System hardening

2023-09-18 21:45:32 +00:00 · 2023-09-18 21:45:32 +00:00 · cb2b785688
commit cb2b785688
parent f8845321fe
8 changed files with 81 additions and 51 deletions
--- a/hosts/aluminium/hardware-configuration.nix
+++ b/hosts/aluminium/hardware-configuration.nix
@ -59,33 +59,32 @@
    bootloader = "grub2";
  };

-  fileSystems."/" =
-    {
+  fileSystems = {
+    "/" = {
      device = "/dev/disk/by-uuid/2c5b0de0-c55f-4327-bd60-1aee6c8ae234";
      fsType = "btrfs";
      options = [ "subvol=root" ];
    };
-
-  fileSystems."/home" =
-    {
+    "/proc" = {
+      device = "/proc";
+      options = [ "nosuid" "noexec" "nodev" "hidepid=2" ];
+    };
+    "/home" = {
      device = "/dev/disk/by-uuid/2c5b0de0-c55f-4327-bd60-1aee6c8ae234";
      fsType = "btrfs";
-      options = [ "subvol=home" ];
+      options = [ "subvol=home" "nodev" "nosuid" ];
    };
-
-  fileSystems."/nix" =
-    {
+    "/nix" = {
      device = "/dev/disk/by-uuid/2c5b0de0-c55f-4327-bd60-1aee6c8ae234";
      fsType = "btrfs";
-      options = [ "subvol=nix" ];
+      options = [ "subvol=nix" "nodev" ];
    };
-
-  fileSystems."/boot" =
-    {
+    "/boot" = {
      device = "/dev/disk/by-uuid/695df89b-948d-4659-8f57-335e8b25a8c5";
      fsType = "ext2";
+      options = [ "nodev" "nosuid" "noexec" ];
    };
-
+  };
  swapDevices = [ ];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
--- a/hosts/cadmium/hardware-configuration.nix
+++ b/hosts/cadmium/hardware-configuration.nix
@ -42,11 +42,13 @@
    "/boot" = {
      device = "/dev/disk/by-uuid/D384-54D8";
      fsType = "vfat";
+      options = [ "nodev" "nosuid" "noexec" ];
    };
    "/home" = {
      device = "/dev/disk/by-uuid/f14ae966-ac3f-467f-9263-ba9136967782";
      fsType = "ext4";
      noCheck = true;
+      options = [ "nodev" "nosuid" ];
    };
  };

--- a/hosts/hafnium/hardware-configuration.nix
+++ b/hosts/hafnium/hardware-configuration.nix
@ -33,6 +33,7 @@
    "/boot" = {
      device = "/dev/disk/by-uuid/564E-26B4";
      fsType = "vfat";
+      options = [ "nodev" "nosuid" "noexec" ];
    };
  };

--- a/hosts/iron/configuration.nix
+++ b/hosts/iron/configuration.nix
@ -152,31 +152,37 @@ with lib; {
      ];
    };

-    fileSystems = mkMerge (mapAttrsToList
-      (dataset: mountpoint: {
-        "${mountpoint}" = {
-          device = "${dataset}";
-          fsType = "zfs";
-          options = [ "X-mount.mkdir" "noatime" ];
-          neededForBoot = true;
-        };
-      })
-      datasets ++ map
-      (esp: {
-        "/boot/efis/${esp}" = {
-          device = "${devNodes}/${esp}";
-          fsType = "vfat";
-          options = [
-            "x-systemd.idle-timeout=1min"
-            "x-systemd.automount"
-            "noauto"
-            "nofail"
-            "noatime"
-            "X-mount.mkdir"
-          ];
-        };
-      })
-      efiSystemPartitions);
+    fileSystems = mkMerge
+      (mapAttrsToList
+        (dataset: mountpoint: {
+          "${mountpoint}" = {
+            device = "${dataset}";
+            fsType = "zfs";
+            options = [ "X-mount.mkdir" "noatime" ];
+            neededForBoot = true;
+          };
+        })
+        datasets ++ map
+        (esp: {
+          "/boot/efis/${esp}" = {
+            device = "${devNodes}/${esp}";
+            fsType = "vfat";
+            options = [
+              "x-systemd.idle-timeout=1min"
+              "x-systemd.automount"
+              "noauto"
+              "nofail"
+              "noatime"
+              "X-mount.mkdir"
+            ];
+          };
+        })
+        efiSystemPartitions) // {
+      "/proc" = {
+        device = "/proc";
+        options = [ "nosuid" "noexec" "nodev" "hidepid=2" ];
+      };
+    };

    hardware.enableRedistributableFirmware = true;

