Price/dots
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Price:57320bc80e75eba88fa4280393b92e5970c49cf5
Branches Tags
Price:Development
Price:main
..
compare: Price:f95b8f164ebd98914c83173037d448d98279183a
Branches Tags
Price:Development
Price:main

No commits in common. "57320bc80e75eba88fa4280393b92e5970c49cf5" and "f95b8f164ebd98914c83173037d448d98279183a" have entirely different histories.
57320bc80e ... f95b8f164e

4 changed files with 9 additions and 52 deletions
Show Stats Expand all files Collapse all files

6
hosts/orion/modules/polkit.nix Normal file
View File

@ -0,0 +1,6 @@
{ ... }:
{
security.polkit = {
enable = true;
};
}

49
hosts/orion/modules/security.nix
View File

@ -1,49 +0,0 @@
{ ... }:
{
security = {
polkit = {
enable = true;
};
sudo.execWheelOnly = true;
auditd.enable = true;
audit = {
enable = true;
rules = [
# Program Executions
"-a exit,always -F arch=b64 -S execve -F key=progexec"
# Home path access/modification
"-a always,exit -F arch=b64 -F dir=/home -F perm=war -F key=homeaccess"
# Kexec usage
"-a always,exit -F arch=b64 -S kexec_load -F key=KEXEC"
# Root directory access/modification
"-a always,exit -F arch=b64 -F dir=/root -F key=roothomeaccess -F perm=war"
# Failed Modifications of critcal paths
"-a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -F key=unauthedfileaccess"
"-a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -F key=unauthedfileaccess"
"-a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -F key=unauthedfileaccess"
"-a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -F key=unauthedfileaccess"
"-a always,exit -F arch=b64 -S open -F dir=/srv -F success=0 -F key=unauthedfileaccess"
"-a always,exit -F arch=b64 -S open -F dir=/boot -F success=0 -F key=unauthedfileaccess"
"-a always,exit -F arch=b64 -S open -F dir=/nix -F success=0 -F key=unauthedfileaccess"
"-a always,exit -F arch=b64 -S open -F dir=/persist -F success=0 -F key=unauthedfileaccess"
# File deletion events by users
"-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -F key=delete"
# Root command executions
"-a always,exit -F arch=b64 -F euid=0 -F auid>=1000 -F auid!=-1 -S execve -F key=rootcmd"
];
};
};
boot.kernel.sysctl = {
"net.ipv4.conf.all.log_martions" = true;
"net.ipv4.conf.all.rp_filter" = 1;
"net.ipv4.conf.default.log_martions" = true;
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.icmp_echo_ignore_broadcasts" = 1;
};
}

1
hosts/orion/os/boot.nix
View File

@ -39,6 +39,7 @@ in
}; };
kernelPackages = pkgs.linuxPackages_latest; kernelPackages = pkgs.linuxPackages_latest;
kernelModules = [ "kvm-intel" ]; kernelModules = [ "kvm-intel" ];
kernelParams = [ "audit=1" ];
extraModulePackages = [ ]; extraModulePackages = [ ];
initrd = { initrd = {
availableKernelModules = [ availableKernelModules = [

1
hosts/orion/os/fs.nix
View File

@ -72,7 +72,6 @@ in
name = "crypted"; name = "crypted";
settings = { settings = {
allowDiscards = true; allowDiscards = true;
bypassWorkqueues = true;
}; };
content = { content = {
type = "btrfs"; type = "btrfs";