systemd service hardening

Signed-off-by: Ganga Ram <[email protected]>

docs/src/ref_impl/development.md

@@ -15,6 +15,7 @@ The scope of target support is updated with development progress:
 * [Cross-Compilation](./cross_compilation.md)
 * [Creating Application VM](./creating_appvm.md)
 * [labwc Desktop Environment](./labwc.md)
+* [Systemd Service Hardening](./systemd-service-config.md)
 
 Once you are up and running, you can participate in the collaborative development process by building a development build with additional options. For example, with the development username and password that are defined in [accounts.nix](https://github.com/tiiuae/ghaf/blob/main/modules/common/users/accounts.nix).
 

modules/common/systemd/default.nix

@@ -4,6 +4,6 @@
   imports = [
     ./base.nix
     ./boot.nix
-    # TODO hardened configs
+    ./harden.nix
   ];
 }

modules/common/systemd/harden.nix

@@ -0,0 +1,48 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+  config,
+  lib,
+  ...
+}: let
+  # Ghaf systemd config
+  cfg = config.ghaf.systemd;
+  apply-service-configs = configs-dir: {
+    services = lib.foldl' (
+      services: s: let
+        svc = builtins.replaceStrings [".nix"] [""] s;
+      in
+        services
+        // lib.optionalAttrs (!builtins.elem "${svc}.service" cfg.excludedHardenedConfigs)
+        {${svc}.serviceConfig = import "${configs-dir}/${svc}.nix";}
+    ) {} (builtins.attrNames (builtins.readDir configs-dir));
+  };
+in {
+  options.ghaf.systemd = {
+    withHardenedConfigs = lib.mkOption {
+      description = "Enable common hardened configs.";
+      type = lib.types.bool;
+      default = false;
+    };
+    excludedHardenedConfigs = lib.mkOption {
+      default = [];
+      type = lib.types.listOf lib.types.str;
+      example = ["sshd.service"];
+      description = ''
+        A list of units to skip when applying hardened systemd service configurations.
+        The main purpose of this is to provide a mechanism to exclude specific hardened
+        configurations for fast debugging and problem resolution.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.withHardenedConfigs {
+    systemd = lib.mkMerge [
+      # Apply hardened systemd service configurations
+      (apply-service-configs ./hardened-configs/common)
+
+      # Apply release only service configurations
+      (lib.mkIf (!cfg.withDebug) (apply-service-configs ./hardened-configs/release))
+    ];
+  };
+}

modules/common/systemd/hardened-configs/common/NetworkManager-dispatcher.nix

@@ -0,0 +1,151 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+  ##############
+  # Networking #
+  ##############
+
+  # PrivateNetwork=true;
+  # IPAccounting=yes
+  IPAddressDeny = "any";
+  RestrictAddressFamilies = [
+    "AF_PACKET"
+    "AF_NETLINK"
+    "AF_UNIX"
+    "AF_INET"
+    "AF_INET6"
+  ];
+
+  ###############
+  # File system #
+  ###############
+
+  # ProtectHome=true;
+  # ProtectSystem="full";
+  ProtectProc = "noaccess";
+  # ReadWritePaths=[ "/etc"];
+  PrivateTmp = true;
+
+  # Not applicable for the service runs as root
+  # PrivateMounts=true;
+  # ProcSubset="all";
+
+  ###################
+  # User separation #
+  ###################
+
+  # Not applicable for the service runs as root
+  PrivateUsers = true;
+  # DynamicUser=true;
+
+  ###########
+  # Devices #
+  ###########
+
+  # PrivateDevices=false;
+  # DeviceAllow=/dev/null
+
+  ##########
+  # Kernel #
+  ##########
+
+  ProtectKernelTunables = true;
+  ProtectKernelModules = true;
+  ProtectKernelLogs = true;
+
+  ########
+  # Misc #
+  ########
+
+  Delegate = false;
+  # KeyringMode="private";
+  # NoNewPrivileges=true;
+  UMask = 077;
+  ProtectHostname = true;
+  ProtectClock = true;
+  ProtectControlGroups = true;
+  RestrictNamespaces = true;
+  /*
+    RestrictNamespaces=[
+   #"~user"
+   #"~pid"
+   #"~net"
+   #"~uts"
+   #"~mnt"
+   #"~cgroup"
+   #"~ipc"
+  ];
+  */
+  LockPersonality = true;
+  MemoryDenyWriteExecute = true;
+  RestrictRealtime = true;
+  RestrictSUIDSGID = true;
+  # RemoveIPC=true
+  SystemCallArchitectures = "native";
+  # NotifyAccess=false;
+
+  ################
+  # Capabilities #
+  ################
+
+  #AmbientCapabilities=
+  CapabilityBoundingSet = [
+    "~CAP_SYS_PACCT"
+    "~CAP_KILL"
+    # "~CAP_WAKE_ALARM"
+    # "~CAP_DAC_*
+    "~CAP_FOWNER"
+    # "~CAP_IPC_OWNER"
+    # "~CAP_BPF"
+    "~CAP_LINUX_IMMUTABLE"
+    # "~CAP_IPC_LOCK"
+    "~CAP_SYS_MODULE"
+    "~CAP_SYS_TTY_CONFIG"
+    "~CAP_SYS_BOOT"
+    "~CAP_SYS_CHROOT"
+    # "~CAP_BLOCK_SUSPEND"
+    "~CAP_LEASE"
+    "~CAP_MKNOD"
+    # "~CAP_CHOWN"
+    # "~CAP_FSETID"
+    # "~CAP_SETFCAP"
+    # "~CAP_SETUID"
+    # "~CAP_SETGID"
+    # "~CAP_SETPCAP"
+    # "~CAP_MAC_ADMIN"
+    # "~CAP_MAC_OVERRIDE"
+    "~CAP_SYS_RAWIO"
+    "~CAP_SYS_PTRACE"
+    # "~CAP_SYS_NICE"
+    # "~CAP_SYS_RESOURCE"
+    "~CAP_NET_ADMIN"
+    "~CAP_NET_BIND_SERVICE"
+    "~CAP_NET_BROADCAST"
+    "~CAP_NET_RAW"
+    # "~CAP_AUDIT_CONTROL"
+    # "~CAP_AUDIT_READ"
+    # "~CAP_AUDIT_WRITE"
+    "~CAP_SYS_ADMIN"
+    # "~CAP_SYSLOG"
+    # "~CAP_SYS_TIME
+  ];
+
+  ################
+  # System calls #
+  ################
+
+  SystemCallFilter = [
+    "~@clock"
+    # "~@cpu-emulation"
+    "~@debug"
+    "~@module"
+    "~@mount"
+    "~@obsolete"
+    "~@privileged"
+    # "~@raw-io"
+    "~@reboot"
+    "~@resources"
+    "~@swap"
+  ];
+}

