feat(hosts/orion): improve security options
This commit is contained in:
parent
f95b8f164e
commit
24ae20c854
@ -1,6 +0,0 @@
|
||||
{ ... }:
|
||||
{
|
||||
security.polkit = {
|
||||
enable = true;
|
||||
};
|
||||
}
|
49
hosts/orion/modules/security.nix
Normal file
49
hosts/orion/modules/security.nix
Normal file
@ -0,0 +1,49 @@
|
||||
{ ... }:
|
||||
{
|
||||
security = {
|
||||
polkit = {
|
||||
enable = true;
|
||||
};
|
||||
sudo.execWheelOnly = true;
|
||||
auditd.enable = true;
|
||||
audit = {
|
||||
enable = true;
|
||||
rules = [
|
||||
# Program Executions
|
||||
"-a exit,always -F arch=b64 -S execve -F key=progexec"
|
||||
|
||||
# Home path access/modification
|
||||
"-a always,exit -F arch=b64 -F dir=/home -F perm=war -F key=homeaccess"
|
||||
|
||||
# Kexec usage
|
||||
"-a always,exit -F arch=b64 -S kexec_load -F key=KEXEC"
|
||||
|
||||
# Root directory access/modification
|
||||
"-a always,exit -F arch=b64 -F dir=/root -F key=roothomeaccess -F perm=war"
|
||||
|
||||
# Failed Modifications of critcal paths
|
||||
"-a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -F key=unauthedfileaccess"
|
||||
"-a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -F key=unauthedfileaccess"
|
||||
"-a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -F key=unauthedfileaccess"
|
||||
"-a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -F key=unauthedfileaccess"
|
||||
"-a always,exit -F arch=b64 -S open -F dir=/srv -F success=0 -F key=unauthedfileaccess"
|
||||
"-a always,exit -F arch=b64 -S open -F dir=/boot -F success=0 -F key=unauthedfileaccess"
|
||||
"-a always,exit -F arch=b64 -S open -F dir=/nix -F success=0 -F key=unauthedfileaccess"
|
||||
"-a always,exit -F arch=b64 -S open -F dir=/persist -F success=0 -F key=unauthedfileaccess"
|
||||
|
||||
# File deletion events by users
|
||||
"-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -F key=delete"
|
||||
|
||||
# Root command executions
|
||||
"-a always,exit -F arch=b64 -F euid=0 -F auid>=1000 -F auid!=-1 -S execve -F key=rootcmd"
|
||||
];
|
||||
};
|
||||
};
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv4.conf.all.log_martions" = true;
|
||||
"net.ipv4.conf.all.rp_filter" = 1;
|
||||
"net.ipv4.conf.default.log_martions" = true;
|
||||
"net.ipv4.conf.default.rp_filter" = 1;
|
||||
"net.ipv4.icmp_echo_ignore_broadcasts" = 1;
|
||||
};
|
||||
}
|
@ -39,7 +39,6 @@ in
|
||||
};
|
||||
kernelPackages = pkgs.linuxPackages_latest;
|
||||
kernelModules = [ "kvm-intel" ];
|
||||
kernelParams = [ "audit=1" ];
|
||||
extraModulePackages = [ ];
|
||||
initrd = {
|
||||
availableKernelModules = [
|
||||
|
Loading…
Reference in New Issue
Block a user