Add security configurations

Signed-off-by: Knut Ahlers <knut@ahlers.me>

PKGBUILD

@@ -7,7 +7,7 @@ pkgname=(
   luzifer-gui
   luzifer-lenovo-gui
 )
-pkgver=0.10.1
+pkgver=0.11.0
 pkgrel=1
 pkgdesc='System configuration for @luzifer systems'
 arch=(any)

base/usr/share/luzifer/base-setup/files/audit.rules

@@ -0,0 +1,31 @@
+# CNSPEC: Ensure events that modify user/group information are collected
+
+-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/security/opasswd -p wa -k identity
+
+# CNSPEC: Ensure changes to system administration scope (sudoers) is collected
+
+-w /etc/sudoers -p wa -k scope
+-w /etc/sudoers.d -p wa -k scope
+
+# CNSPEC: Ensure events that modify the system's Mandatory Access Controls are collected
+
+-w /etc/apparmor/ -p wa -k MAC-policy
+-w /etc/apparmor.d/ -p wa -k MAC-policy
+
+# CNSPEC: Ensure session initiation information is collected
+
+-w /var/run/utmp -p wa -k session
+-w /var/log/wtmp -p wa -k logins
+-w /var/log/btmp -p wa -k logins
+
+# CNSPEC: Ensure kernel module loading and unloading is collected
+
+-w /sbin/insmod -p x -k modules
+-w /sbin/rmmod -p x -k modules
+-w /sbin/modprobe -p x -k modules
+# Disabled as of https://gitlab.archlinux.org/archlinux/packaging/packages/audit/-/issues/2
+#-a always,exit -F arch=b64 -S init_module -S delete_module -k modules

base/usr/share/luzifer/base-setup/files/limits.conf

@@ -0,0 +1,2 @@
+# CNSPEC: Ensure core dumps are restricted
+* hard core 0

base/usr/share/luzifer/base-setup/files/sysctl.conf

@@ -0,0 +1,10 @@
+# CNSPEC: Ensure suspicious packets are logged
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+
+# CNSPEC: Ensure Reverse Path Filtering is enabled
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+
+# CNSPEC: Ensure core dumps are restricted
+fs.suid_dumpable = 0

base/usr/share/luzifer/base-setup/files/tmpfiles.conf

@@ -0,0 +1,11 @@
+# CNSPEC: Ensure secure permissions on /etc/group- are set
+f /etc/group- 0600 root root -
+
+# CNSPEC: Ensure secure permissions on /etc/gshadow- are set
+f /etc/gshadow- 0600 root root -
+
+# CNSPEC: Ensure secure permissions on /etc/passwd- are set
+f /etc/passwd- 0600 root root -
+
+# CNSPEC: Ensure secure permissions on /etc/shadow- are set
+f /etc/shadow- 0600 root root -

base/usr/share/luzifer/base-setup/tasks/security.yaml

@@ -1,12 +1,60 @@
 ---
 
-- name: Enable auditd
+- name: Enable required services
   systemd:
     enabled: true
     name: '{{ item }}'
-    state: started
   with_items:
     - auditd.service
     - apparmor.service
 
+- name: Install auditd default cleaner file
+  copy:
+    content: |
+      -D
+      -b 320
+    dest: /etc/audit/rules.d/01-cleaner.rules
+    mode: '0640'
+    owner: root
+
+- name: Install auditd rules
+  copy:
+    src: files/audit.rules
+    dest: /etc/audit/rules.d/50-luzifer-base.rules
+    mode: '0640'
+    owner: root
+  register: luzifer_base_rules
+
+- name: Load modified auditd rules
+  command:
+    cmd: augenrules --load
+  when: luzifer_base_rules.changed
+
+- name: Install sysctl config
+  copy:
+    src: files/sysctl.conf
+    dest: /etc/sysctl.d/50-luzifer-base.conf
+    mode: '0644'
+    owner: root
+  register: luzifer_base_conf
+
+- name: Load modified sysctl config
+  command:
+    cmd: sysctl -p /etc/sysctl.d/50-luzifer-base.conf
+  when: luzifer_base_conf.changed
+
+- name: Install limits config
+  copy:
+    src: files/limits.conf
+    dest: /etc/security/limits.d/50-luzifer-base.conf
+    mode: '0640'
+    owner: root
+
+- name: Install tmpfiles config
+  copy:
+    src: files/tmpfiles.conf
+    dest: /etc/tmpfiles.d/50-luzifer-base.conf
+    mode: '0640'
+    owner: root
+
 ...

base/usr/share/luzifer/base-setup/tasks/systemtime.yaml

@@ -13,14 +13,10 @@
     dest: /etc/systemd/timesyncd.conf
     owner: root
     mode: '0644'
-  register: etc_systemd_timesyncd_conf
 
-- name: Restart systemd-timesyncd
+- name: Enable systemd-timesyncd
   systemd:
-    daemon_reload: true
     enabled: true
     name: systemd-timesyncd.service
-    state: restarted
-  when: etc_systemd_timesyncd_conf.changed
 
 ...