security options update

- use icons for jailed firefox and chromium from icon pack - users options set to default in all VMs - KASLR option removed as it is by default enabled in kernel - sysrq disabled only in release build - fail2ban enabled in net-vm only Signed-off-by: Ganga Ram <[email protected]>
tiiuae · Jun 14, 2024 · 74afc89 · 74afc89
1 parent a5ffa7b
commit 74afc89
Show file tree

Hide file tree

Showing 10 changed files with 12 additions and 58 deletions.
diff --git a/assets/icons/png/chromium.png b/assets/icons/png/chromium.png
diff --git a/assets/icons/png/firefox.png b/assets/icons/png/firefox.png
diff --git a/modules/common/security/firejail/default.nix b/modules/common/security/firejail/default.nix
@@ -39,7 +39,7 @@ in {
   };
 
   ## Enable Firejail sandboxing
-  config = {
+  config = lib.mkIf cfg.enable {
     ghaf.graphics = lib.mkIf config.ghaf.profiles.graphics.enable {
       demo-apps = lib.mkMerge [
         (lib.mkIf cfg.apps.firefox.enable {
@@ -52,18 +52,18 @@ in {
 
       launchers =
         lib.optional cfg.apps.firefox.enable {
-          name = "firefox-safe";
+          name = "Firefox-safe";
           path = "/run/current-system/sw/bin/firefox";
-          icon = "${../../../assets/icons/png/firefox.png}";
+          icon = "${pkgs.icon-pack}/firefox.svg";
         }
         ++ lib.optional cfg.apps.chromium.enable {
-          name = "chromium";
+          name = "Chromium-safe";
           path = "/run/current-system/sw/bin/chromium";
-          icon = "${../../../assets/icons/png/chromium.png}";
+          icon = "${pkgs.icon-pack}/chromium.svg";
         };
     };
 
-    programs.firejail = lib.mkIf cfg.enable {
+    programs.firejail = {
       enable = true;
       wrappedBinaries = {
         # Firefox profile

diff --git a/modules/common/security/system.nix b/modules/common/security/system.nix
@@ -16,7 +16,7 @@ in {
             Enforce Strong password for each user.
           '';
           type = lib.types.bool;
-          default = false;
+          default = true;
         };
 
         min-passwd-len = lib.mkOption {
@@ -28,14 +28,6 @@ in {
         };
       };
 
-      encrypt_home.enable = lib.mkOption {
-        description = ''
-          Enable encryption of user's data stored in 'Home' directory.
-        '';
-        type = lib.types.bool;
-        default = false;
-      };
-
       root.enable = lib.mkOption {
         description = ''
           Disable root login.
@@ -123,16 +115,6 @@ in {
           type = lib.types.bool;
           default = false;
         };
-        enableASLR = lib.mkOption {
-          description = ''
-            Randomize user virtual address space. It disrupts the
-            predictability of memory layouts and makes it harder for
-            attackers to exploit memory related vulnerabilities.
-            May slightly impact performance, may increase boot time.
-          '';
-          type = lib.types.bool;
-          default = false;
-        };
         randomizePageFreeList = lib.mkOption {
           description = ''
             Randomize free memory pages managed by the page allocator.
@@ -167,7 +149,7 @@ in {
 
       # There is no possible string to hash to just “!”
       users.users.root = lib.mkIf (!cfg.users.root.enable) {
-        hashedPassword = lib.mkForce "!";
+        shell = "${pkgs.shadow}/bin/nologin";
       };
 
       # Enforce strong password
@@ -187,9 +169,6 @@ in {
             '';
           };
         };
-
-        # Encrypt user's data stored in 'Home' directory
-        enableFscrypt = cfg.users.encrypt_home.enable;
       };
 
       ## sudo administartion
@@ -249,9 +228,6 @@ in {
         # Disable ftrace
         "kernel.ftrace_enabled" = lib.mkDefault false;
 
-        # Randomize address space including heap
-        "kernel.randomize_va_space" = lib.mkIf (cfg.system-security.misc.enableASLR || cfg.system-security.misc.enable-all) (lib.mkForce 2);
-
         # Restrict core dump
         "fs.suid_dumpable" = lib.mkForce 0;
 
@@ -262,7 +238,7 @@ in {
         "vm.unprivileged_userfaultfd" = lib.mkForce 0;
 
         # Disable SysRq key
-        "kernel.sysrq" = lib.mkForce 0;
+        "kernel.sysrq" = lib.mkIf config.ghaf.profiles.release.enable (lib.mkForce 0);
 