modules/common/systemd/hardened-configs/common/audit.nix

@@ -0,0 +1,151 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+  ########
+  # Networking #
+  ##############
+
+  PrivateNetwork = true;
+  # IPAccounting=yes
+  IPAddressDeny = "any";
+  RestrictAddressFamilies = [
+    #"~AF_PACKET"
+    #"~AF_NETLINK"
+    #"~AF_UNIX"
+    #"~AF_INET"
+    #"~AF_INET6"
+  ];
+
+  ###############
+  # File system #
+  ###############
+
+  ProtectHome = true;
+  ProtectSystem = "full";
+  ProtectProc = "noaccess";
+  # ReadWritePaths=[ "/etc"];
+  PrivateTmp = true;
+
+  # Not applicable for the service runs as root
+  # PrivateMounts=true;
+  # ProcSubset="all";
+
+  ################
+  # User separation #
+  ###################
+
+  # Not applicable for the service runs as root
+  # PrivateUsers= service runs as root
+  # DynamicUser= service runs as root
+
+  ###########
+  # Devices #
+  ###########
+
+  # PrivateDevices=false;
+  # DeviceAllow=/dev/exampledevice
+
+  ##########
+  # Kernel #
+  ##########
+
+  ProtectKernelTunables = true;
+  ProtectKernelModules = true;
+  ProtectKernelLogs = true;
+
+  ########
+  # Misc #
+  ########
+
+  Delegate = false;
+  # KeyringMode="private";
+  NoNewPrivileges = true;
+  UMask = 077;
+  ProtectHostname = true;
+  ProtectClock = true;
+  ProtectControlGroups = true;
+  RestrictNamespaces = true;
+  /*
+    RestrictNamespaces=[
+   #"~user"
+   #"~pid"
+   #"~net"
+   #"~uts"
+   #"~mnt"
+   #"~cgroup"
+   #"~ipc"
+  ];
+  */
+  LockPersonality = true;
+  MemoryDenyWriteExecute = true;
+  RestrictRealtime = true;
+  RestrictSUIDSGID = true;
+  # RemoveIPC= service runs as root
+  SystemCallArchitectures = "native";
+  # NotifyAccess=false;
+
+  ################
+  # Capabilities #
+  ################
+
+  #AmbientCapabilities=
+  CapabilityBoundingSet = [
+    "~CAP_SYS_PACCT"
+    "~CAP_KILL"
+    # "~CAP_WAKE_ALARM"
+    # "~CAP_DAC_*
+    "~CAP_FOWNER"
+    # "~CAP_IPC_OWNER"
+    # "~CAP_BPF"
+    "~CAP_LINUX_IMMUTABLE"
+    # "~CAP_IPC_LOCK"
+    "~CAP_SYS_MODULE"
+    "~CAP_SYS_TTY_CONFIG"
+    "~CAP_SYS_BOOT"
+    "~CAP_SYS_CHROOT"
+    # "~CAP_BLOCK_SUSPEND"
+    "~CAP_LEASE"
+    "~CAP_MKNOD"
+    # "~CAP_CHOWN"
+    # "~CAP_FSETID"
+    # "~CAP_SETFCAP"
+    # "~CAP_SETUID"
+    # "~CAP_SETGID"
+    # "~CAP_SETPCAP"
+    # "~CAP_MAC_ADMIN"
+    # "~CAP_MAC_OVERRIDE"
+    "~CAP_SYS_RAWIO"
+    "~CAP_SYS_PTRACE"
+    # "~CAP_SYS_NICE"
+    # "~CAP_SYS_RESOURCE"
+    "~CAP_NET_ADMIN"
+    "~CAP_NET_BIND_SERVICE"
+    "~CAP_NET_BROADCAST"
+    "~CAP_NET_RAW"
+    # "~CAP_AUDIT_CONTROL"
+    # "~CAP_AUDIT_READ"
+    # "~CAP_AUDIT_WRITE"
+    "~CAP_SYS_ADMIN"
+    # "~CAP_SYSLOG"
+    # "~CAP_SYS_TIME
+  ];
+
+  ################
+  # System calls #
+  ################
+
+  SystemCallFilter = [
+    "~@clock"
+    # "~@cpu-emulation"
+    "~@debug"
+    "~@module"
+    "~@mount"
+    "~@obsolete"
+    "~@privileged"
+    # "~@raw-io"
+    "~@reboot"
+    "~@resources"
+    "~@swap"
+  ];
+}