From cf3b62e01e02806fdfc46dfc761ea20a67049bea Mon Sep 17 00:00:00 2001
From: h7x4
Date: Thu, 22 Aug 2024 22:58:48 +0200
Subject: [PATCH 1/3] bekkalokk/phpfpm-*: systemd hardening
---
 hosts/bekkalokk/configuration.nix | 1 +
 hosts/bekkalokk/services/phpfpm.nix | 51 +++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 hosts/bekkalokk/services/phpfpm.nix
diff --git a/hosts/bekkalokk/configuration.nix b/hosts/bekkalokk/configuration.nix
index bbc3c6b..ff2f1af 100644
--- a/hosts/bekkalokk/configuration.nix
+++ b/hosts/bekkalokk/configuration.nix
@@ -11,6 +11,7 @@
 ./services/kerberos
 ./services/mediawiki
 ./services/nginx.nix
+ ./services/phpfpm.nix
 ./services/vaultwarden.nix
 ./services/webmail
 ./services/website
diff --git a/hosts/bekkalokk/services/phpfpm.nix b/hosts/bekkalokk/services/phpfpm.nix
new file mode 100644
index 0000000..d796ff7
--- /dev/null
+++ b/hosts/bekkalokk/services/phpfpm.nix
@@ -0,0 +1,51 @@
+{ lib, ... }:
+let
+ pools = map (pool: "phpfpm-${pool}") [
+ "idp"
+ "mediawiki"
+ "pvv-nettsiden"
+ "roundcube"
+ "snappymail"
+ ];
+in
+{
+ # Source: https://www.pierreblazquez.com/2023/06/17/how-to-harden-apache-php-fpm-daemons-using-systemd/
+ systemd.services = lib.genAttrs pools (_: {
+ serviceConfig = let
+ caps = [
+ "CAP_NET_BIND_SERVICE"
+ "CAP_SETGID"
+ "CAP_SETUID"
+ "CAP_CHOWN"
+ "CAP_KILL"
+ "CAP_IPC_LOCK"
+ "CAP_DAC_OVERRIDE"
+ ];
+ in {
+ AmbientCapabilities = caps;
+ CapabilityBoundingSet = caps;
+ DeviceAllow = [ "" ];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = false;
+ NoNewPrivileges = true;
+ PrivateMounts = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ RemoveIPC = true;
+ UMask = "0077";
+ RestrictNamespaces = "~mnt";
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ KeyringMode = "private";
+ SystemCallFilter = [
+ "@system-service"
+ ];
+ };
+ });
+}
-- 
2.44.1
From 945d53cdb4e515ef25914c9c0cadc7c5f20ddfa2 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Thu, 22 Aug 2024 22:59:32 +0200
Subject: [PATCH 2/3] bekkalokk/vaultwarden: systemd hardening
---
 hosts/bekkalokk/services/vaultwarden.nix | 36 ++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
diff --git a/hosts/bekkalokk/services/vaultwarden.nix b/hosts/bekkalokk/services/vaultwarden.nix
index 13722ce..f4a7477 100644
--- a/hosts/bekkalokk/services/vaultwarden.nix
+++ b/hosts/bekkalokk/services/vaultwarden.nix
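Review bot: The `caps` list handed to both `AmbientCapabilities` and `CapabilityBoundingSet` is broader than a pool master on a unix socket needs: `CAP_NET_BIND_SERVICE` only matters if a pool listens on a TCP port below 1024, and `CAP_DAC_OVERRIDE` lets the root master bypass every file-permission check, which undoes much of what the rest of the sandbox buys — I would drop both and re-add one only if a pool's socket or log setup demonstrably fails without it. `MemoryDenyWriteExecute = false` is the one setting here that is weaker than the defaults and deserves a why-comment, e.g. `# PHP's opcache JIT maps writable+executable pages; MDWE breaks it`, so nobody "fixes" it later. `NoNewPrivileges = true` also makes the kernel ignore setuid/setgid bits on anything PHP execs, so if any of these pools delivers mail through a setuid/setgid `sendmail` wrapper that path needs a test — I cannot tell from the hunk which pools do. `UMask = "0077"` makes every file the workers create (MediaWiki uploads, webmail caches) mode 0600, which nginx cannot read if it serves them straight from disk under its own uid; `"0027"` is the usual compromise there. Unlike the vaultwarden unit, this block is applied to every name in `pools` unconditionally, so a name with no matching `services.phpfpm.pools` entry yields a unit with only hardening keys and no `ExecStart`; guarding with `lib.mkIf (config.services.phpfpm.pools ? ${pool})` (and taking `config` in the module arguments) keeps that from silently producing a broken unit.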
@@ -65,4 +65,40 @@ in {
 proxyWebsockets = true;
 };
 };
+
+ systemd.services.vaultwarden = lib.mkIf cfg.enable {
+ serviceConfig = {
+ AmbientCapabilities = [ "" ];
+ CapabilityBoundingSet = [ "" ];
+ DeviceAllow = [ "" ];
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ # MemoryDenyWriteExecute = true;
+ PrivateMounts = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_UNIX"
+ ];
+ RemoveIPC = true;
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ ];
+ UMask = "0007";
+ };
+ };
 }
-- 
2.44.1
From ef418bf1255f62e91ae0fd7e3ecc62890c795baf Mon Sep 17 00:00:00 2001
From: h7x4
Date: Thu, 22 Aug 2024 23:00:45 +0200
Subject: [PATCH 3/3] base/logrotate: systemd hardening + more
---
 base.nix | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
diff --git a/base.nix b/base.nix
index 4b1e171..9733a7f 100644
--- a/base.nix
+++ b/base.nix
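Review bot: `AmbientCapabilities = [ "" ]` and `CapabilityBoundingSet = [ "" ]` are merged with whatever the NixOS vaultwarden module already defines for those keys (as far as I recall it grants `CAP_NET_BIND_SERVICE`), and because list-valued unit options are concatenated in definition order you do not control, the empty reset can land before or after the module's value and either keep or drop the capability depending on evaluation order. Make the intent explicit with `AmbientCapabilities = lib.mkForce [ "" ];` and `CapabilityBoundingSet = lib.mkForce [ "" ];` — dropping all capabilities is fine as long as vaultwarden keeps listening on an unprivileged port behind the nginx proxy shown in the context lines. `# MemoryDenyWriteExecute = true;` is commented out with no reason given; either delete it or record what it broke, e.g. `# MemoryDenyWriteExecute: disabled because <component> needs W+X mappings`. `UMask = "0007"` leaves new files in the data directory (the sqlite database, RSA keys, attachments) group-readable and group-writable; unless a backup group genuinely needs write access, `"0027"` or `"0077"` is the safer default for a secrets store. The `cfg` referenced by `mkIf cfg.enable` and the enclosing `in {` attrset both start outside the hunk.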
@@ -133,6 +133,46 @@
 extraConfig = "return 444;";
 };
+ # source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
+ systemd.services.logrotate = {
+ documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
+ unitConfig.RequiresMountsFor = "/var/log";
+ serviceConfig = {
+ Nice = 19;
+ IOSchedulingClass = "best-effort";
+ IOSchedulingPriority = 7;
+
+ ReadWritePaths = [ "/var/log" ];
+
+ AmbientCapabilities = [ "" ];
+ CapabilityBoundingSet = [ "" ];
+ DeviceAllow = [ "" ];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true; # disable for third party rotate scripts
+ PrivateDevices = true;
+ PrivateNetwork = true; # disable for mail delivery
+ PrivateTmp = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true; # disable for userdir logs
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "full";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true; # disable for creating setgid directories
+ SocketBindDeny = [ "any" ];
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ ];
+ };
+ };
+
 networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
 security.acme = {
-- 
2.44.1
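Review bot: `CapabilityBoundingSet = [ "" ]` leaves the root logrotate process with no capabilities at all, and root without `CAP_DAC_OVERRIDE`, `CAP_CHOWN` and `CAP_FOWNER` is subject to ordinary mode bits, so it cannot rename, recreate or chown logs in a directory owned by another user, and a `su user group` directive (which, as far as I recall, the NixOS nginx module adds for its log directory on this same host) fails without `CAP_SETUID`/`CAP_SETGID` — I cannot see the generated logrotate.conf, so verify with a forced verbose run before relying on it. If it does fail, keep the sandbox and grant the minimum on the bounding set only, `CapabilityBoundingSet = [ "CAP_CHOWN" "CAP_DAC_OVERRIDE" "CAP_FOWNER" "CAP_KILL" "CAP_SETGID" "CAP_SETUID" ];` (ambient capabilities are irrelevant for a uid-0 service, so `AmbientCapabilities` can stay reset). `ReadWritePaths = [ "/var/log" ]` does nothing next to `ProtectSystem = "full"`, which never makes `/var` read-only; if the goal is to confine writes to the log tree that needs `ProtectSystem = "strict"`, after which the `postrotate` scripts' reads of pid files under `/run` still work because `/run` stays readable. Since `mkIf` is not used here, this block also creates a `logrotate` unit with only hardening keys on any host that imports base.nix without enabling the logrotate service, unlike the vaultwarden patch in this series. The enclosing module attrset starts and ends outside the hunk.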