--- a/hosts/jalr-t520/hardware-configuration.nix
+++ b/hosts/jalr-t520/hardware-configuration.nix
@ -39,6 +39,7 @@
    "/boot" = {
      device = "/dev/disk/by-uuid/c4df83d7-8985-47df-b5cd-bf18bd490a50";
      fsType = "ext2";
+      options = [ "nodev" "nosuid" "noexec" ];
    };
  };

--- a/hosts/magnesium/hardware-configuration.nix
+++ b/hosts/magnesium/hardware-configuration.nix
@ -11,8 +11,8 @@
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];

-  fileSystems."/" =
-    {
+  fileSystems = {
+    "/" = {
      device = "/dev/disk/by-uuid/45dcac99-1f65-48ab-b5bf-8a1507f0b75a";
      fsType = "btrfs";
      options = [
@ -20,33 +20,36 @@
        "compress=zstd"
      ];
    };
-
-  fileSystems."/home" =
-    {
+    "/proc" = {
+      device = "/proc";
+      options = [ "nosuid" "noexec" "nodev" "hidepid=2" ];
+    };
+    "/home" = {
      device = "/dev/disk/by-uuid/45dcac99-1f65-48ab-b5bf-8a1507f0b75a";
      fsType = "btrfs";
      options = [
        "subvol=home"
        "compress=zstd"
+        "nodev"
+        "nosuid"
      ];
    };
-
-  fileSystems."/nix" =
-    {
+    "/nix" = {
      device = "/dev/disk/by-uuid/45dcac99-1f65-48ab-b5bf-8a1507f0b75a";
      fsType = "btrfs";
      options = [
        "subvol=nix"
        "compress=zstd"
        "noatime"
+        "nodev"
      ];
    };
-
-  fileSystems."/boot" =
-    {
+    "/boot" = {
      device = "/dev/disk/by-uuid/7836-0C48";
      fsType = "vfat";
+      options = [ "nodev" "nosuid" "noexec" ];
    };
+  };

  swapDevices = [ ];

--- a/hosts/weinturm-pretix-prod/hardware-configuration.nix
+++ b/hosts/weinturm-pretix-prod/hardware-configuration.nix
@ -16,12 +16,18 @@
        "compress=zstd"
      ];
    };
+    "/proc" = {
+      device = "/proc";
+      options = [ "nosuid" "noexec" "nodev" "hidepid=2" ];
+    };
    "/home" = {
      device = "/dev/disk/by-uuid/766739e7-2c5c-4c28-b6ee-4bf9f91e6b1f";
      fsType = "btrfs";
      options = [
        "subvol=home"
        "compress=zstd"
+        "nodev"
+        "nosuid"
      ];
    };
    "/nix" = {
@ -31,11 +37,13 @@
        "subvol=nix"
        "compress=zstd"
        "noatime"
+        "nodev"
      ];
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/A586-15AC";
      fsType = "vfat";
+      options = [ "nodev" "nosuid" "noexec" ];
    };
  };

--- a/modules/default.nix
+++ b/modules/default.nix
@ -43,7 +43,17 @@
  ];

  config = {
-    boot.tmp.cleanOnBoot = true;
+    boot = {
+      tmp.cleanOnBoot = true;
+      kernel.sysctl = {
+        "kernel.kptr_restrict" = 1;
+        "kernel.yama.ptrace_scope" = 1;
+        "kernel.kexec_load_disabled" = 1;
+      };
+      kernelParams = [
+        "lockdown=integrity"
+      ];
+    };

    security.polkit.enable = true;