         # Disable loading of line descipline kernel module of TTY device
         # The line descipline module provides an interface between the low-level driver handling a TTY device
@@ -271,7 +247,7 @@ in {
 
         # This will avoid unintentional writes to an attacker-controlled FIFO/Regular file.
         # Extend the restriction to group sticky directories
-        "fs.protected_fifos" = lib.mkForce 0;
+        "fs.protected_fifos" = lib.mkForce 2;
         "fs.protected_regular" = lib.mkForce 2;
 
         # Allow only root to access perf events
@@ -310,7 +286,8 @@ in {
       boot.kernelParams =
         [
           # Fill freed pages and heap objects with zeroes
-          "init_memory=0"
+          "init_on_free=1"
+          "init_on_alloc=1"
 
           # Panic on any uncorrectable errors through the machine check exception system
           "mce=0"

diff --git a/modules/microvm/virtualization/microvm/adminvm.nix b/modules/microvm/virtualization/microvm/adminvm.nix
@@ -33,14 +33,10 @@
             withDebug = configHost.ghaf.profiles.debug.enable;
           };
           security = {
-            users.strong-password.enable = true;
-            users.root.enable = false;
-            users.sudo.enable = true;
             system-security.enable = true;
             system-security.lock-kernel-modules = lib.mkDefault configHost.ghaf.profiles.release.enable;
             network.ipsecurity.enable = true;
             network.bpf-access-level = lib.mkForce 1; # Provide BPF access to privileged users
-            fail2ban.enable = true;
           };
         };
 

diff --git a/modules/microvm/virtualization/microvm/appvm.nix b/modules/microvm/virtualization/microvm/appvm.nix
@@ -66,14 +66,10 @@
               withHardenedConfigs = true;
             };
             security = {
-              users.strong-password.enable = true;
-              users.root.enable = false;
-              users.sudo.enable = true;
               system-security.enable = true;
               system-security.lock-kernel-modules = lib.mkDefault configHost.ghaf.profiles.release.enable;
               network.ipsecurity.enable = true;
               network.bpf-access-level = lib.mkForce 1; # Provide BPF access to privileged users
-              fail2ban.enable = true;
             };
           };
 

diff --git a/modules/microvm/virtualization/microvm/audiovm.nix b/modules/microvm/virtualization/microvm/audiovm.nix
@@ -39,14 +39,10 @@
           };
           services.audio.enable = true;
           security = {
-            users.strong-password.enable = true;
-            users.root.enable = false;
-            users.sudo.enable = true;
             system-security.enable = true;
             system-security.lock-kernel-modules = lib.mkDefault configHost.ghaf.profiles.release.enable;
             network.ipsecurity.enable = true;
             network.bpf-access-level = lib.mkForce 1; # Provide BPF access to privileged users
-            fail2ban.enable = true;
           };
         };
 

diff --git a/modules/microvm/virtualization/microvm/guivm.nix b/modules/microvm/virtualization/microvm/guivm.nix
@@ -47,14 +47,10 @@
           };
 
           security = {
-            users.strong-password.enable = true;
-            users.root.enable = false;
-            users.sudo.enable = true;
             system-security.enable = true;
             system-security.lock-kernel-modules = lib.mkDefault configHost.ghaf.profiles.release.enable;
             network.ipsecurity.enable = true;
             network.bpf-access-level = lib.mkForce 1; # Provide BPF access to privileged users
-            fail2ban.enable = true;
           };
         };
 

diff --git a/modules/microvm/virtualization/microvm/microvm-host.nix b/modules/microvm/virtualization/microvm/microvm-host.nix
@@ -33,14 +33,10 @@ in {
         withHardenedConfigs = true;
       };
       security = {
-        users.strong-password.enable = true;
-        users.root.enable = false;
-        users.sudo.enable = true;
         system-security.enable = true;
         system-security.lock-kernel-modules = lib.mkDefault config.ghaf.profiles.release.enable;
         network.ipsecurity.enable = true;
         network.bpf-access-level = lib.mkForce 1; # Provide BPF access to privileged users
-        fail2ban.enable = true;
       };
     };
 

diff --git a/modules/microvm/virtualization/microvm/netvm.nix b/modules/microvm/virtualization/microvm/netvm.nix
@@ -44,9 +44,6 @@
             withHardenedConfigs = true;
           };
           security = {
-            users.strong-password.enable = true;
-            users.root.enable = false;
-            users.sudo.enable = true;
             system-security.enable = true;
             system-security.lock-kernel-modules = lib.mkDefault configHost.ghaf.profiles.release.enable;
             network.ipsecurity.enable = true;