feat(hosts/orion): improve security options

2024-09-27 02:36:09 -05:00 · 2024-09-27 02:36:09 -05:00 · 24ae20c854
commit 24ae20c854
parent f95b8f164e
3 changed files with 50 additions and 8 deletions
--- a/hosts/orion/modules/polkit.nix
+++ b/hosts/orion/modules/polkit.nix
@ -1,6 +0,0 @@
-{ ... }:
-{
-  security.polkit = {
-    enable = true;
-  };
-}
--- a/hosts/orion/modules/security.nix
+++ b/hosts/orion/modules/security.nix
@ -0,0 +1,49 @@
+{ ... }:
+{
+  security = {
+    polkit = {
+      enable = true;
+    };
+    sudo.execWheelOnly = true;
+    auditd.enable = true;
+    audit = {
+      enable = true;
+      rules = [
+        # Program Executions
+        "-a exit,always -F arch=b64 -S execve -F key=progexec"
+
+        # Home path access/modification
+        "-a always,exit -F arch=b64 -F dir=/home -F perm=war -F key=homeaccess"
+
+        # Kexec usage
+        "-a always,exit -F arch=b64 -S kexec_load -F key=KEXEC"
+
+        # Root directory access/modification
+        "-a always,exit -F arch=b64 -F dir=/root -F key=roothomeaccess -F perm=war"
+
+        # Failed Modifications of critcal paths
+        "-a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -F key=unauthedfileaccess"
+        "-a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -F key=unauthedfileaccess"
+        "-a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -F key=unauthedfileaccess"
+        "-a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -F key=unauthedfileaccess"
+        "-a always,exit -F arch=b64 -S open -F dir=/srv -F success=0 -F key=unauthedfileaccess"
+        "-a always,exit -F arch=b64 -S open -F dir=/boot -F success=0 -F key=unauthedfileaccess"
+        "-a always,exit -F arch=b64 -S open -F dir=/nix -F success=0 -F key=unauthedfileaccess"
+        "-a always,exit -F arch=b64 -S open -F dir=/persist -F success=0 -F key=unauthedfileaccess"
+
+        # File deletion events by users
+        "-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -F key=delete"
+
+        # Root command executions
+        "-a always,exit -F arch=b64 -F euid=0 -F auid>=1000 -F auid!=-1 -S execve -F key=rootcmd"
+      ];
+    };
+  };
+  boot.kernel.sysctl = {
+    "net.ipv4.conf.all.log_martions" = true;
+    "net.ipv4.conf.all.rp_filter" = 1;
+    "net.ipv4.conf.default.log_martions" = true;
+    "net.ipv4.conf.default.rp_filter" = 1;
+    "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
+  };
+}
--- a/hosts/orion/os/boot.nix
+++ b/hosts/orion/os/boot.nix
@ -39,7 +39,6 @@ in
    };
    kernelPackages = pkgs.linuxPackages_latest;
    kernelModules = [ "kvm-intel" ];
-    kernelParams = [ "audit=1" ];
    extraModulePackages = [ ];
    initrd = {
      availableKernelModules = [
@ -56,4 +55,4 @@ in
      };
    };
  };
-}
+}