diff --git a/assets/icons/png/chromium.png b/assets/icons/png/chromium.png
deleted file mode 100644
index 553052f9da..0000000000
Binary files a/assets/icons/png/chromium.png and /dev/null differ
diff --git a/assets/icons/png/firefox.png b/assets/icons/png/firefox.png
deleted file mode 100644
index aa7767a4b3..0000000000
Binary files a/assets/icons/png/firefox.png and /dev/null differ
diff --git a/modules/common/security/firejail/default.nix b/modules/common/security/firejail/default.nix
index 294ecdb3fe..108293b49b 100755
--- a/modules/common/security/firejail/default.nix
+++ b/modules/common/security/firejail/default.nix
@@ -52,14 +52,14 @@ in {
 launchers = lib.optional cfg.apps.firefox.enable {
- name = "firefox-safe";
+ name = "Firefox-safe";
 path = "/run/current-system/sw/bin/firefox";
- icon = "${../../../assets/icons/png/firefox.png}";
+ icon = "${pkgs.icon-pack}/firefox.svg";
 } ++ lib.optional cfg.apps.chromium.enable {
- name = "chromium";
+ name = "Chromium-safe";
 path = "/run/current-system/sw/bin/chromium";
- icon = "${../../../assets/icons/png/chromium.png}";
+ icon = "${pkgs.icon-pack}/chromium.svg";
 };
 };
diff --git a/modules/common/security/system.nix b/modules/common/security/system.nix
index d15e281c1a..268d7b6637 100755
--- a/modules/common/security/system.nix
+++ b/modules/common/security/system.nix
@@ -16,7 +16,7 @@ in {
 Enforce Strong password for each user.
 '';
 type = lib.types.bool;
- default = false;
+ default = true;
 };
 min-passwd-len = lib.mkOption {
@@ -28,14 +28,6 @@ in {
 };
 };
- encrypt_home.enable = lib.mkOption {
- description = ''
- Enable encryption of user's data stored in 'Home' directory.
- '';
- type = lib.types.bool;
- default = false;
- };
-
 root.enable = lib.mkOption {
 description = ''
 Disable root login.
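Review bot: Deleting the `encrypt_home.enable` option declaration outright (and `enableASLR` in the `@@ -123` hunk of the same file) breaks evaluation for any downstream configuration that still sets `cfg.users.encrypt_home.enable` or `cfg.system-security.misc.enableASLR`, because NixOS rejects assignments to options that are no longer declared. Declaring the removals with `lib.mkRemovedOptionModule` entries in the module's `imports` (outside this hunk) would turn that into a clear deprecation error instead of an "option does not exist" failure and would document why the features went away. The matching consumer removals, `enableFscrypt` in `@@ -187` and the `kernel.randomize_va_space` sysctl in `@@ -249`, are consistent with this; note that dropping the sysctl means the ASLR level now follows the kernel/NixOS default rather than being pinned to 2 by this module, which is presumably intended but worth a line in the commit message.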
@@ -123,16 +115,6 @@ in {
 type = lib.types.bool;
 default = false;
 };
- enableASLR = lib.mkOption {
- description = ''
- Randomize user virtual address space. It disrupts the
- predictability of memory layouts and makes it harder for
- attackers to exploit memory related vulnerabilities.
- May slightly impact performance, may increase boot time.
- '';
- type = lib.types.bool;
- default = false;
- };
 randomizePageFreeList = lib.mkOption {
 description = ''
 Randomize free memory pages managed by the page allocator.
@@ -167,7 +149,7 @@ in {
 # There is no possible string to hash to just “!”
 users.users.root = lib.mkIf (!cfg.users.root.enable) {
- hashedPassword = lib.mkForce "!";
+ shell = "${pkgs.shadow}/bin/nologin";
 };
 # Enforce strong password
@@ -187,9 +169,6 @@ in {
 '';
 };
 };
-
- # Encrypt user's data stored in 'Home' directory
- enableFscrypt = cfg.users.encrypt_home.enable;
 };
 ## sudo administartion
@@ -249,9 +228,6 @@ in {
 # Disable ftrace
 "kernel.ftrace_enabled" = lib.mkDefault false;
- # Randomize address space including heap
- "kernel.randomize_va_space" = lib.mkIf (cfg.system-security.misc.enableASLR || cfg.system-security.misc.enable-all) (lib.mkForce 2);
-
 # Restrict core dump
 "fs.suid_dumpable" = lib.mkForce 0;
@@ -262,7 +238,7 @@ in {
 "vm.unprivileged_userfaultfd" = lib.mkForce 0;
 # Disable SysRq key
- "kernel.sysrq" = lib.mkForce 0;
+ "kernel.sysrq" = lib.mkIf config.ghaf.profiles.release.enable (lib.mkForce 0);
 # Disable loading of line descipline kernel module of TTY device
 # The line descipline module provides an interface between the low-level driver handling a TTY device
diff --git a/modules/microvm/virtualization/microvm/adminvm.nix b/modules/microvm/virtualization/microvm/adminvm.nix
index 5fe78b84a9..c78140839e 100644
--- a/modules/microvm/virtualization/microvm/adminvm.nix
+++ b/modules/microvm/virtualization/microvm/adminvm.nix
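Review bot: Swapping `hashedPassword = lib.mkForce "!";` for a nologin shell in the `users.users.root` block (`@@ -167`) weakens the root lockdown rather than replacing it: a nologin shell only refuses an interactive login shell, while the password field is now left to whatever another module or `users.mutableUsers` provides, so password-based authentication to root through PAM is no longer ruled out by this module. Unless the hash was dropped deliberately (for example to allow root in debug builds), keep both lines, `hashedPassword = lib.mkForce "!";` and `shell = "${pkgs.shadow}/bin/nologin";`, and if it is intentional, gate the hash on the profile rather than removing it. The comment kept above, `# There is no possible string to hash to just “!”`, now explains a line that no longer exists and should be rewritten, e.g. `# Lock root: no usable password hash and a non-interactive shell`.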
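Review bot: The `kernel.sysrq` sysctl (`@@ -262`) is now forced to 0 only when `config.ghaf.profiles.release.enable` is set, so non-release builds fall back to the NixOS/kernel default, which on stock kernels leaves some SysRq functions enabled, yet the comment above it still says `# Disable SysRq key` unconditionally. Make the profile dependence visible to the next reader, e.g. `# Disable SysRq key in release builds; debug builds keep the platform default (presumably so it stays usable for crash diagnostics)`. If the debug-build exception is meant to be a hardening trade-off, it belongs in the option description or commit message as well, since nothing else in the hunk records it.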
@@ -33,14 +33,10 @@
 withDebug = configHost.ghaf.profiles.debug.enable;
 };
 security = {
- users.strong-password.enable = true;
- users.root.enable = false;
- users.sudo.enable = true;
 system-security.enable = true;
 system-security.lock-kernel-modules = lib.mkDefault configHost.ghaf.profiles.release.enable;
 network.ipsecurity.enable = true;
 network.bpf-access-level = lib.mkForce 1; # Provide BPF access to privileged users
- fail2ban.enable = true;
 };
 };
diff --git a/modules/microvm/virtualization/microvm/appvm.nix b/modules/microvm/virtualization/microvm/appvm.nix
index 96f4b40d14..2fcabe19af 100644
--- a/modules/microvm/virtualization/microvm/appvm.nix
+++ b/modules/microvm/virtualization/microvm/appvm.nix
@@ -66,14 +66,10 @@
 withHardenedConfigs = true;
 };
 security = {
- users.strong-password.enable = true;
- users.root.enable = false;
- users.sudo.enable = true;
 system-security.enable = true;
 system-security.lock-kernel-modules = lib.mkDefault configHost.ghaf.profiles.release.enable;
 network.ipsecurity.enable = true;
 network.bpf-access-level = lib.mkForce 1; # Provide BPF access to privileged users
- fail2ban.enable = true;
 };
 };
diff --git a/modules/microvm/virtualization/microvm/audiovm.nix b/modules/microvm/virtualization/microvm/audiovm.nix
index a5637efbba..5d084702dd 100644
--- a/modules/microvm/virtualization/microvm/audiovm.nix
+++ b/modules/microvm/virtualization/microvm/audiovm.nix
@@ -39,14 +39,10 @@
 };
 services.audio.enable = true;
 security = {
- users.strong-password.enable = true;
- users.root.enable = false;
- users.sudo.enable = true;
 system-security.enable = true;
 system-security.lock-kernel-modules = lib.mkDefault configHost.ghaf.profiles.release.enable;
 network.ipsecurity.enable = true;
 network.bpf-access-level = lib.mkForce 1; # Provide BPF access to privileged users
- fail2ban.enable = true;
 };
 };
diff --git a/modules/microvm/virtualization/microvm/guivm.nix b/modules/microvm/virtualization/microvm/guivm.nix
index 44b4bb18d0..a3e05b310e 100644
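Review bot: Dropping `users.root.enable = false;`, `users.sudo.enable = true;` and `fail2ban.enable = true;` from the VM `security` block (here in adminvm and identically in the appvm, audiovm, guivm, microvm-host and netvm hunks) makes every VM depend on the option defaults, but the only default this diff changes is `strong-password` (system.nix `@@ -16`, now `true`). The defaults of `root.enable`, `sudo.enable` and `fail2ban.enable` are not visible in the diff; unless they are already `false`/`true`/`true`, these VMs silently lose the root lock, their sudo configuration and fail2ban with no evaluation error to flag it. `users.root.enable = false` is what drove the `lib.mkIf (!cfg.users.root.enable)` root lock in system.nix, so that default deserves checking first. If the goal is a common baseline across VMs, setting these once in a shared profile module states the policy explicitly instead of relying on defaults that a later option change can flip.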
--- a/modules/microvm/virtualization/microvm/guivm.nix
+++ b/modules/microvm/virtualization/microvm/guivm.nix
@@ -47,14 +47,10 @@
 };
 security = {
- users.strong-password.enable = true;
- users.root.enable = false;
- users.sudo.enable = true;
 system-security.enable = true;
 system-security.lock-kernel-modules = lib.mkDefault configHost.ghaf.profiles.release.enable;
 network.ipsecurity.enable = true;
 network.bpf-access-level = lib.mkForce 1; # Provide BPF access to privileged users
- fail2ban.enable = true;
 };
 };
diff --git a/modules/microvm/virtualization/microvm/microvm-host.nix b/modules/microvm/virtualization/microvm/microvm-host.nix
index 4e610b6941..0dbc9676b3 100644
--- a/modules/microvm/virtualization/microvm/microvm-host.nix
+++ b/modules/microvm/virtualization/microvm/microvm-host.nix
@@ -33,14 +33,10 @@ in {
 withHardenedConfigs = true;
 };
 security = {
- users.strong-password.enable = true;
- users.root.enable = false;
- users.sudo.enable = true;
 system-security.enable = true;
 system-security.lock-kernel-modules = lib.mkDefault config.ghaf.profiles.release.enable;
 network.ipsecurity.enable = true;
 network.bpf-access-level = lib.mkForce 1; # Provide BPF access to privileged users
- fail2ban.enable = true;
 };
 };
diff --git a/modules/microvm/virtualization/microvm/netvm.nix b/modules/microvm/virtualization/microvm/netvm.nix
index 3229cf9a61..0776dd4045 100644
--- a/modules/microvm/virtualization/microvm/netvm.nix
+++ b/modules/microvm/virtualization/microvm/netvm.nix
@@ -44,9 +44,6 @@
 withHardenedConfigs = true;
 };
 security = {
- users.strong-password.enable = true;
- users.root.enable = false;
- users.sudo.enable = true;
 system-security.enable = true;
 system-security.lock-kernel-modules = lib.mkDefault configHost.ghaf.profiles.release.enable;
 network.ipsecurity.enable = true;