diff --git a/PKGBUILD b/PKGBUILD
index 7340a94..456a5b7 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -7,7 +7,7 @@ pkgname=(
 luzifer-gui
 luzifer-lenovo-gui
 )
-pkgver=0.10.1
+pkgver=0.11.0
 pkgrel=1
 pkgdesc='System configuration for @luzifer systems'
 arch=(any)
diff --git a/base/usr/share/luzifer/base-setup/files/audit.rules b/base/usr/share/luzifer/base-setup/files/audit.rules
new file mode 100644
index 0000000..2cfa5c4
--- /dev/null
+++ b/base/usr/share/luzifer/base-setup/files/audit.rules
@@ -0,0 +1,31 @@
+# CNSPEC: Ensure events that modify user/group information are collected
+
+-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/security/opasswd -p wa -k identity
+
+# CNSPEC: Ensure changes to system administration scope (sudoers) is collected
+
+-w /etc/sudoers -p wa -k scope
+-w /etc/sudoers.d -p wa -k scope
+
+# CNSPEC: Ensure events that modify the system's Mandatory Access Controls are collected
+
+-w /etc/apparmor/ -p wa -k MAC-policy
+-w /etc/apparmor.d/ -p wa -k MAC-policy
+
+# CNSPEC: Ensure session initiation information is collected
+
+-w /var/run/utmp -p wa -k session
+-w /var/log/wtmp -p wa -k logins
+-w /var/log/btmp -p wa -k logins
+
+# CNSPEC: Ensure kernel module loading and unloading is collected
+
+-w /sbin/insmod -p x -k modules
+-w /sbin/rmmod -p x -k modules
+-w /sbin/modprobe -p x -k modules
+# Disabled as of https://gitlab.archlinux.org/archlinux/packaging/packages/audit/-/issues/2
+#-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
diff --git a/base/usr/share/luzifer/base-setup/files/limits.conf b/base/usr/share/luzifer/base-setup/files/limits.conf
new file mode 100644
index 0000000..e851677
--- /dev/null
+++ b/base/usr/share/luzifer/base-setup/files/limits.conf
@@ -0,0 +1,2 @@
+# CNSPEC: Ensure core dumps are restricted
+* hard core 0
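Review bot: The commented-out syscall rule at the end of the audit.rules hunk lists only `init_module` and `delete_module`; current kmod loads modules through `finit_module`, so when that line is re-enabled it should read `#-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules` (the hunk's own comment links the reason it is off for now). Until then the file relies solely on the `-p x` watches on `/sbin/insmod`, `/sbin/rmmod` and `/sbin/modprobe`; on Arch `/sbin` is a symlink into `/usr/bin` and those three names are themselves symlinks to `kmod`, so it is worth confirming with `ausearch -k modules` after a module load that the watches actually fire, and adding a watch on `/usr/bin/kmod` if they do not. A short comment above the watches recording the result of that check would save the next reader the same question.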
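Review bot: `* hard core 0` in limits.conf only covers the rlimit half of the control it cites; on a systemd host `kernel.core_pattern` hands dumps to systemd-coredump, and the CIS "core dumps are restricted" item pairs the rlimit and `fs.suid_dumpable = 0` (present in sysctl.conf) with `Storage=none` and `ProcessSizeMax=0` in `/etc/systemd/coredump.conf` or a drop-in under `/etc/systemd/coredump.conf.d/`. systemd-coredump is documented to honour the per-process limit it receives via `%c`, but the cnspec check will presumably look for the coredump.conf settings regardless, so consider shipping that drop-in alongside this file and noting in the header comment that the three settings belong together.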
diff --git a/base/usr/share/luzifer/base-setup/files/sysctl.conf b/base/usr/share/luzifer/base-setup/files/sysctl.conf
new file mode 100644
index 0000000..f186889
--- /dev/null
+++ b/base/usr/share/luzifer/base-setup/files/sysctl.conf
@@ -0,0 +1,10 @@
+# CNSPEC: Ensure suspicious packets are logged
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+
+# CNSPEC: Ensure Reverse Path Filtering is enabled
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+
+# CNSPEC: Ensure core dumps are restricted
+fs.suid_dumpable = 0
diff --git a/base/usr/share/luzifer/base-setup/files/tmpfiles.conf b/base/usr/share/luzifer/base-setup/files/tmpfiles.conf
new file mode 100644
index 0000000..4f2cca1
--- /dev/null
+++ b/base/usr/share/luzifer/base-setup/files/tmpfiles.conf
@@ -0,0 +1,11 @@
+# CNSPEC: Ensure secure permissions on /etc/group- are set
+f /etc/group- 0600 root root -
+
+# CNSPEC: Ensure secure permissions on /etc/gshadow- are set
+f /etc/gshadow- 0600 root root -
+
+# CNSPEC: Ensure secure permissions on /etc/passwd- are set
+f /etc/passwd- 0600 root root -
+
+# CNSPEC: Ensure secure permissions on /etc/shadow- are set
+f /etc/shadow- 0600 root root -
diff --git a/base/usr/share/luzifer/base-setup/tasks/security.yaml b/base/usr/share/luzifer/base-setup/tasks/security.yaml
index 25a32d5..c472f09 100644
--- a/base/usr/share/luzifer/base-setup/tasks/security.yaml
+++ b/base/usr/share/luzifer/base-setup/tasks/security.yaml
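Review bot: The `f` lines in tmpfiles.conf create an empty `/etc/group-`, `/etc/gshadow-`, `/etc/passwd-` or `/etc/shadow-` whenever the backup file does not exist yet, which is a side effect a permission-hardening rule should not have. The `z` type adjusts mode and ownership only if the path already exists and matches the intent of the four CNSPEC comments, e.g. `z /etc/shadow- 0600 root root -`; the same substitution applies to the other three lines. A one-line header comment stating that these files are only hardened, never created, would make the choice explicit.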
@@ -1,12 +1,60 @@ --- -- name: Enable auditd +- name: Enable required services systemd: enabled: true name: '{{ item }}' - state: started with_items: - auditd.service - apparmor.service +- name: Install auditd default cleaner file + copy: + content: | + -D + -b 320 + dest: /etc/audit/rules.d/01-cleaner.rules + mode: '0640' + owner: root + +- name: Install auditd rules + copy: + src: files/audit.rules + dest: /etc/audit/rules.d/50-luzifer-base.rules + mode: '0640' + owner: root + register: luzifer_base_rules + +- name: Load modified auditd rules + command: + cmd: augenrules --load + when: luzifer_base_rules.changed + +- name: Install sysctl config + copy: + src: files/sysctl.conf + dest: /etc/sysctl.d/50-luzifer-base.conf + mode: '0644' + owner: root + register: luzifer_base_conf + +- name: Load modified sysctl config + command: + cmd: sysctl -p /etc/sysctl.d/50-luzifer-base.conf + when: luzifer_base_conf.changed + +- name: Install limits config + copy: + src: files/limits.conf + dest: /etc/security/limits.d/50-luzifer-base.conf + mode: '0640' + owner: root + +- name: Install tmpfiles config + copy: + src: files/tmpfiles.conf + dest: /etc/tmpfiles.d/50-luzifer-base.conf + mode: '0640' + owner: root + ... diff --git a/base/usr/share/luzifer/base-setup/tasks/systemtime.yaml b/base/usr/share/luzifer/base-setup/tasks/systemtime.yaml index adf4617..3bf5792 100644 --- a/base/usr/share/luzifer/base-setup/tasks/systemtime.yaml +++ b/base/usr/share/luzifer/base-setup/tasks/systemtime.yaml @@ -13,14 +13,10 @@ dest: /etc/systemd/timesyncd.conf owner: root mode: '0644' - register: etc_systemd_timesyncd_conf -- name: Restart systemd-timesyncd +- name: Enable systemd-timesyncd systemd: - daemon_reload: true enabled: true name: systemd-timesyncd.service - state: restarted - when: etc_systemd_timesyncd_conf.changed ...
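Review bot: `-b 320` in the inline `01-cleaner.rules` content is a small audit backlog; the CIS check that the cnspec comments track expects at least 8192, and nothing in this hunk sets a failure mode (`-f 1`) or locks the rule set with a final `-e 2`, so consider `-b 8192` here plus a separate `99-finalize.rules` holding `-e 2` (it must sort last so the cleaner's `-D` still runs first). The cleaner task is also not registered, so an edit to `01-cleaner.rules` alone never triggers `augenrules --load`; registering it and using `when: luzifer_base_rules.changed or luzifer_cleaner_rules.changed` on the load task closes that gap. Dropping `state: started` from the services task means a freshly provisioned host only has auditd enabled, not running, when the rules are loaded — presumably intended for image builds, but a short comment on the task saying so would prevent someone re-adding it.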
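Review bot: With the `register` and the restart task removed from systemtime.yaml, a changed `/etc/systemd/timesyncd.conf` (the copy task begins above this hunk) is no longer applied to a running timesyncd; the unit is only enabled. If this playbook is also run on live hosts rather than only during image builds, keep a notification path — e.g. `notify: restart systemd-timesyncd` on the copy task with a matching handler — or document on the task that a reboot is required for config changes to take effect.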