From cb2b7856889238bdb92a617b7d5629f60a8df5f7 Mon Sep 17 00:00:00 2001
From: Jakob Lechner
Date: Mon, 18 Sep 2023 21:45:32 +0000
Subject: [PATCH] System hardening
---
 hosts/aluminium/hardware-configuration.nix | 27 +++++----
 hosts/cadmium/hardware-configuration.nix | 2 +
 hosts/hafnium/hardware-configuration.nix | 1 +
 hosts/iron/configuration.nix | 56 ++++++++++---------
 hosts/jalr-t520/hardware-configuration.nix | 1 +
 hosts/magnesium/hardware-configuration.nix | 25 +++++----
 .../hardware-configuration.nix | 8 +++
 modules/default.nix | 12 +++-
 8 files changed, 81 insertions(+), 51 deletions(-)
diff --git a/hosts/aluminium/hardware-configuration.nix b/hosts/aluminium/hardware-configuration.nix
index dcdb4c2..f146835 100644
--- a/hosts/aluminium/hardware-configuration.nix
+++ b/hosts/aluminium/hardware-configuration.nix
@@ -59,33 +59,32 @@ bootloader = "grub2"; }; - fileSystems."/" = - { + fileSystems = { + "/" = { device = "/dev/disk/by-uuid/2c5b0de0-c55f-4327-bd60-1aee6c8ae234"; fsType = "btrfs"; options = [ "subvol=root" ]; }; - - fileSystems."/home" = - { + "/proc" = { + device = "/proc"; + options = [ "nosuid" "noexec" "nodev" "hidepid=2" ]; + }; + "/home" = { device = "/dev/disk/by-uuid/2c5b0de0-c55f-4327-bd60-1aee6c8ae234"; fsType = "btrfs"; - options = [ "subvol=home" ]; + options = [ "subvol=home" "nodev" "nosuid" ]; }; - - fileSystems."/nix" = - { + "/nix" = { device = "/dev/disk/by-uuid/2c5b0de0-c55f-4327-bd60-1aee6c8ae234"; fsType = "btrfs"; - options = [ "subvol=nix" ]; + options = [ "subvol=nix" "nodev" ]; }; - - fileSystems."/boot" = - { + "/boot" = { device = "/dev/disk/by-uuid/695df89b-948d-4659-8f57-335e8b25a8c5"; fsType = "ext2"; + options = [ "nodev" "nosuid" "noexec" ]; }; - + }; swapDevices = [ ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
diff --git a/hosts/cadmium/hardware-configuration.nix b/hosts/cadmium/hardware-configuration.nix
index ba6a7f2..1a85863 100644
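Review bot: The new `"/proc"` entry gives `device = "/proc"` but no `fsType`, so it inherits the NixOS default of `auto`, and mount cannot detect procfs from a path that is not a block device — it should read `device = "proc"; fsType = "proc";` (the same entry recurs in hosts/iron/configuration.nix, hosts/magnesium/hardware-configuration.nix and hosts/weinturm-pretix-prod/hardware-configuration.nix). Because systemd has already mounted /proc by the time generated mount units run, the unit may also be treated as already active without a remount, so confirm on a rebooted host with `findmnt -o OPTIONS /proc` that `hidepid=2` is really in effect. `hidepid=2` hides other users' processes from unprivileged services as well, which is known to trip systemd-logind unless it is exempted via a `gid=` option and a matching supplementary group; that deserves a comment on the entry. Since NixOS serves setuid and capability-bearing binaries from /run/wrappers rather than the store, `/nix` could most likely carry `nosuid` next to the new `nodev` — verify on one host first.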
--- a/hosts/cadmium/hardware-configuration.nix
+++ b/hosts/cadmium/hardware-configuration.nix
@@ -42,11 +42,13 @@ "/boot" = { device = "/dev/disk/by-uuid/D384-54D8"; fsType = "vfat"; + options = [ "nodev" "nosuid" "noexec" ]; }; "/home" = { device = "/dev/disk/by-uuid/f14ae966-ac3f-467f-9263-ba9136967782"; fsType = "ext4"; noCheck = true; + options = [ "nodev" "nosuid" ]; }; };
diff --git a/hosts/hafnium/hardware-configuration.nix b/hosts/hafnium/hardware-configuration.nix
index a9bc65c..5e2c719 100644
--- a/hosts/hafnium/hardware-configuration.nix
+++ b/hosts/hafnium/hardware-configuration.nix
@@ -33,6 +33,7 @@ "/boot" = { device = "/dev/disk/by-uuid/564E-26B4"; fsType = "vfat"; + options = [ "nodev" "nosuid" "noexec" ]; }; };
diff --git a/hosts/iron/configuration.nix b/hosts/iron/configuration.nix
index 44f26e8..c13e729 100644
--- a/hosts/iron/configuration.nix
+++ b/hosts/iron/configuration.nix
@@ -152,31 +152,37 @@ with lib; { ]; }; - fileSystems = mkMerge (mapAttrsToList - (dataset: mountpoint: { - "${mountpoint}" = { - device = "${dataset}"; - fsType = "zfs"; - options = [ "X-mount.mkdir" "noatime" ]; - neededForBoot = true; - }; - }) - datasets ++ map - (esp: { - "/boot/efis/${esp}" = { - device = "${devNodes}/${esp}"; - fsType = "vfat"; - options = [ - "x-systemd.idle-timeout=1min" - "x-systemd.automount" - "noauto" - "nofail" - "noatime" - "X-mount.mkdir" - ]; - }; - }) - efiSystemPartitions); + fileSystems = mkMerge + (mapAttrsToList + (dataset: mountpoint: { + "${mountpoint}" = { + device = "${dataset}"; + fsType = "zfs"; + options = [ "X-mount.mkdir" "noatime" ]; + neededForBoot = true; + }; + }) + datasets ++ map + (esp: { + "/boot/efis/${esp}" = { + device = "${devNodes}/${esp}"; + fsType = "vfat"; + options = [ + "x-systemd.idle-timeout=1min" + "x-systemd.automount" + "noauto" + "nofail" + "noatime" + "X-mount.mkdir" + ]; + }; + }) + efiSystemPartitions) // { + "/proc" = { + device = "/proc"; + options = [ "nosuid" "noexec" "nodev" "hidepid=2" ]; + }; + }; hardware.enableRedistributableFirmware = true;
diff --git a/hosts/jalr-t520/hardware-configuration.nix b/hosts/jalr-t520/hardware-configuration.nix
index b744c59..7de2199 100644
--- a/hosts/jalr-t520/hardware-configuration.nix
+++ b/hosts/jalr-t520/hardware-configuration.nix
@@ -39,6 +39,7 @@ "/boot" = { device = "/dev/disk/by-uuid/c4df83d7-8985-47df-b5cd-bf18bd490a50"; fsType = "ext2"; + options = [ "nodev" "nosuid" "noexec" ]; }; };
diff --git a/hosts/magnesium/hardware-configuration.nix b/hosts/magnesium/hardware-configuration.nix
index b4eba9e..2c6ccd7 100644
--- a/hosts/magnesium/hardware-configuration.nix
+++ b/hosts/magnesium/hardware-configuration.nix
@@ -11,8 +11,8 @@ boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { + fileSystems = { + "/" = { device = "/dev/disk/by-uuid/45dcac99-1f65-48ab-b5bf-8a1507f0b75a"; fsType = "btrfs"; options = [
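Review bot: The `"/proc"` entry appended with `//` at the end of `fileSystems` is, as far as I can tell, silently discarded: `mkMerge (…)` evaluates to the module system's `{ _type = "merge"; contents = […]; }` marker, `// { "/proc" = …; }` merely adds an attribute to that marker, and option merging only reads `contents`, so the extra key is never seen. Put it in the merged list instead: change `efiSystemPartitions) // {` to `efiSystemPartitions ++ [ {` and the final `};` to `} ]);`, leaving the `"/proc" = { … };` body between them. The entry should also state `device = "proc"; fsType = "proc";` instead of `device = "/proc"` with the default `auto` type. The enclosing `with lib; {` attribute set starts and ends outside the hunk; evaluating `config.fileSystems."/proc"` for this host shows whether the entry is actually present.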
@@ -20,33 +20,36 @@ "compress=zstd" ]; }; - - fileSystems."/home" = - { + "/proc" = { + device = "/proc"; + options = [ "nosuid" "noexec" "nodev" "hidepid=2" ]; + }; + "/home" = { device = "/dev/disk/by-uuid/45dcac99-1f65-48ab-b5bf-8a1507f0b75a"; fsType = "btrfs"; options = [ "subvol=home" "compress=zstd" + "nodev" + "nosuid" ]; }; - - fileSystems."/nix" = - { + "/nix" = { device = "/dev/disk/by-uuid/45dcac99-1f65-48ab-b5bf-8a1507f0b75a"; fsType = "btrfs"; options = [ "subvol=nix" "compress=zstd" "noatime" + "nodev" ]; }; - - fileSystems."/boot" = - { + "/boot" = { device = "/dev/disk/by-uuid/7836-0C48"; fsType = "vfat"; + options = [ "nodev" "nosuid" "noexec" ]; }; + }; swapDevices = [ ];
diff --git a/hosts/weinturm-pretix-prod/hardware-configuration.nix b/hosts/weinturm-pretix-prod/hardware-configuration.nix
index c96eb20..ba13c46 100644
--- a/hosts/weinturm-pretix-prod/hardware-configuration.nix
+++ b/hosts/weinturm-pretix-prod/hardware-configuration.nix
@@ -16,12 +16,18 @@ "compress=zstd" ]; }; + "/proc" = { + device = "/proc"; + options = [ "nosuid" "noexec" "nodev" "hidepid=2" ]; + }; "/home" = { device = "/dev/disk/by-uuid/766739e7-2c5c-4c28-b6ee-4bf9f91e6b1f"; fsType = "btrfs"; options = [ "subvol=home" "compress=zstd" + "nodev" + "nosuid" ]; }; "/nix" = {
@@ -31,11 +37,13 @@ "subvol=nix" "compress=zstd" "noatime" + "nodev" ]; }; "/boot" = { device = "/dev/disk/by-uuid/A586-15AC"; fsType = "vfat"; + options = [ "nodev" "nosuid" "noexec" ]; }; };
diff --git a/modules/default.nix b/modules/default.nix
index 732071f..567bfcb 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -43,7 +43,17 @@ ]; config = { - boot.tmp.cleanOnBoot = true; + boot = { + tmp.cleanOnBoot = true; + kernel.sysctl = { + "kernel.kptr_restrict" = 1; + "kernel.yama.ptrace_scope" = 1; + "kernel.kexec_load_disabled" = 1; + }; + kernelParams = [ + "lockdown=integrity" + ]; + }; security.polkit.enable = true;
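Review bot: `lockdown=integrity` on the `kernelParams` line is silently ignored on a kernel built without the lockdown LSM in its LSM list, and where it does apply my understanding is that it also refuses unsigned kernel modules on kernels that have module signature checking compiled in — neither case is visible from this hunk, so verify on a single host with `cat /sys/kernel/security/lockdown` and a `modprobe` of something from `boot.extraModulePackages` before it lands on every machine. `"kernel.kexec_load_disabled" = 1` is a one-way latch that stays set until reboot; a short why-comment such as `# one-way latch: blocks kexec until next boot` next to it would save the next reader a lookup. Given that `kernel.kptr_restrict = 1` is there to stop kernel address leaks, `"kernel.dmesg_restrict" = 1;` closes the adjacent channel and belongs in the same `kernel.sysctl` block. The enclosing `config = {` set continues past the hunk.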