
+ SystemCallArchitectures = "native";
+ UMask = "0077";
+ IPAddressDeny = "any";
+ };
+ };
+ systemd.services.syslog = {
+ serviceConfig = {
+ PrivateNetwork = true;
+ CapabilityBoundingSet =
+ [ "CAP_DAC_READ_SEARCH" "CAP_SYSLOG" "CAP_NET_BIND_SERVICE" ];
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ ProtectClock = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ PrivateMounts = true;
+ SystemCallArchitectures = "native";
+ MemoryDenyWriteExecute = true;
+ LockPersonality = true;
+ ProtectKernelTunables = true;
+ RestrictRealtime = true;
+ PrivateUsers = true;
+ PrivateTmp = true;
+ UMask = "0077";
+ RestrictNamespace = true;
+ ProtectProc = "invisible";
+ ProtectHome = true;
+ DeviceAllow = false;
+ ProtectSystem = "full";
+ };
+ };
+
+ systemd.services.systemd-journald = {
+ serviceConfig = {
+ UMask = 77;
+ PrivateNetwork = true;
+ ProtectHostname = true;
+ ProtectKernelModules = true;
+ };
+ };
+ systemd.services.auto-cpufreq = {
+ serviceConfig = {
+ CapabilityBoundingSet = "";
+ ProtectSystem = "full";
+ ProtectHome = true;
+ PrivateNetwork = true;
+ IPAddressDeny = "any";
+ NoNewPrivileges = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ ProtectHostname = false;
+ MemoryDenyWriteExecute = true;
+ ProtectClock = true;
+ RestrictNamespaces = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectProc = true;
+ ReadOnlyPaths = [ "/" ];
+ InaccessiblePaths = [ "/home" "/root" "/proc" ];
+ SystemCallFilter = [ "@system-service" ];
+ SystemCallArchitectures = "native";
+ UMask = "0077";
+ };
+ };
+ systemd.services.NetworkManager-dispatcher = {
+ serviceConfig = {
+ ProtectHome = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ ProtectKernelLogs = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ PrivateUsers = true;
+ PrivateDevices = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ LockPersonality = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RestrictAddressFamilies = "AF_INET";
+ RestrictNamespaces = true;
+ SystemCallFilter = [
+ "write"
+ "read"
+ "openat"
+ "close"
+ "brk"
+ "fstat"
+ "lseek"
+ "mmap"
+ "mprotect"
+ "munmap"
+ "rt_sigaction"
+ "rt_sigprocmask"
+ "ioctl"
+ "nanosleep"
+ "select"
+ "access"
+ "execve"
+ "getuid"
+ "arch_prctl"
+ "set_tid_address"
+ "set_robust_list"
+ "prlimit64"
+ "pread64"
+ "getrandom"
+ ];
+ SystemCallArchitectures = "native";
+ UMask = "0077";
+ IPAddressDeny = "any";
+ };
+ };
+ systemd.services.display-manager = {
+ serviceConfig = {
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true; # so we won't need all of this
+ };
+ };
+ systemd.services.emergency = {
+ serviceConfig = {
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ ProtectKernelLogs = true;
+ ProtectClock = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ PrivateTmp = true;
+ PrivateUsers = true;
+ PrivateDevices = true; # Might need adjustment for emergency access
+ PrivateIPC = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ LockPersonality = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RestrictAddressFamilies = "AF_INET";
+ RestrictNamespaces = true;
+ SystemCallFilter = [
+ "write"
+ "read"
+ "openat"
+ "close"
+ "brk"
+ "fstat"
+ "lseek"
+ "mmap"
+ "mprotect"
+ "munmap"
+ "rt_sigaction"
+ "rt_sigprocmask"
+ "ioctl"
+ "nanosleep"
+ "select"
+ "access"
+ "execve"
+ "getuid"
+ "arch_prctl"
+ "set_tid_address"
+ "set_robust_list"
+ "prlimit64"
+ "pread64"
+ "getrandom"
+ ];
+ UMask = "0077";
+ IPAddressDeny = "any";
+ };
+ };
+ systemd.services."getty@tty1" = {
+ serviceConfig = {
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ ProtectKernelLogs = true;
+ ProtectClock = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ PrivateTmp = true;
+ PrivateUsers = true;
+ PrivateDevices = true;
+ PrivateIPC = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ LockPersonality = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RestrictAddressFamilies = "AF_INET";
+ RestrictNamespaces = true;
+ SystemCallFilter = [
+ "write"
+ "read"
+ "openat"
+ "close"
+ "brk"
+ "fstat"
+ "lseek"
+ "mmap"
+ "mprotect"
+ "munmap"
+ "rt_sigaction"
+ "rt_sigprocmask"
+ "ioctl"
+ "nanosleep"
+ "select"
+ "access"
+ "execve"
+ "getuid"
+ "arch_prctl"
+ "set_tid_address"
+ "set_robust_list"
+ "prlimit64"
+ "pread64"
+ "getrandom"
+ ];
+ SystemCallArchitectures = "native";
+ UMask = "0077";
+ IPAddressDeny = "any";
+ };
+ };
+ systemd.services."getty@tty7" = {
+ serviceConfig = {
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ ProtectKernelLogs = true;
+ ProtectClock = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ PrivateTmp = true;
+ PrivateUsers = true;
+ PrivateDevices = true;
+ PrivateIPC = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ LockPersonality = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RestrictAddressFamilies = "AF_INET";
+ RestrictNamespaces = true;
+ SystemCallFilter = [
+ "write"
+ "read"
+ "openat"
+ "close"
+ "brk"
+ "fstat"
+ "lseek"
+ "mmap"
+ "mprotect"
+ "munmap"
+ "rt_sigaction"
+ "rt_sigprocmask"
+ "ioctl"
+ "nanosleep"
+ "select"
+ "access"
+ "execve"
+ "getuid"
+ "arch_prctl"
+ "set_tid_address"
+ "set_robust_list"
+ "prlimit64"
+ "pread64"
+ "getrandom"
+ ];
+ SystemCallArchitectures = "native";
+ UMask = "0077";
+ IPAddressDeny = "any";
+ };
+ };
+ systemd.services.NetworkManager = {
+ serviceConfig = {
+ NoNewPrivileges = true;
+ ProtectClock = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ SystemCallArchitectures = "native";
+ MemoryDenyWriteExecute = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ RestrictNamespaces = true;
+ ProtectKernelTunables = true;
+ ProtectHome = true;
+ PrivateTmp = true;
+ UMask = "0077";
+ };
+ };
+ systemd.services."nixos-rebuild-switch-to-configuration" = {
+ serviceConfig = {
+ ProtectHome = true;
+ NoNewPrivileges = true; # Prevent gaining new privileges
+ };
+ };
+ systemd.services."dbus" = {
+ serviceConfig = {
+ PrivateTmp = true;
+ PrivateNetwork = true;
+ ProtectSystem = "full";
+ ProtectHome = true;
+ SystemCallFilter =
+ "~@clock @cpu-emulation @module @mount @obsolete @raw-io @reboot @swap";
+ ProtectKernelTunables = true;
+ NoNewPrivileges = true;
+ CapabilityBoundingSet = [
+ "~CAP_SYS_TIME"
+ "~CAP_SYS_PACCT"
+ "~CAP_KILL"
+ "~CAP_WAKE_ALARM"
+ "~CAP_SYS_BOOT"
+ "~CAP_SYS_CHROOT"
+ "~CAP_LEASE"
+ "~CAP_MKNOD"
+ "~CAP_NET_ADMIN"
+ "~CAP_SYS_ADMIN"
+ "~CAP_SYSLOG"
+ "~CAP_NET_BIND_SERVICE"
+ "~CAP_NET_BROADCAST"
+ "~CAP_AUDIT_WRITE"
+ "~CAP_AUDIT_CONTROL"
+ "~CAP_SYS_RAWIO"
+ "~CAP_SYS_NICE"
+ "~CAP_SYS_RESOURCE"
+ "~CAP_SYS_TTY_CONFIG"
+ "~CAP_SYS_MODULE"
+ "~CAP_IPC_LOCK"
+ "~CAP_LINUX_IMMUTABLE"
+ "~CAP_BLOCK_SUSPEND"
+ "~CAP_MAC_*"
+ "~CAP_DAC_*"
+ "~CAP_FOWNER"
+ "~CAP_IPC_OWNER"
+ "~CAP_SYS_PTRACE"
+ "~CAP_SETUID"
+ "~CAP_SETGID"
+ "~CAP_SETPCAP"
+ "~CAP_FSETID"
+ "~CAP_SETFCAP"
+ "~CAP_CHOWN"
+ ];
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ MemoryDenyWriteExecute = true;
+ RestrictAddressFamilies = [ "~AF_PACKET" "~AF_NETLINK" ];
+ ProtectHostname = true;
+ LockPersonality = true;
+ RestrictRealtime = true;
+ PrivateUsers = true;
+ };
+ };
+ systemd.services.nix-daemon = {
+ serviceConfig = {
+ ProtectHome = true;
+ PrivateUsers = false;
+ };
+ };
+ systemd.services.reload-systemd-vconsole-setup = {
+ serviceConfig = {
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ ProtectKernelLogs = true;
+ ProtectClock = true;
+ PrivateUsers = true;
+ PrivateDevices = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ LockPersonality = true;
+ RestrictRealtime = true;
+ RestrictNamespaces = true;
+ UMask = "0077";
+ IPAddressDeny = "any";
+ };
+ };
+ systemd.services.rescue = {
+ serviceConfig = {
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ ProtectKernelLogs = true;
+ ProtectClock = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ PrivateTmp = true;
+ PrivateUsers = true;
+ PrivateDevices = true; # Might need adjustment for rescue operations
+ PrivateIPC = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ LockPersonality = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RestrictAddressFamilies =
+ "AF_INET AF_INET6"; # Networking might be necessary in rescue mode
+ RestrictNamespaces = true;
+ SystemCallFilter = [
+ "write"
+ "read"
+ "openat"
+ "close"
+ "brk"
+ "fstat"
+ "lseek"
+ "mmap"
+ "mprotect"
+ "munmap"
+ "rt_sigaction"
+ "rt_sigprocmask"
+ "ioctl"
+ "nanosleep"
+ "select"
+ "access"
+ "execve"
+ "getuid"
+ "arch_prctl"
+ "set_tid_address"
+ "set_robust_list"
+ "prlimit64"
+ "pread64"
+ "getrandom"
+ ];
+ SystemCallArchitectures = "native";
+ UMask = "0077";
+ IPAddressDeny =
+ "any"; # May need to be relaxed for network troubleshooting in rescue mode
+ };
+ };
+ systemd.services."systemd-ask-password-console" = {
+ serviceConfig = {
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ ProtectKernelLogs = true;
+ ProtectClock = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ PrivateTmp = true;
+ PrivateUsers = true;
+ PrivateDevices = true; # May need adjustment for console access
+ PrivateIPC = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ LockPersonality = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RestrictAddressFamilies = "AF_INET AF_INET6";
+ RestrictNamespaces = true;
+ SystemCallFilter = [ "@system-service" ]; # A more permissive filter
+ SystemCallArchitectures = "native";
+ UMask = "0077";
+ IPAddressDeny = "any";
+ };
+ };
+ systemd.services."systemd-ask-password-wall" = {
+ serviceConfig = {
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ ProtectKernelLogs = true;
+ ProtectClock = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ PrivateTmp = true;
+ PrivateUsers = true;
+ PrivateDevices = true;
+ PrivateIPC = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ LockPersonality = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RestrictAddressFamilies = "AF_INET AF_INET6";
+ RestrictNamespaces = true;
+ SystemCallFilter = [ "@system-service" ]; # A more permissive filter
+ SystemCallArchitectures = "native";
+ UMask = "0077";
+ IPAddressDeny = "any";
+ };
+ };
+ systemd.services.thermald = {
+ serviceConfig = {
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectKernelTunables = true; # Necessary for adjusting cooling policies
+ ProtectKernelModules = true; # May need adjustment for module control
+ ProtectControlGroups = true;
+ ProtectKernelLogs = true;
+ ProtectClock = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ PrivateTmp = true;
+ PrivateUsers = true;
+ PrivateDevices = true; # May require access to specific hardware devices
+ PrivateIPC = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ LockPersonality = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ CapabilityBoundingSet = "";
+ RestrictNamespaces = true;
+ SystemCallFilter = [ "@system-service" ];
+ SystemCallArchitectures = "native";
+ UMask = "0077";
+ IPAddressDeny = "any";
+ DeviceAllow = [ ];
+ RestrictAddressFamilies = [ ];
+ };
+ };
+ systemd.services."user@1000" = {
+ serviceConfig = {
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ ProtectKernelLogs = true;
+ ProtectClock = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ PrivateTmp = true;
+ PrivateUsers = true; # Be cautious, as this may restrict user operations
+ PrivateDevices = true;
+ PrivateIPC = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ LockPersonality = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RestrictAddressFamilies = "AF_INET AF_INET6";
+ RestrictNamespaces = true;
+ SystemCallFilter = [ "@system-service" ]; # Adjust based on user needs
+ SystemCallArchitectures = "native";
+ UMask = "0077";
+ IPAddressDeny = "any";
+ };
+ };
+ systemd.services.virtlockd = {
+ serviceConfig = {
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ ProtectKernelLogs = true;
+ ProtectClock = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ PrivateTmp = true;
+ PrivateUsers = true;
+ PrivateDevices = true; # May need adjustment for accessing VM resources
+ PrivateIPC = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ LockPersonality = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RestrictAddressFamilies = "AF_INET AF_INET6";
+ RestrictNamespaces = true;
+ SystemCallFilter = [ "@system-service" ]; # Adjust as necessary
+ SystemCallArchitectures = "native";
+ UMask = "0077";
+ IPAddressDeny = "any"; # May need adjustment for network operations
+ };
+ };
+ systemd.services.virtlogd = {
+ serviceConfig = {
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ ProtectKernelLogs = true;
+ ProtectClock = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ PrivateTmp = true;
+ PrivateUsers = true;
+ PrivateDevices = true; # May need adjustment for accessing VM logs
+ PrivateIPC = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ LockPersonality = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RestrictAddressFamilies = "AF_INET AF_INET6";
+ RestrictNamespaces = true;
+ SystemCallFilter =
+ [ "@system-service" ]; # Adjust based on log management needs
+ SystemCallArchitectures = "native";
+ UMask = "0077";
+ IPAddressDeny =
+ "any"; # May need to be relaxed for network-based log collection
+ };
+ };
+ systemd.services.virtlxcd = {
+ serviceConfig = {
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectKernelTunables = true; # Necessary for container management
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ ProtectKernelLogs = true;
+ ProtectClock = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ PrivateTmp = true;
+ PrivateUsers =
+ true; # Be cautious, might need adjustment for container user management
+ PrivateDevices = true; # Containers might require broader device access
+ PrivateIPC = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ LockPersonality = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RestrictAddressFamilies =
+ "AF_INET AF_INET6"; # Necessary for networked containers
+ RestrictNamespaces = true;
+ SystemCallFilter =
+ [ "@system-service" ]; # Adjust based on container operations
+ SystemCallArchitectures = "native";
+ UMask = "0077";
+ IPAddressDeny = "any"; # May need to be relaxed for network functionality
+ };
+ };
+ systemd.services.virtqemud = {
+ serviceConfig = {
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectKernelTunables = true; # Necessary for VM management
+ ProtectKernelModules =
+ true; # May need adjustment for VM hardware emulation
+ ProtectControlGroups = true;
+ ProtectKernelLogs = true;
+ ProtectClock = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ PrivateTmp = true;
+ PrivateUsers =
+ true; # Be cautious, might need adjustment for VM user management
+ PrivateDevices = true; # VMs might require broader device access
+ PrivateIPC = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ LockPersonality = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RestrictAddressFamilies =
+ "AF_INET AF_INET6"; # Necessary for networked VMs
+ RestrictNamespaces = true;
+ SystemCallFilter = [ "@system-service" ]; # Adjust based on VM operations
+ SystemCallArchitectures = "native";
+ UMask = "0077";
+ IPAddressDeny = "any"; # May need to be relaxed for network functionality
+ };
+ };
+ systemd.services.virtvboxd = {
+ serviceConfig = {
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectKernelTunables = true; # Required for some VM management tasks
+ ProtectKernelModules = true; # May need adjustment for module handling
+ ProtectControlGroups = true;
+ ProtectKernelLogs = true;
+ ProtectClock = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ PrivateTmp = true;
+ PrivateUsers =
+ true; # Be cautious, might need adjustment for VM user management
+ PrivateDevices = true; # VMs may require access to certain devices
+ PrivateIPC = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ LockPersonality = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RestrictAddressFamilies =
+ "AF_INET AF_INET6"; # Necessary for networked VMs
+ RestrictNamespaces = true;
+ SystemCallFilter = [ "@system-service" ]; # Adjust based on VM operations
+ SystemCallArchitectures = "native";
+ UMask = "0077";
+ IPAddressDeny = "any"; # May need to be relaxed for network functionality
+ };
+ };
+}
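Review bot: The hand-written SystemCallFilter allowlists on systemd-rfkill, NetworkManager-dispatcher, emergency, rescue and the two getty units omit syscalls that practically every glibc program issues (exit_group, rt_sigreturn, newfstatat, futex, clone/clone3, wait4, setsid, dup2, and for agetty/login chown and vhangup), and since systemd's default action for an allowlist violation is to kill the process with SIGSYS these units will most likely die at start. On emergency, rescue and the getty units this is compounded by `PrivateDevices = true` (the private /dev does not carry /dev/tty1) and `PrivateUsers = true` (login cannot switch to a UID that is not mapped in the unit's user namespace), which locks the operator out of both the console and the last-resort shells that a hardening module must leave reachable; I would drop the seccomp, PrivateDevices and PrivateUsers lines from those units, or at least tune with `SystemCallFilter = [ "@system-service" ]; SystemCallErrorNumber = "EPERM";` and check the result with `systemd-analyze security` before switching. Two lines are silently no-ops rather than protections: `RestrictNamespace = true;` in the syslog block is a misspelling that systemd reports as an unknown key and ignores (it should read `RestrictNamespaces = true;`), and `ProtectProc = true;` in auto-cpufreq is not a valid value for that option (it takes noaccess/invisible/ptraceable/default) and is ignored on parse failure; likewise the empty `DeviceAllow = [ ];` and `RestrictAddressFamilies = [ ];` in thermald emit no directive at all, and `DeviceAllow = false;` in syslog is not a device specification, so verify with `systemctl show` what actually lands in the unit. The user@1000 block applies `IPAddressDeny = "any"`, `ProtectHome = true`, `PrivateUsers = true` and `MemoryDenyWriteExecute = true` to the cgroup and namespaces of the whole user session, which as far as I can tell cuts the user's network, home directory and every JIT-using program — that looks unintended and deserves a note in the file explaining the intent, or removal.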