
Hardening: Lynis recommendations #63768

Open
davidak opened this issue Jun 25, 2019 · 8 comments
Labels
2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md

Comments

@davidak
Member

davidak commented Jun 25, 2019

Issue description

I scanned my NixOS desktop with lynis.

  Lynis security scan details:

  Hardening index : 64 [############        ]

We might want to implement the recommendations, by default or in a special profile. (Maybe the hardening profile already has them? https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix)

[+] Kernel Hardening
------------------------------------
  - Comparing sysctl key pairs with scan profile
    - fs.protected_hardlinks (exp: 1)                         [ OK ]
    - fs.protected_symlinks (exp: 1)                          [ OK ]
    - fs.suid_dumpable (exp: 0)                               [ OK ]
    - kernel.core_uses_pid (exp: 1)                           [ DIFFERENT ]
    - kernel.ctrl-alt-del (exp: 0)                            [ OK ]
    - kernel.dmesg_restrict (exp: 1)                          [ DIFFERENT ]
    - kernel.kptr_restrict (exp: 2)                           [ DIFFERENT ]
    - kernel.randomize_va_space (exp: 2)                      [ OK ]
    - kernel.sysrq (exp: 0)                                   [ DIFFERENT ]
    - kernel.yama.ptrace_scope (exp: 1 2 3)                   [ DIFFERENT ]
    - net.ipv4.conf.all.accept_redirects (exp: 0)             [ OK ]
    - net.ipv4.conf.all.accept_source_route (exp: 0)          [ OK ]
    - net.ipv4.conf.all.bootp_relay (exp: 0)                  [ OK ]
    - net.ipv4.conf.all.forwarding (exp: 0)                   [ DIFFERENT ]
    - net.ipv4.conf.all.log_martians (exp: 1)                 [ DIFFERENT ]
    - net.ipv4.conf.all.mc_forwarding (exp: 0)                [ OK ]
    - net.ipv4.conf.all.proxy_arp (exp: 0)                    [ OK ]
    - net.ipv4.conf.all.rp_filter (exp: 1)                    [ DIFFERENT ]
    - net.ipv4.conf.all.send_redirects (exp: 0)               [ DIFFERENT ]
    - net.ipv4.conf.default.accept_redirects (exp: 0)         [ DIFFERENT ]
    - net.ipv4.conf.default.accept_source_route (exp: 0)      [ DIFFERENT ]
    - net.ipv4.conf.default.log_martians (exp: 1)             [ DIFFERENT ]
    - net.ipv4.icmp_echo_ignore_broadcasts (exp: 1)           [ OK ]
    - net.ipv4.icmp_ignore_bogus_error_responses (exp: 1)     [ OK ]
    - net.ipv4.tcp_syncookies (exp: 1)                        [ OK ]
    - net.ipv4.tcp_timestamps (exp: 0 1)                      [ OK ]
    - net.ipv6.conf.all.accept_redirects (exp: 0)             [ DIFFERENT ]
    - net.ipv6.conf.all.accept_source_route (exp: 0)          [ OK ]
    - net.ipv6.conf.default.accept_redirects (exp: 0)         [ DIFFERENT ]
    - net.ipv6.conf.default.accept_source_route (exp: 0)      [ OK ]

cc @joachifm

Steps to reproduce

  1. nix run -f channel:nixos-unstable nixpkgs.lynis -c lynis audit system -Q

Technical details

  • system: "x86_64-linux"
  • host os: Linux 4.19.49, NixOS, 19.03.172866.4649b6ef4b5 (Koi)
  • multi-user?: no
  • sandbox: yes
  • version: nix-env (Nix) 2.2.2
  • channels(root): "nixos-19.03.172979.8634c3b6199, nixos-hardware, nixos-unstable-19.09pre183392.83ba5afcc96"
  • nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos
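The report above lists the sysctl keys whose running value differs from the Lynis scan profile, and the question is how to turn those findings into NixOS configuration. The script below is an added example for this issue, not code from Lynis or nixpkgs: it parses the "Comparing sysctl key pairs" lines (a sample copied from the report above is embedded as constructed input), collects the keys marked DIFFERENT with the value Lynis expects, renders them as a `boot.kernel.sysctl` fragment (a real NixOS option), and can re-read `/proc/sys` after a rebuild to confirm the gap is closed. Everything else (function names, the sample text) is this example's own.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: a subset of the "Comparing sysctl key pairs with
# scan profile" section, copied from the report in this issue. It is embedded
# here so the parser can be exercised offline.
SAMPLE_REPORT = """\
  - Comparing sysctl key pairs with scan profile
    - fs.protected_hardlinks (exp: 1)                         [ OK ]
    - kernel.dmesg_restrict (exp: 1)                          [ DIFFERENT ]
    - kernel.kptr_restrict (exp: 2)                           [ DIFFERENT ]
    - kernel.yama.ptrace_scope (exp: 1 2 3)                   [ DIFFERENT ]
    - net.ipv4.tcp_timestamps (exp: 0 1)                      [ OK ]
    - net.ipv4.conf.all.log_martians (exp: 1)                 [ DIFFERENT ]
    - net.ipv6.conf.all.accept_redirects (exp: 0)             [ DIFFERENT ]
"""

# One check line: "- <key> (exp: <one or more accepted values>) [ OK|DIFFERENT ]"
CHECK_RE = re.compile(
    r"^\s*-\s+(?P<key>[\w.\-]+)\s+\(exp:\s*(?P<exp>[^)]+?)\s*\)"
    r"\s+\[\s*(?P<status>OK|DIFFERENT)\s*\]\s*$"
)


def parse_sysctl_checks(report: str) -> List[Tuple[str, List[str], str]]:
    """Return (key, accepted_values, status) for every sysctl check line.

    Lines that do not match (section headers, other Lynis output) are skipped.
    """
    checks = []
    for line in report.splitlines():
        m = CHECK_RE.match(line)
        if m:
            checks.append((m.group("key"), m.group("exp").split(), m.group("status")))
    return checks


def differing_keys(report: str) -> Dict[str, str]:
    """Map each key Lynis marked DIFFERENT to a value it would accept.

    When Lynis lists several accepted values (e.g. "1 2 3" for
    kernel.yama.ptrace_scope) the first one is used; review before applying,
    since the first value is not necessarily the strictest.
    """
    return {
        key: accepted[0]
        for key, accepted, status in parse_sysctl_checks(report)
        if status == "DIFFERENT"
    }


def render_nixos_sysctl(settings: Dict[str, str]) -> str:
    """Render the settings as a NixOS boot.kernel.sysctl attribute set.

    Keys contain dots, so they must be quoted in Nix; values are emitted as
    integers when they look like integers, otherwise as strings.
    """
    lines = ["boot.kernel.sysctl = {"]
    for key in sorted(settings):
        value = settings[key]
        rendered = value if value.lstrip("-").isdigit() else f'"{value}"'
        lines.append(f'  "{key}" = {rendered};')
    lines.append("};")
    return "\n".join(lines)


def current_value(key: str) -> Optional[str]:
    """Read the live value of a sysctl from /proc/sys, or None if unavailable."""
    path = os.path.join("/proc/sys", *key.split("."))
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


def recheck(report: str) -> Dict[str, bool]:
    """Re-evaluate each parsed check against the running kernel.

    Useful after nixos-rebuild to confirm the DIFFERENT entries are gone
    without re-running the full audit. Keys that cannot be read count as
    failing.
    """
    result = {}
    for key, accepted, _status in parse_sysctl_checks(report):
        live = current_value(key)
        result[key] = live is not None and live in accepted
    return result


if __name__ == "__main__":
    # Print a configuration fragment for the keys the sample report flags.
    print(render_nixos_sysctl(differing_keys(SAMPLE_REPORT)))
```

The rendered fragment is meant to be read, not pasted blindly: some of the flagged keys are already set by the hardened profile linked above, and others (net.ipv4.conf.all.forwarding is the obvious one) are only "wrong" for a machine that never routes or runs VMs. Once a chosen subset is applied, `recheck()` over the original report shows which entries still differ on the running kernel.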
@joachifm
Contributor

joachifm commented Jun 25, 2019

I'd disable ICMP redirects in the hardened profile, though arguably it makes sense to do so by default & only enable if actually needed ... for the others, I suppose you can open a PR to change defaults but there may be concerns over broken features. Perhaps there could be a "workstation/non-developer" profile of some sort, where breaking developer features is okay yet stopping short of outright wrecking performance and features like the hardened profile does.

@markuskowa
Member

kernel.sysrq should not be enabled by default (only in a developer profile).

@aanderse
Member

aanderse commented Jul 3, 2019

I've had 2 different security scanners complain about net.ipv4.tcp_timestamps on nix boxes. I haven't looked into the implications of changing it yet, though.

@davidak
Member Author

davidak commented Jul 3, 2019

@aanderse is openvas/GVM one of them? It's the only thing it complains about on NixOS targets. (I work for the company that develops it)

Screenshot from 2019-07-03 22-03-28

It's not a very high security risk. The worst thing that can happen is that someone knows the uptime of your system. Other popular Linux distros also have it enabled.

@aanderse
Member

aanderse commented Jul 3, 2019

@davidak Yes one of the scanners is ossim (which uses openvas as you'd be aware of), and the other is from Qualys. Thank you for clarifying the issue.

Entirely unrelated to this issue: I'm very glad to know who you work for! If you're able to lend any assistance I would greatly appreciate it: https://discourse.nixos.org/t/need-help-packaging-gsa/3345

joachifm added a commit that referenced this issue Jul 4, 2019
See e.g., #63768

Forwarding remains enabled for now, need to determine its effects on
virtualization, if any.
@stale

stale bot commented Jun 2, 2020

Thank you for your contributions.

This has been automatically marked as stale because it has had no activity for 180 days.

If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.

Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse.
  3. Ask on the #nixos channel on irc.freenode.net.

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jun 2, 2020
@mohe2015
Contributor

mohe2015 commented Dec 3, 2020

still important in my opinion

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Dec 3, 2020
@stale

stale bot commented Jun 2, 2021

I marked this as stale due to inactivity.

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jun 2, 2021