NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Hardening: Lynis recommendations #63768

Open davidak opened 5 years ago

davidak commented 5 years ago

Issue description

I scanned my NixOS desktop with lynis.

  Lynis security scan details:

  Hardening index : 64 [############        ]

We might want to implement the recommendations, by default or in a special profile. (Maybe the hardened profile already has them? https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix)

[+] Kernel Hardening
------------------------------------
  - Comparing sysctl key pairs with scan profile
    - fs.protected_hardlinks (exp: 1)                         [ OK ]
    - fs.protected_symlinks (exp: 1)                          [ OK ]
    - fs.suid_dumpable (exp: 0)                               [ OK ]
    - kernel.core_uses_pid (exp: 1)                           [ DIFFERENT ]
    - kernel.ctrl-alt-del (exp: 0)                            [ OK ]
    - kernel.dmesg_restrict (exp: 1)                          [ DIFFERENT ]
    - kernel.kptr_restrict (exp: 2)                           [ DIFFERENT ]
    - kernel.randomize_va_space (exp: 2)                      [ OK ]
    - kernel.sysrq (exp: 0)                                   [ DIFFERENT ]
    - kernel.yama.ptrace_scope (exp: 1 2 3)                   [ DIFFERENT ]
    - net.ipv4.conf.all.accept_redirects (exp: 0)             [ OK ]
    - net.ipv4.conf.all.accept_source_route (exp: 0)          [ OK ]
    - net.ipv4.conf.all.bootp_relay (exp: 0)                  [ OK ]
    - net.ipv4.conf.all.forwarding (exp: 0)                   [ DIFFERENT ]
    - net.ipv4.conf.all.log_martians (exp: 1)                 [ DIFFERENT ]
    - net.ipv4.conf.all.mc_forwarding (exp: 0)                [ OK ]
    - net.ipv4.conf.all.proxy_arp (exp: 0)                    [ OK ]
    - net.ipv4.conf.all.rp_filter (exp: 1)                    [ DIFFERENT ]
    - net.ipv4.conf.all.send_redirects (exp: 0)               [ DIFFERENT ]
    - net.ipv4.conf.default.accept_redirects (exp: 0)         [ DIFFERENT ]
    - net.ipv4.conf.default.accept_source_route (exp: 0)      [ DIFFERENT ]
    - net.ipv4.conf.default.log_martians (exp: 1)             [ DIFFERENT ]
    - net.ipv4.icmp_echo_ignore_broadcasts (exp: 1)           [ OK ]
    - net.ipv4.icmp_ignore_bogus_error_responses (exp: 1)     [ OK ]
    - net.ipv4.tcp_syncookies (exp: 1)                        [ OK ]
    - net.ipv4.tcp_timestamps (exp: 0 1)                      [ OK ]
    - net.ipv6.conf.all.accept_redirects (exp: 0)             [ DIFFERENT ]
    - net.ipv6.conf.all.accept_source_route (exp: 0)          [ OK ]
    - net.ipv6.conf.default.accept_redirects (exp: 0)         [ DIFFERENT ]
    - net.ipv6.conf.default.accept_source_route (exp: 0)      [ OK ]

cc @joachifm

Steps to reproduce

  1. nix run -f channel:nixos-unstable nixpkgs.lynis -c lynis audit system -Q

Technical details

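The keys Lynis reports as DIFFERENT above map one-to-one onto `boot.kernel.sysctl` entries. The following is an added example for this thread, not code from the issue, from Lynis or from nixpkgs: a small NixOS module that applies those values as an opt-in profile (the "workstation" idea discussed below) rather than as a changed default. The option path `profiles.lynisSysctl` and the file name are hypothetical and chosen for this example; `boot.kernel.sysctl`, `lib.mkEnableOption`, `lib.mkOption` and `lib.optionalAttrs` are the real NixOS/nixpkgs APIs. Save it as `lynis-sysctl.nix`, add it to `imports`, and set `profiles.lynisSysctl.enable = true;`.

```nix
# Added example, not code from the issue or from nixpkgs.
# Applies every sysctl Lynis flagged as DIFFERENT in the scan above.
# `profiles.lynisSysctl` is a hypothetical option path for this example.
{ config, lib, ... }:

let
  cfg = config.profiles.lynisSysctl;
in
{
  options.profiles.lynisSysctl = {
    enable = lib.mkEnableOption "the sysctl values Lynis expects";

    allowForwarding = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Leave net.ipv4.conf.all.forwarding alone. Needed on hosts that do
        NAT or bridge traffic for containers and VMs.
      '';
    };

    allowDeveloperTools = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Skip the two keys that break developer workflows: ptrace_scope=1
        stops `gdb -p` / `strace -p` on processes that are not descendants
        of the debugger, and sysrq=0 disables the magic SysRq key.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    boot.kernel.sysctl = {
      # Kernel information leaks and core dumps
      "kernel.core_uses_pid" = 1;   # write core.<pid> instead of one overwritten "core"
      "kernel.dmesg_restrict" = 1;  # unprivileged users cannot read the kernel log
      "kernel.kptr_restrict" = 2;   # %pK pointers print as zeros, even for root

      # IPv4: do not let the network steer routing decisions
      "net.ipv4.conf.all.send_redirects" = 0;
      "net.ipv4.conf.default.accept_redirects" = 0;
      "net.ipv4.conf.default.accept_source_route" = 0;
      "net.ipv4.conf.all.rp_filter" = 1;  # strict reverse-path check; can drop
                                          # legitimate traffic on multi-homed
                                          # hosts with asymmetric routing
      "net.ipv4.conf.all.log_martians" = 1;
      "net.ipv4.conf.default.log_martians" = 1;

      # IPv6 counterparts
      "net.ipv6.conf.all.accept_redirects" = 0;
      "net.ipv6.conf.default.accept_redirects" = 0;
    }
    // lib.optionalAttrs (!cfg.allowForwarding) {
      "net.ipv4.conf.all.forwarding" = 0;
    }
    // lib.optionalAttrs (!cfg.allowDeveloperTools) {
      "kernel.sysrq" = 0;
      "kernel.yama.ptrace_scope" = 1;
    };
  };
}
```

After `nixos-rebuild switch`, check a single key with `sysctl kernel.kptr_restrict` or rerun the `lynis audit system -Q` command from the steps above and confirm the rows flip to OK. If another module on the host already defines one of these keys at the same priority (for example a NAT or container module setting forwarding), evaluation fails with a conflicting-definition error; on such hosts set `allowForwarding = true` rather than reaching for `lib.mkForce`, so the reason for the exception stays visible in the configuration.
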
joachifm commented 5 years ago

I'd disable ICMP redirects in the hardened profile, though arguably it makes sense to do so by default & only enable if actually needed ... for the others, I suppose you can open a PR to change defaults but there may be concerns over broken features. Perhaps there could be a "workstation/non-developer" profile of some sort, where breaking developer features is okay yet stopping short of outright wrecking performance and features like the hardened profile does.

markuskowa commented 5 years ago

kernel.sysrq should not be enabled by default (only in a developer profile).

aanderse commented 5 years ago

I've had 2 different security scanners complain about net.ipv4.tcp_timestamps on nix boxes. I haven't looked into the implications of changing it yet, though.

davidak commented 5 years ago

@aanderse is openvas/GVM one of them? It's the only thing it complains about on NixOS targets. (I work for the company that develops it)

[Screenshot from 2019-07-03 22-03-28]

It's not a very high security risk. The worst thing that can happen is that someone learns the uptime of your system. Other popular Linux distros also have it enabled.

aanderse commented 5 years ago

@davidak Yes, one of the scanners is OSSIM (which uses OpenVAS, as you'd be aware), and the other is from Qualys. Thank you for clarifying the issue.

Entirely unrelated to this issue: I'm very glad to know who you work for! If you're able to lend any assistance I would greatly appreciate it: https://discourse.nixos.org/t/need-help-packaging-gsa/3345

stale[bot] commented 4 years ago

Thank you for your contributions.

This has been automatically marked as stale because it has had no activity for 180 days.

If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.

Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse.
  3. Ask on the #nixos channel on irc.freenode.net.

mohe2015 commented 3 years ago

still important in my opinion

stale[bot] commented 3 years ago

I marked this as stale due to inactivity.