From 23265d858f7d5cf58cd8ee0a6b62ddd232bf04cb Mon Sep 17 00:00:00 2001
From: Ganga Ram
Date: Tue, 11 Jun 2024 14:55:03 +0400
Subject: [PATCH 1/8] Enable Apparmor security
- Added Apparmor configuration for Chromium and Firefox
Signed-off-by: Ganga Ram
---
 modules/common/security/apparmor/default.nix | 30 +++
 .../security/apparmor/profiles/chromium.nix | 186 ++++++++++++++++++
 .../security/apparmor/profiles/firefox.nix | 171 ++++++++++++++++
 modules/common/security/default.nix | 1 +
 4 files changed, 388 insertions(+)
 create mode 100755 modules/common/security/apparmor/default.nix
 create mode 100644 modules/common/security/apparmor/profiles/chromium.nix
 create mode 100755 modules/common/security/apparmor/profiles/firefox.nix
diff --git a/modules/common/security/apparmor/default.nix b/modules/common/security/apparmor/default.nix
new file mode 100755
index 000000000..eac8ee7ff
--- /dev/null
+++ b/modules/common/security/apparmor/default.nix
@@ -0,0 +1,30 @@
+# Copyright 2024-2025 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.ghaf.security.apparmor;
+in {
+ ## Option to enable Apparmor security
+ options.ghaf.security.apparmor = {
+ enable = lib.mkOption {
+ description = ''
+ Enable Apparmor security.
+ '';
+ type = lib.types.bool;
+ default = false;
+ };
+ };
+
+ imports = [
+ ./profiles/firefox.nix
+ ./profiles/chromium.nix
+ ];
+
+ config = lib.mkIf cfg.enable {
+ security.apparmor.enable = true;
+ security.apparmor.killUnconfinedConfinables = lib.mkDefault true;
+ };
+}
diff --git a/modules/common/security/apparmor/profiles/chromium.nix b/modules/common/security/apparmor/profiles/chromium.nix
new file mode 100644
index 000000000..69cf723d6
--- /dev/null
+++ b/modules/common/security/apparmor/profiles/chromium.nix
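Review bot: The two profile modules are imported unconditionally, but each policy is gated only on its own `apps.<name>.enable` and not on `cfg.enable`, so `apps.chromium.enable = true` together with `apparmor.enable = false` defines a policy that is presumably never loaded and gives no error. Gating the policies on `cfg.enable && cfg.apps.chromium.enable`, or adding an assertion for the combination, would make that misconfiguration visible. The file is also created with mode 100755 while `profiles/chromium.nix` is 100644; Nix modules are never executed, so 100644 is the consistent choice for all of them.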
@@ -0,0 +1,186 @@
+# Copyright 2024-2025 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.ghaf.security.apparmor;
+ xprofile =
+ if config.ghaf.security.system-security.enable
+ then ''
+ capability sys_admin,
+ capability sys_chroot,
+
+ capability chown,
+ capability fsetid,
+ capability setgid,
+ capability setuid,
+ capability dac_override,
+ capability sys_chroot,
+
+ capability sys_ptrace,
+ ptrace (read, readby),
+ capability sys_chroot,
+ capability ipc_lock,
+
+ capability setuid,
+ capability setgid,
+
+ owner @{PROC}/[0-9]*/gid_map w,
+ owner @{PROC}/[0-9]*/setgroups w,
+ owner @{PROC}/[0-9]*/uid_map w,
+ }
+ ''
+ else ''
+ }
+ '';
+in {
+ ## Option to enable Apparmor profile for chromium
+ options.ghaf.security.apparmor.apps.chromium = {
+ enable = lib.mkOption {
+ description = ''
+ Enable Chromium AppArmor profile.
+ '';
+ type = lib.types.bool;
+ default = false;
+ };
+ };
+ ## Apparmor profile for Chromium
+ config.security.apparmor.policies."bin.chromium" = lib.mkIf cfg.apps.chromium.enable {
+ profile =
+ ''
+ abi ,
+ include
+
+ @{CHROMIUM} = ${pkgs.chromium.browser}/libexec/chromium/chromium
+ @{INTEGER}=[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}
+ @{ETC}=/etc
+ @{NIX_STORE}=/nix/store
+
+ profile chromium @{CHROMIUM} flags=(enforce){
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ include "${pkgs.apparmorRulesFromClosure {name = "chromium";} [pkgs.chromium]}"
+
+ ${config.environment.etc."os-release".source} r,
+ ${config.environment.etc."lsb-release".source} r,
+
+ # All of these are for sanely dropping from root and chrooting
+
+ # optional
+ capability sys_resource,
+ owner @{PROC}/[0-9]*/gid_map w,
+ owner @{PROC}/[0-9]*/setgroups w,
+ owner @{PROC}/[0-9]*/uid_map w,
+
+ @{ETC}/nixos/** r,
+ @{ETC}/nix/** r,
+ @{NIX_STORE}/** mrix,
+
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+ @{sys}/devices/system/cpu/present r,
+ @{sys}/devices/system/cpu/kernel_max r,
+ @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r,
+ @{sys}/bus/ r,
+ @{sys}/bus/** r,
+
+ @{sys}/class/ r,
+ @{sys}/class/** r,
+ @{sys}/devices/pci*/** rw,
+ @{sys}/devices/virtual/tty/** r,
+ @{sys}/devices/virtual/dmi/** r,
+
+ /tmp/.X[0-9]*-lock r,
+
+ @{CHROMIUM} mrix,
+ ${pkgs.chromium}/share/{,**} r,
+ ${pkgs.chromium.sandbox}/bin/* rix,
+ ${pkgs.chromium.browser} r,
+ ${pkgs.chromium.browser}/share/{,**} r,
+ ${pkgs.chromium.browser}/libexec/chromium/chromium rix,
+ ${pkgs.chromium.browser}/libexec/chromium/*.so mr,
+ ${pkgs.chromium.browser}/libexec/chromium/* rix,
+ ${pkgs.chromium.browser}/libexec/chromium/** r,
+
+ @{PROC} r,
+ @{PROC}/[0-9]*/net/ipv6_route r,
+ @{PROC}/[0-9]*/net/arp r,
+ @{PROC}/[0-9]*/net/if_inet6 r,
+ @{PROC}/[0-9]*/net/route r,
+ @{PROC}/[0-9]*/net/ipv6_route r,
+ @{PROC}/[0-9]*/stat rix,
+ @{PROC}/[0-9]*/task/@{tid}/comm rw,
+ @{PROC}/[0-9]*/task/@{tid}/status rix,
+ owner @{PROC}/[0-9]*/cgroup r,
+ owner @{PROC}/[0-9]*/fd/ r,
+ owner @{PROC}/[0-9]*/io r,
+ owner @{PROC}/[0-9]*/mountinfo r,
+ owner @{PROC}/[0-9]*/mounts r,
+ owner @{PROC}/[0-9]*/oom_score_adj w,
+ owner @{PROC}/[0-9]*/smaps rix,
+ owner @{PROC}/[0-9]*/statm rix,
+ owner @{PROC}/[0-9]*/task/ r,
+ owner @{PROC}/[0-9]*/cmdline rix,
+ owner @{PROC}/[0-9]*/environ rix,
+ owner @{PROC}/[0-9]*/clear_refs rw,
+ owner @{PROC}/self/* r,
+ owner @{PROC}/self/fd/* rw,
+ @{PROC}/sys/kernel/yama/ptrace_scope rw,
+ @{PROC}/sys/fs/inotify/max_user_watches r,
+ @{PROC}/ati/major r,
+
+ /dev/fb0 rw,
+ /dev/ r,
+ /dev/hidraw@{INTEGER} rw,
+ /dev/shm/** rw,
+ /dev/tty rw,
+ /dev/video@{INTEGER} rw,
+ owner /dev/shm/pulse-shm* m,
+ owner /dev/tty@{INTEGER} rw,
+
+ owner @{HOME} r,
+ owner @{HOME}/.cache/chromium wrk,
+ owner @{HOME}/.cache/mesa_shader_cache/index wrk,
+ owner @{HOME}/.cache/chromium/** mrwk,
+ owner @{HOME}/.cache/fontconfig/** rwk,
+ owner @{HOME}/.config/chromium rwkm,
+ owner @{HOME}/.config/chromium/** rwkm,
+ owner @{HOME}/.config/** rw,
+ owner @{HOME}/.local/share/mime/mime.cache m,
+ owner @{HOME}/.pki/nssdb/ rwk,
+ owner @{HOME}/.pki/nssdb/** rwk,
+ owner @{HOME}/Downloads/ r,
+ owner @{HOME}/Downloads/* rw,
+ owner @{run}/user/1000/ rw,
+ owner @{run}/user/1000/** rw,
+ owner /tmp/** rwk,
+ owner /var/tmp/** m,
+
+ owner /tmp/chromiumargs.?????? rw,
+
+ deny /boot/EFI/systemd/** r,
+ deny /boot/EFI/nixos/** r,
+ deny /boot/loader/** r,
+ deny /.suspended r,
+ deny /boot/vmlinuz* r,
+ deny /var/cache/fontconfig/ w,
+
+ ### Networking ###
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ #network inet6 dgrap,
+ network netlink raw,
+ ''
+ + xprofile;
+ };
+}
diff --git a/modules/common/security/apparmor/profiles/firefox.nix b/modules/common/security/apparmor/profiles/firefox.nix
new file mode 100755
index 000000000..086bf5016
--- /dev/null
+++ b/modules/common/security/apparmor/profiles/firefox.nix
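Review bot: Several rules in the `profile chromium` body are wider than a browser confinement needs: `@{PROC}/sys/kernel/yama/ptrace_scope rw,` grants write access to a system-wide hardening knob (and the `xprofile` block adds `capability sys_ptrace` when `system-security.enable` is set), `owner @{HOME}/.config/** rw,` reaches every other application's configuration, `owner /tmp/** rwk,` covers the whole temp directory, and `@{NIX_STORE}/** mrix,` lets the process map and execute any store path, where the Firefox profile in this series grants only `mr`. Suggested tightening: `@{PROC}/sys/kernel/yama/ptrace_scope r,`, `@{NIX_STORE}/** mr,`, and dropping the `.config/**` rule in favour of the existing `.config/chromium` rules, then re-validating in complain mode. The `owner @{run}/user/1000/` rules hardcode the uid here and in `profiles/firefox.nix`; deriving it from the configured user would keep the profile valid for other uids. In `xprofile`, `capability sys_chroot` appears three times and `setuid`/`setgid` twice; de-duplicating makes the granted capability set easier to audit. The comment `#network inet6 dgrap,` looks like a typo for `dgram`.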
@@ -0,0 +1,171 @@
+# Copyright 2024-2025 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.ghaf.security.apparmor;
+ xprofile =
+ if config.ghaf.security.system-security.enable
+ then ''
+ capability sys_admin,
+ capability sys_chroot,
+ owner @{PROC}/@{pid}/gid_map w,
+ owner @{PROC}/@{pid}/setgroups w,
+ owner @{PROC}/@{pid}/uid_map w,
+ }
+ ''
+ else ''
+ }
+ '';
+in {
+ ## Option to enable Apparmor profile for Firefox
+ options.ghaf.security.apparmor.apps.firefox = {
+ enable = lib.mkOption {
+ description = ''
+ Enable firefox AppArmor profile.
+ '';
+ type = lib.types.bool;
+ default = false;
+ };
+ };
+
+ ## Apparmor profile for Firefox
+ config.security.apparmor.policies."bin.firefox" = lib.mkIf cfg.apps.firefox.enable {
+ profile =
+ ''
+ abi ,
+ include
+
+ @{MOZ_LIBDIR} = ${pkgs.firefox}/lib/firefox{,-esr}
+ @{MOZ_HOMEDIR} = @{HOME}/.mozilla
+ @{CACHEDIR} = @{HOME}/.cache
+ @{MOZ_CACHEDIR} = @{CACHEDIR}/mozilla
+ @{FIREFOX} = ${pkgs.firefox}/bin/firefox
+ @{INTEGER}=[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}
+ @{ETC}=/etc
+ @{NIX_STORE}=/nix/store
+
+ profile firefox @{FIREFOX} flags=(enforce){
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ include "${pkgs.apparmorRulesFromClosure {name = "firefox";} [pkgs.firefox]}"
+
+ # Uncomment these, if kernel.unprivileged_userns_clone = 1
+ #capability sys_admin,
+ #capability sys_chroot,
+ #owner @{PROC}/@{pid}/gid_map w,
+ #owner @{PROC}/@{pid}/setgroups w,
+ #owner @{PROC}/@{pid}/uid_map w,
+
+ ${config.environment.etc."os-release".source} r,
+ ${config.environment.etc."lsb-release".source} r,
+
+ @{ETC}/nixos/** r,
+ @{ETC}/nix/** r,
+ @{NIX_STORE}/** mr,
+
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+ @{sys}/devices/system/cpu/present r,
+ @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r,
+ @{sys}/bus/pci rw,
+ @{sys}/bus/pci_express rw,
+ @{sys}/bus/pci/devices/ rw,
+ @{sys}/bus/pci/devices/** rw,
+ @{sys}/devices/pci*/** rw,
+ /tmp/.X[0-9]*-lock r,
+
+ @{FIREFOX} mrix,
+ ${pkgs.firefox}/lib/firefox/firefox rix,
+ ${pkgs.firefox}/lib/firefox/glxtest rix,
+ ${pkgs.firefox}/lib/firefox/firefox-bin rix,
+ ${pkgs.firefox}/lib/firefox/*.so mr,
+ ${pkgs.firefox}/share/firefox/{,**} r,
+ ${pkgs.firefox}/share/firefox/fonts r,
+ ${pkgs.firefox}/lib/mozilla/plugins/ r,
+ ${pkgs.firefox}/lib/mozilla/plugins/libvlcplugin.so mr,
+
+ ${pkgs.firefox-unwrapped}/lib/firefox/glxtest rix,
+ ${pkgs.firefox-unwrapped}/lib/firefox/firefox rix,
+ ${pkgs.firefox-unwrapped}/lib/firefox/firefox-bin rix,
+ ${pkgs.firefox-unwrapped}/lib/firefox/*.so mr,
+ ${pkgs.firefox-unwrapped}/lib/firefox/fonts r,
+ ${pkgs.firefox-unwrapped}/lib/firefox/pingsender r,
+ ${pkgs.firefox-unwrapped}/share/firefox/{,**} r,
+ ${pkgs.firefox-unwrapped}/lib/mozilla/plugins/ r,
+ ${pkgs.firefox-unwrapped}/lib/mozilla/plugins/libvlcplugin.so mr,
+
+ @{PROC}/@{pid}/net/ipv6_route r,
+ @{PROC}/@{pid}/net/arp r,
+ @{PROC}/@{pid}/net/if_inet6 r,
+ @{PROC}/@{pid}/net/route r,
+ @{PROC}/@{pid}/net/ipv6_route r,
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/oom_score_adj w,
+ owner @{PROC}/@{pid}/smaps r,
+ owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/statm r,
+ owner @{PROC}/@{pid}/task/ r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+ owner @{PROC}/@{pid}/task/@{tid}/stat r,
+ owner @{PROC}/@{pids}/cmdline r,
+ owner @{PROC}/@{pids}/environ r,
+ owner @{PROC}/self/* r,
+ owner @{PROC}/self/fd/* rw,
+
+ /dev/fb0 rw,
+ /dev/ r,
+ /dev/hidraw@{INTEGER} rw,
+ /dev/shm/ r,
+ /dev/tty rw,
+ /dev/video@{INTEGER} rw,
+ owner /dev/shm/org.chromium.* rw,
+ owner /dev/shm/org.mozilla.ipc.@{pid}.@{INTEGER} rw,
+ owner /dev/shm/wayland.mozilla.ipc.@{INTEGER} rw,
+ owner /dev/tty@{INTEGER} rw,
+
+ owner @{MOZ_HOMEDIR}/ rw,
+ owner @{MOZ_HOMEDIR}/{extensions,systemextensionsdev}/ rw,
+ owner @{MOZ_HOMEDIR}/firefox/ rw,
+ owner @{MOZ_HOMEDIR}/firefox/installs.ini rw,
+ owner @{MOZ_HOMEDIR}/firefox/profiles.ini rw,
+ owner @{MOZ_HOMEDIR}/firefox/*/ rw,
+ owner @{MOZ_HOMEDIR}/firefox/*/** rwk,
+ owner @{HOME}/.cache/ rw,
+ owner @{MOZ_CACHEDIR}/ rw,
+ owner @{MOZ_CACHEDIR}/** rwk,
+ owner @{CACHEDIR}/mesa_shader_cache/index wr,
+ owner @{run}/user/1000/ rw,
+ owner @{run}/user/1000/** rw,
+ owner /tmp/** m,
+ owner /var/tmp/** m,
+
+ deny /boot/EFI/systemd/** r,
+ deny /boot/EFI/nixos/** r,
+ deny /boot/loader/** r,
+ deny /.suspended r,
+ deny /boot/vmlinuz* r,
+ deny /var/cache/fontconfig/ w,
+
+ ### Networking ###
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ #network inet6 dgrap,
+ network netlink raw,
+ ''
+ + xprofile;
+ };
+}
diff --git a/modules/common/security/default.nix b/modules/common/security/default.nix
index f91f3ff50..c3007f674
--- a/modules/common/security/default.nix
+++ b/modules/common/security/default.nix
@@ -3,5 +3,6 @@
 {
 imports = [
 ./sshkeys.nix
+ ./apparmor
 ];
 }
From 74a555ad2c90e605dc8bc54703155c3305389524 Mon Sep 17 00:00:00 2001
From: Ganga Ram
Date: Tue, 11 Jun 2024 15:08:14 +0400
Subject: [PATCH 2/8] Integration of ClamAV anti-virus toolkit
Signed-off-by: Ganga Ram
---
 modules/common/security/clamav/default.nix | 86 ++++++++++++++++++++++
 modules/common/security/default.nix | 3 +-
 2 files changed, 88 insertions(+), 1 deletion(-)
 create mode 100755 modules/common/security/clamav/default.nix
diff --git a/modules/common/security/clamav/default.nix b/modules/common/security/clamav/default.nix
new file mode 100755
index 000000000..505925094
--- /dev/null
+++ b/modules/common/security/clamav/default.nix
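Review bot: The commented block from `# Uncomment these, if kernel.unprivileged_userns_clone = 1` to `#owner @{PROC}/@{pid}/uid_map w,` is stale and contradicts the `xprofile` binding above it, which appends exactly those rules when `config.ghaf.security.system-security.enable` is true, the case in which `system.nix` in this series sets `security.unprivilegedUsernsClone = false`; the dead block should be removed so a reader does not apply the inverse condition by hand. The sysfs rules `@{sys}/bus/pci rw,`, `@{sys}/bus/pci/devices/** rw,` and `@{sys}/devices/pci*/** rw,` grant write access to PCI device attributes, while a browser only reads them for GPU detection, so `r` is likely sufficient and should be confirmed in complain mode before tightening. Both profiles in this commit duplicate the `/dev`, `/boot` deny and networking sections verbatim; moving them into a shared Nix string would keep the two from drifting apart.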
@@ -0,0 +1,86 @@
+# Copyright 2024-2025 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.ghaf.security.clamav;
+in {
+ ## Antivirus in Ghaf
+ options.ghaf.security.clamav = {
+ # Option to enable
+ enable = lib.mkOption {
+ description = ''
+ Enable Clamav antivirus.
+ '';
+ type = lib.types.bool;
+ default = false;
+ };
+
+ # Option to enable live update of virus database
+ live-update = lib.mkOption {
+ description = ''
+ Enable live update.
+ '';
+ type = lib.types.bool;
+ default = false;
+ };
+ };
+
+ config.services.clamav = lib.mkIf cfg.enable {
+ # Enable Clamav antivirus daemon
+ daemon = {
+ enable = true;
+ settings = {
+ #TODO: write more configuration for Clamav
+ #https://linux.die.net/man/5/clamd.conf
+
+ # Uncomment these options to enable logging.
+ # LogFile must be writable for the user running daemon.
+ # A full path is required.
+
+ #LogFile = "/tmp/clamd.log";
+ #LogFileMaxSize = "2M";
+ #LogTime = "yes";
+ #LogRotate = "yes";
+ #ExtendedDetectionInfo = "yes";
+
+ # Always block cloaked URLs, even if URL isn't in database.
+ # This can lead to false positives.
+ PhishingAlwaysBlockCloak = "no";
+
+ # Allow heuristic match to take precedence.
+ # When enabled, if a heuristic scan (such as phishingScan) detects
+ # a possible virus/phish it will stop scan immediately. Recommended, saves CPU
+ # scan-time.
+ # When disabled, virus/phish detected by heuristic scans will be reported only at
+ # the end of a scan. If an archive contains both a heuristically detected
+ # virus/phish, and a real malware, the real malware will be reported
+ HeuristicScanPrecedence = "yes";
+
+ # Enable the Data Loss Prevention module
+ StructuredDataDetection = "yes";
+
+ # Stop daemon when libclamav reports out of memory condition.
+ ExitOnOOM = "yes";
+
+ # With this option clamav will try to detect broken executables (both PE and
+ # ELF) and mark them as Broken.Executable.
+ DetectBrokenExecutables = "yes";
+ };
+ };
+ updater = lib.mkIf cfg.live-update {
+ # Enable live update of virus database
+ enable = true;
+ settings = {
+ #TODO: write updater configuration
+ #https://linux.die.net/man/5/freshclam.conf
+ };
+ #Update virus database every hour
+ interval = "hourly";
+ #Update from 12 databases daily
+ frequency = 12;
+ };
+ };
+}
diff --git a/modules/common/security/default.nix b/modules/common/security/default.nix
index c3007f674..f27884328
--- a/modules/common/security/default.nix
+++ b/modules/common/security/default.nix
@@ -3,6 +3,7 @@
 {
 imports = [
 ./sshkeys.nix
- ./apparmor
+ ./apparmor
+ ./clamav
 ];
 }
From 86df98c1d0c01122c38cf9a6adf18cedededbd4a Mon Sep 17 00:00:00 2001
From: Ganga Ram
Date: Tue, 11 Jun 2024 16:00:28 +0400
Subject: [PATCH 3/8] Integration of Fail2Ban
- A intrusion prevention software framework
- Bans IP addresses conducting too many failed login attempts.
Signed-off-by: Ganga Ram
---
 modules/common/security/default.nix | 1 +
 modules/common/security/fail2ban/default.nix | 36 ++++++++++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100755 modules/common/security/fail2ban/default.nix
diff --git a/modules/common/security/default.nix b/modules/common/security/default.nix
index f27884328..a6db80dca
--- a/modules/common/security/default.nix
+++ b/modules/common/security/default.nix
@@ -5,5 +5,6 @@
 ./sshkeys.nix
 ./apparmor
 ./clamav
+ ./fail2ban
 ];
 }
diff --git a/modules/common/security/fail2ban/default.nix b/modules/common/security/fail2ban/default.nix
new file mode 100755
index 000000000..4568fa563
--- /dev/null
+++ b/modules/common/security/fail2ban/default.nix
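Review bot: The comment `#Update from 12 databases daily` above `frequency = 12;` misdescribes the option: `services.clamav.updater.frequency` sets freshclam's `Checks`, the number of update checks per day, not a number of databases, so it should read `# Check for database updates 12 times a day`. Enabling `daemon` alone starts clamd, but nothing in this module submits files to it, so no scanning happens until a client (`clamdscan`, an on-access scanner, or the NixOS `services.clamav.scanner` scheduled scan where the target release has it) is wired up; the `enable` description should say so or the module should enable one. `DetectBrokenExecutables` appears to be the deprecated spelling of `AlertBrokenExecutables` in recent ClamAV releases, which is worth checking against the clamd.conf man page of the packaged version, since an unknown option makes clamd refuse to start. `PhishingAlwaysBlockCloak = "no";` sits under a comment that describes the effect of enabling it; a short `# deliberately left off: too many false positives` would avoid a reader flipping it by mistake.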
@@ -0,0 +1,36 @@
+# Copyright 2024-2025 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.ghaf.security.fail2ban;
+in {
+ #imports = [../../desktop];
+ ## Option to enable fail2ban sandboxing
+ options.ghaf.security.fail2ban = {
+ enable = lib.mkOption {
+ description = ''
+ Enable fail2ban.
+ '';
+ type = lib.types.bool;
+ default = false;
+ };
+ };
+
+ ## Enable fail2ban sandboxing
+ config = {
+ services.fail2ban = lib.mkIf cfg.enable {
+ enable = true;
+ bantime = "30m";
+ maxretry = 3;
+ bantime-increment.enable = true;
+ bantime-increment.factor = "2";
+ jails = {
+ # TODO: define jails here
+ # sshd is jailed by default
+ };
+ };
+ };
+}
From 26854c133d463d0172066fa6b4e6f66c39225038 Mon Sep 17 00:00:00 2001
From: Ganga Ram
Date: Tue, 11 Jun 2024 16:06:14 +0400
Subject: [PATCH 4/8] Integrate FireJail security module
- Used to sandbox untrusted applications
Signed-off-by: Ganga Ram
---
 assets/icons/png/chromium.png | Bin 0 -> 5090 bytes
 assets/icons/png/firefox.png | Bin 0 -> 1431 bytes
 modules/common/security/default.nix | 3 +-
 modules/common/security/firejail/default.nix | 89 +++++++++++++++++++
 4 files changed, 91 insertions(+), 1 deletion(-)
 create mode 100644 assets/icons/png/chromium.png
 create mode 100644 assets/icons/png/firefox.png
 create mode 100755 modules/common/security/firejail/default.nix
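Review bot: The comments `## Option to enable fail2ban sandboxing` and `## Enable fail2ban sandboxing` mislabel the feature: fail2ban bans source addresses after repeated authentication failures, as the commit message says, and does not sandbox anything, so `## Option to enable fail2ban intrusion prevention` is the accurate wording. The commented-out `#imports = [../../desktop];` is dead code and should be dropped rather than shipped. `jails = { … }` is left empty with a TODO; a comment stating that only the default sshd jail is active, so the module protects SSH and nothing else until jails are added, would set the right expectation for whoever enables it.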
diff --git a/assets/icons/png/chromium.png b/assets/icons/png/chromium.png new file mode 100644 index 0000000000000000000000000000000000000000..553052f9da04130ae999e5375f1cc37f0c8cf3ea GIT binary patch literal 5090 zcmeHKc~lcu7atZkte|ZL7myIJifNL`LPA2qVn7HIi+~^q;$&t*BH2g=2w1g6YDGZ= zt)ie{tJT`N;L=kIR8%NM)`CR~f)uTls-U%eB2es0K*aO)obPzf*Z)k;Wai!XyT5nu z@80)LCL?&6|1_&PRuBYD69@Q)fcqTdHF+ZV{UR`^9^5KY!&VX@NHR&Q)5sJ`oJ6E( zaT0D&$RNnjstR6ZeF=VJu))=R@#=d`w+PrpUH(YiO0+^t`*Oe0m6Z=~5dLDjCZrKR z7qZmn$b-Y5mTg4L&iQOvZ{6uZ+TdrEV0gfpE|!ATU>i5yt0v!wuO|5 z1Xb5E@3^>5xcMkC8;b4i64X4qQTSOz-KsYxZ>cy_3#+=Ob#+VHI!oWP$LB}R_gpZK z)ty$69UURqa4VXK?A*JYwe!G&?Qd?Yv<~OzeG-&q$aVjGE&tc4k=ZNiR~4KK%sSUo z9XqS~9;GJw2ru2mw%BqC`R%L0OD1r-&i;OAWkB^OKLgj;^m3645+Kd~_R zV~=%%PlCR@;CS??u5^OEK?T~*paAW)QWC^RH7Xi{X{0#KpwfcAgCK#IL5raAI6;!) zaSFAN+*@*iOj2M%a)g@%mS{z|ToI6}!$VV-g`uhOC=Vlhd0Gh!d_bVW34~-&Db;$u zK}a_7^1-vwOed2}5F%bkUMUGCi8MN##HO)nFxAhXNMe#btw;hLCgX?rE*Yf&BOzH% z5L!N+o}8RaOJ>nDx;Q$6$K%mqCY{No0t8i`q9zanRjqe6QjBo;;(Ao4&=Lxbnq=fe zq?$xRNG5}M()0LKT8U(gUacQh0q8+DAX++u2Gdn4`gjjL;gkCY;ApVCa~?Hc_WErGue#T#2gyR1a2VytJghSQ0$uVU!?Fq0*YXfY>h~ z35D#1STDt9oH3;{J`mtO#`_ZbdG01KKuIKgUk#dQ3{UJUBpcV~V;WR}@lB7oJB%@K zgiU2J+}){c7KcaWA#N-x3uC|to5$o~9C#d+Sgj`zHHsUl069$ocz9BtyA0*PR5k~A zv)wQ$6>&o`D#}3-1`lDn@nGpViuZI1(3OaCd{jm%3{c_jD3`m^*`sa~UkmM1`UJB^sRy0p(PvkT{&KRmYhojDquhg2h5IlQt5#$r7wY2pMn? 
zl7kfLM8gYcm_mhz5{OYv2A2UdS#C_A0f)?T zd_-ZuH8O?D5p^66PLI)ceQsC$Ln~lh9s}jMaj7T^ky6?2u$0P!88DT@1GPk?up1Y3 zH>ohjuGh$jWJHJi!~q?FR-ipiT9Fo-3g!ATI$4ezs{jO}!Yt~TU@Xq4VD!<1>BckT zdBy_ze`z8x0mdCNz;DC`4li&P(#HDbrt#28QnoV(IWzuE^?bw<7At_>dFHt}LryaA-c_pcH_KJJw0i#)`IowZo{?h@@tv&SEBP}HAQ@eiK$({)R&IfN*2Mz2_Xui6* zy4f2tFTdtWouQm^CG$WPxyJ6mo6__c)TdG0sZx^2o!9nBv^6Hd(TN3zCAp6}Ul9e6!^tcZoQ+NPUnqAHtDvkEGI>iPVSA}HWG zKkQii%sVn!B<1*=VgDx8=@qAII6=9tQ!+I(MY2DKpoedjUs;<&KN)lJ-Mx3iqVIb> zC7;}G9eRa!O543Cdjs8qG#Jx=Q?ONEnC%hT9Of8)s>X`5EzL!|L}l@#;r?%R_GPEf z-%C2`yIy#;Z<;M-!r7cNyJUCHKdG*;wJhSqN;!Qqf4!lxBqIXrnI+2j%}@c`R#YMH ze*A=-PyMs-M{UZD+SsAhd0U^>L@c-GU?pT-#w;J?vr6@fyS*FcY1{+)d~ybwj!h3M zi75Iup9_C%4(! zR-JmDtUHfd)}2+RpC`v}w0&gbI5TZXQ(8N4*{Uy4a+|5LlvvHZX6IG3#5}#j>!Zqh zL;hm#`2~Wk_M6p#>V%S`%arZTUshk@_O4HIFdY2k$niE&XDwnMlQoqhzTUbbQ2!)y zfU(Vas6hL^@2z5sRr`_kw`OFe{E^?kdv+`~JXIF_2cH!vwHKR-LjOjN$+Os+$$Pks%uJkOAq6p)ILC{)lA5!9wFX$!Gq*B|TkdiQwu z?Abl@zQe`Fu0xS3At6Q@X-0F-^P73+eSZW0<7Pf>{qCnPo})SUgkP<~`@vjy?L!PlAQJE)~xnYlQU@#xoe_ zSSU|X3_@;gb&=GP8Sa>{yE+%P-hZ~yT&U*U@b^&^*@FV!-r$jT^z~6X{L#_o;;&3? z=GoxT6bxdDSN}l%jn^oSlzuFqA5yWF$P{74KylBmsxb^L+YUA4C$&-sf_=yvg zYqjS+&wq0MQ07=odz7P(D6hUtX=jb{6W^j@4-^Cbv2c%{HL3 zf{X?Y)P1Q^sdldra9V9ezH zTT37C_bZo4m);|3Z%{dY7Mug;P*IBI61BM|Q`6Jr=N8#`{R$#d^iCa)DqqWka-mLMrSO3D1(?_WtZs1f&wl@eW zb;hkVoYMz^UjzW{t=3o6S_*|C7=u$qRY{T6kCw@lXXxo+lFlYLN48YM4tBAl0V0Bk#i`x^ zTmXpiyq_7&cdbnkEd3~As#HeB;@Oy;tCuMhi{uMMynK<}AtY+SW%0a_APDJqK0;J( z3kXi!>-$!r#(OykLuajEtq>0e^tv5}aZE0k0}~+XlLpfa4n0CAog*62qNh#cev?;=N@~byS@ETIv(S2x2@LT`5t8JP`QtwI765#F^(hDj?gq_ zu>30HxQ!hrh_#4V#Ogmp(i4CNdjew9?`3njUjxK({IMNcFyjr(?mFX4onY!NjGt%R z-(c9jj-<(c+(jlSZr}%i-f;qevkyG{Q&o8;84ei^V|+g#P1BD*a1K?$sqVvc4}QCT zoa*nKb6Io%0EoA@$2;3wKQEOl z@2klDB2rVCgk{g8R2AoRk~JzTPW46S-19*6@4QcY^!<8s{)-^z)!I|eX Date: Tue, 11 Jun 2024 16:13:01 +0400 Subject: [PATCH 5/8] Security module for networking 
Signed-off-by: Ganga Ram
---
 modules/common/security/default.nix | 1 +
 modules/common/security/networking.nix | 85 ++++++++++++++++++++++++++
 2 files changed, 86 insertions(+)
 create mode 100755 modules/common/security/networking.nix
diff --git a/modules/common/security/default.nix b/modules/common/security/default.nix
index 46883e5e4..a7ce12ca7
--- a/modules/common/security/default.nix
+++ b/modules/common/security/default.nix
@@ -7,5 +7,6 @@
 ./clamav
 ./fail2ban
 ./firejail
+ ./networking.nix
 ];
 }
diff --git a/modules/common/security/networking.nix b/modules/common/security/networking.nix
new file mode 100755
index 000000000..7191cbcb7
--- /dev/null
+++ b/modules/common/security/networking.nix
@@ -0,0 +1,85 @@
+# Copyright 2024-2025 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.ghaf.security.network;
+in {
+ ## Option to enable IP security
+ options.ghaf.security.network.ipsecurity.enable = lib.mkOption {
+ description = ''
+ Enable Internet Protocol security.
+ '';
+ type = lib.types.bool;
+ default = true;
+ };
+
+ options.ghaf.security.network.bpf-access-level = lib.mkOption {
+ description = ''
+ Aceess level for bpf:
+ 0: disable bpf JIT
+ 1: priviledged access only
+ no restriction for any other value
+ '';
+ type = lib.types.int;
+ default = 0;
+ };
+
+ config.boot.kernel.sysctl = lib.mkMerge [
+ (lib.mkIf cfg.ipsecurity.enable {
+ # Disable IPv6
+ "net.ipv6.conf.all.disable_ipv6" = lib.mkForce 1;
+ "net.ipv6.conf.default.disable_ipv6" = lib.mkForce 1;
+ "net.ipv6.conf.lo.disable_ipv6" = lib.mkForce 1;
+
+ # Prevent SYN flooding
+ "net.ipv4.tcp_syncookies" = lib.mkForce 1;
+ "net.ipv4.tcp_syn_retries" = lib.mkForce 2;
+ "net.ipv4.tcp_synack_retries" = lib.mkForce 2;
+ "net.ipv4.tcp_max_syn_backlog" = lib.mkForce 4096;
+
+ # Drop RST packets for sockets in the time-wait state
+ "net.ipv4.tcp_rfc1337" = lib.mkForce 1;
+
+ # Enable RP Filter
+ "net.ipv4.conf.all.rp_filter" = lib.mkForce 1;
+ "net.ipv4.conf.default.rp_filter" = lib.mkForce 1;
+
+ # Disable redirect acceptance
+ "net.ipv4.conf.all.accept_redirects" = lib.mkForce 0;
+ "net.ipv4.conf.default.accept_redirects" = lib.mkForce 0;
+ "net.ipv4.conf.all.secure_redirects" = lib.mkForce 0;
+ "net.ipv4.conf.default.secure_redirects" = lib.mkForce 0;
+ "net.ipv4.conf.all.send_redirects" = lib.mkForce 0;
+ "net.ipv4.conf.default.send_redirects" = lib.mkForce 0;
+
+ # Ignore source-routed IP packets
+ "net.ipv4.conf.all.accept_source_route" = lib.mkForce 0;
+ "net.ipv4.conf.default.accept_source_route" = lib.mkForce 0;
+
+ # Ignore ICMP echo requests
+ "net.ipv4.icmp_echo_ignore_all" = lib.mkForce 1;
+
+ # Log Martian packets
+ "net.ipv4.conf.all.log_martians" = lib.mkDefault 0;
+ "net.ipv4.conf.default.log_martians" = lib.mkDefault 0;
+
+ # Ignore bogus ICMP error responses
+ "net.ipv4.icmp_ignore_bogus_error_responses" = lib.mkForce 1;
+ })
+
+ (lib.mkIf (cfg.bpf-access-level == 0) {
+ # Disable BPF JIT compiler (to eliminate spray attacks)
+ "net.core.bpf_jit_enable" = lib.mkDefault false;
+ })
+
+ (lib.mkIf (cfg.bpf-access-level == 1) {
+ # Provide BPF access to privileged users
+ # TODO: test if it works with Tetragon/Suricata
+ "kernel.unprivileged_bpf_disabled" = lib.mkOverride 500 1;
+ "net.core.bpf_jit_harden" = lib.mkForce 2;
+ })
+ ];
+}
From f753f2d0565d3b195b707a9836486a89b5a0551c Mon Sep 17 00:00:00 2001
From: Ganga Ram
Date: Tue, 11 Jun 2024 16:17:00 +0400
Subject: [PATCH 6/8] Module for system security
Signed-off-by: Ganga Ram
---
 modules/common/security/default.nix | 1 +
 modules/common/security/system.nix | 336 ++++++++++++++++++++++++++++
 2 files changed, 337 insertions(+)
 create mode 100755 modules/common/security/system.nix
diff --git a/modules/common/security/default.nix b/modules/common/security/default.nix
index a7ce12ca7..9dd02a6a8
--- a/modules/common/security/default.nix
+++ b/modules/common/security/default.nix
@@ -8,5 +8,6 @@
 ./fail2ban
 ./firejail
 ./networking.nix
+ ./system.nix
 ];
 }
diff --git a/modules/common/security/system.nix b/modules/common/security/system.nix
new file mode 100755
index 000000000..d15e281c1
--- /dev/null
+++ b/modules/common/security/system.nix
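Review bot: The comment `# Log Martian packets` contradicts the two values under it, which set `net.ipv4.conf.all.log_martians` and `net.ipv4.conf.default.log_martians` to `0`, i.e. logging off; for a hardening profile the detection-friendly setting is `lib.mkDefault 1`, and if the logging is intentionally off the comment should say that instead. `bpf-access-level = 0`, the default, only sets `net.core.bpf_jit_enable` and leaves `kernel.unprivileged_bpf_disabled` untouched, so unprivileged BPF program loading stays at whatever the base system configures; if level 0 is meant to be at least as strict as level 1 it should also set `"kernel.unprivileged_bpf_disabled" = lib.mkDefault 1;`. The option description has typos (`Aceess`, `priviledged`) and should state plainly that any value other than 0 or 1 applies no BPF restriction at all.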
@@ -0,0 +1,336 @@
+# Copyright 2024-2025 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.ghaf.security;
+in {
+ options.ghaf.security = {
+ users = {
+ strong-password = {
+ enable = lib.mkOption {
+ description = ''
+ Enforce Strong password for each user.
+ '';
+ type = lib.types.bool;
+ default = false;
+ };
+
+ min-passwd-len = lib.mkOption {
+ description = ''
+ Minimum password length.
+ '';
+ type = lib.types.int;
+ default = 8;
+ };
+ };
+
+ encrypt_home.enable = lib.mkOption {
+ description = ''
+ Enable encryption of user's data stored in 'Home' directory.
+ '';
+ type = lib.types.bool;
+ default = false;
+ };
+
+ root.enable = lib.mkOption {
+ description = ''
+ Disable root login.
+ '';
+ type = lib.types.bool;
+ default = true;
+ };
+
+ sudo = {
+ enable = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = ''
+ Whether to enable the {command}`sudo` command, which
+ allows non-root users to execute commands as root.
+ '';
+ };
+
+ extraConfig = lib.mkOption {
+ type = lib.types.lines;
+ default = "";
+ description = ''
+ Extra configuration text appended to {file}`sudoers`.
+ '';
+ };
+ };
+ };
+
+ system-security = {
+ enable = lib.mkOption {
+ description = ''
+ Enables basic linux security mechanism.
+ '';
+ type = lib.types.bool;
+ default = false;
+ };
+ lock-kernel-modules = lib.mkOption {
+ description = ''
+ Lock dynamic kernel modules.
+ '';
+ type = lib.types.bool;
+ default = true;
+ };
+ memory-allocator = lib.mkOption {
+ description = ''
+ Memory allocator.
+ Options: "libc", "graphene-hardened", "jemalloc", "mimalloc", "scudo"
+ '';
+ type = lib.types.enum ["libc" "graphene-hardened" "jemalloc" "mimalloc" "scudo"];
+ default = "libc";
+ };
+ misc = {
+ enable-all = lib.mkOption {
+ description = ''
+ Enable additional security features, which may affect performance. Specific options can be
+ activated individually to achieve a balance between performance and security.
+ '';
+ type = lib.types.bool;
+ default = false;
+ };
+ disableHyperthreading = lib.mkOption {
+ description = ''
+ Disable hyperthreading. Disabling hyperthreading means that only physical
+ CPU cores will be usable at runtime, potentially at significant performance cost.
+ '';
+ type = lib.types.bool;
+ default = false;
+ };
+ vm-flushL1DCache = lib.mkOption {
+ description = ''
+ Flush L1 data cache every time the hypervisor enters the guest. It provides security
+ May incur significant performance cost.
+ '';
+ type = lib.types.bool;
+ default = false;
+ };
+ isolatePageTables = lib.mkOption {
+ description = ''
+ Isolate kernel and userspace page tables. This separation
+ helps prevent user-space applications from accessing
+ kernel space memory, which is crucial for maintaining
+ system stability and security.
+ Performance impact on system call, context switch.
+ '';
+ type = lib.types.bool;
+ default = false;
+ };
+ enableASLR = lib.mkOption {
+ description = ''
+ Randomize user virtual address space. It disrupts the
+ predictability of memory layouts and makes it harder for
+ attackers to exploit memory related vulnerabilities.
+ May slightly impact performance, may increase boot time.
+ '';
+ type = lib.types.bool;
+ default = false;
+ };
+ randomizePageFreeList = lib.mkOption {
+ description = ''
+ Randomize free memory pages managed by the page allocator.
+ This randomization lowers risk against certain lib.types of attacks
+ that exploit predictable memory allocation patterns.
+ May slightly impact performance, may increase boot time.
+ '';
+ type = lib.types.bool;
+ default = false;
+ };
+ randomizeKStackOffset = lib.mkOption {
+ description = ''
+ Randomizes the offset of the kernel stack to enhance security
+ against certain lib.types of attacks, such as stack-based buffer
+ overflows or exploits that rely on knowing the exact layout of
+ the kernel stack.
+ May slightly impact performance.
+ '';
+ type = lib.types.bool;
+ default = false;
+ };
+ };
+ };
+ };
+ config = lib.mkMerge [
+ ## User account security
+ {
+ # root account
+ nix = {
+ settings.allowed-users = ["root"];
+ };
+
+ # There is no possible string to hash to just “!”
+ users.users.root = lib.mkIf (!cfg.users.root.enable) {
+ hashedPassword = lib.mkForce "!";
+ };
+
+ # Enforce strong password
+ security.pam = {
+ services = let
+ minlen = config.ghaf.security.users.strong-password.min-passwd-len;
+ in {
+ passwd = lib.mkIf cfg.users.strong-password.enable {
+ text = ''
+ auth required pam_unix.so shadow nullok
+ auth required pam_faillock.so authfail audit deny=3 unlock_time=900
+ account required pam_unix.so
+ account sufficient pam_localuser.so
+ password requisite ${pkgs.libpwquality.lib}/lib/security/pam_pwquality.so retry=3 minlen=${toString minlen} dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 enforce_for_root=true
+ password required pam_unix.so use_authtok shadow
+ session required pam_unix.so
+ '';
+ };
+ };
+
+ # Encrypt user's data stored in 'Home' directory
+ enableFscrypt = cfg.users.encrypt_home.enable;
+ };
+
+ ## sudo administartion
+ security.sudo = {
+ inherit (cfg.users.sudo) enable;
+ inherit (cfg.users.sudo) extraConfig;
+ };
+ }
+
+ ## Linux security
+ (lib.mkIf cfg.system-security.enable {
+ services.openssh = {
+ extraConfig = lib.optionalString config.ghaf.profiles.release.enable ''
+ AllowTcpForwarding yes
+ X11Forwarding no
+ AllowAgentForwarding no
+ AllowStreamLocalForwarding no
+ AuthenticationMethods publickey
+ '';
+ };
+
+ # Disable loading and execution of new kernel
+ security.protectKernelImage = lib.mkDefault config.ghaf.profiles.release.enable;
+
+ # Disable user namespace cloning for unprivileged users
+ security.unprivilegedUsernsClone = lib.mkDefault false;
+
+ # Disable Hyperthreading (To reduce risk of side channel attack)
+ security.allowSimultaneousMultithreading = lib.mkDefault (!(cfg.system-security.misc.disableHyperthreading || cfg.system-security.misc.enable-all));
+
+ # Flush L1 Data cache before entering guest vm
+ security.virtualisation.flushL1DataCache = lib.mkIf (cfg.system-security.misc.vm-flushL1DCache || cfg.system-security.misc.enable-all) (lib.mkDefault "always");
+
+ # Enforce page table isolation
+ security.forcePageTableIsolation = lib.mkDefault (cfg.system-security.misc.isolatePageTables || cfg.system-security.misc.enable-all);
+
+ # Disable dynamic kernel modules
+ security.lockKernelModules = lib.mkDefault cfg.system-security.lock-kernel-modules;
+
+ environment.memoryAllocator.provider = cfg.system-security.memory-allocator;
+ environment.variables = lib.mkIf (cfg.system-security.memory-allocator == "scudo") {
+ SCUDO_OPTIONS = lib.mkDefault "ZeroContents=1";
+ };
+
+ boot.tmp.useTmpfs = lib.mkForce true;
+
+ boot.kernel.sysctl = {
+ # Disable loading of new kernel
+ "kernel.kexec_load_disabled" = lib.mkForce config.ghaf.profiles.release.enable;
+
+ # Disable ptrace
+ "kernel.yama.ptrace_scope" = lib.mkForce 3;
+
+ # Completely hide kernel pointers
+ "kernel.kptr_restrict" = lib.mkForce 2;
+
+ # Disable ftrace
+ "kernel.ftrace_enabled" = lib.mkDefault false;
+
+ # Randomize address space including heap
+ "kernel.randomize_va_space" = lib.mkIf (cfg.system-security.misc.enableASLR || cfg.system-security.misc.enable-all) (lib.mkForce 2);
+
+ # Restrict core dump
+ "fs.suid_dumpable" = lib.mkForce 0;
+
+ # Restrict kernel log
+ "kernel.dmesg_restrict" = lib.mkIf config.ghaf.profiles.release.enable (lib.mkForce 1);
+
+ # Disable user space page fault handling
+ "vm.unprivileged_userfaultfd" = lib.mkForce 0;
+
+ # Disable SysRq key
+ "kernel.sysrq" = lib.mkForce 0;
+
+ # Disable loading of line descipline kernel module of TTY device
+ # The line descipline module provides an interface between the low-level driver handling a TTY device
+ # and user terminal application
+ "dev.tty.ldisc_autoload" = lib.mkForce 0;
+
+ # This will avoid unintentional writes to an attacker-controlled FIFO/Regular file.
+ # Extend the restriction to group sticky directories
+ "fs.protected_fifos" = lib.mkForce 0;
+ "fs.protected_regular" = lib.mkForce 2;
+
+ # Allow only root to access perf events
+ "kernel.perf_event_paranoid" = lib.mkForce 3;
+ };
+
+ boot.blacklistedKernelModules = [
+ # Obscure network protocols
+ "ax25"
+ "netrom"
+ "rose"
+
+ # Old or rare or insufficiently audited filesystems
+ "adfs"
+ "affs"
+ "bfs"
+ "befs"
+ "cramfs"
+ "efs"
+ "erofs"
+ "exofs"
+ "freevxfs"
+ "f2fs"
+ "hfs"
+ "hpfs"
+ "jfs"
+ "minix"
+ "nilfs2"
+ "ntfs"
+ "omfs"
+ "qnx4"
+ "qnx6"
+ "sysv"
+ "ufs"
+ ];
+ boot.kernelParams =
+ [
+ # Fill freed pages and heap objects with zeroes
+ "init_memory=0"
+
+ # Panic on any uncorrectable errors through the machine check exception system
+ "mce=0"
+ ]
+ ++ lib.optionals (cfg.system-security.misc.randomizePageFreeList || cfg.system-security.misc.enable-all) [
+ # Page allocation randomization
+ "page_alloc.shuffle=1"
+ ]
+ ++ lib.optionals (cfg.system-security.misc.randomizeKStackOffset || cfg.system-security.misc.enable-all) [
+ # Kernel stack offset randomization
+ "randomize_kstack_offset=on"
+ ]
+ ++ lib.optionals config.ghaf.profiles.debug.enable [
+ # To identify and fix potential vulnerability.
+ "slub_debug=FZPU"
+ ]
+ ++ lib.optionals config.ghaf.security.network.ipsecurity.enable [
+ # Disable IPv6 to reduce attack surface.
+ "ipv6.disable=1"
+ ];
+ })
+ ];
+}
From a5ffa7b5c3936472842c8945de82f5629ba96678 Mon Sep 17 00:00:00 2001
From: Ganga Ram
Date: Tue, 11 Jun 2024 16:21:45 +0400
Subject: [PATCH 7/8] Enable basic security features in VMs
Signed-off-by: Ganga Ram
---
 .../virtualization/microvm/adminvm.nix | 10 +++++
 .../microvm/virtualization/microvm/appvm.nix | 10 +++++
 .../virtualization/microvm/audiovm.nix | 10 +++++
 .../microvm/virtualization/microvm/guivm.nix | 11 +++++
 .../virtualization/microvm/microvm-host.nix | 42 ++++++++++++-------
 .../microvm/virtualization/microvm/netvm.nix | 10 +++++
 modules/reference/appvms/chromium.nix | 2 +
 7 files changed, 80 insertions(+), 15 deletions(-)
diff --git a/modules/microvm/virtualization/microvm/adminvm.nix b/modules/microvm/virtualization/microvm/adminvm.nix
index 387b39824..5fe78b84a 100644
--- a/modules/microvm/virtualization/microvm/adminvm.nix
+++ b/modules/microvm/virtualization/microvm/adminvm.nix
@@ -32,6 +32,16 @@
 withPolkit = true;
 withDebug = configHost.ghaf.profiles.debug.enable;
 };
+ security = {
+ users.strong-password.enable = true;
+ users.root.enable = false;
+ users.sudo.enable = true;
+ system-security.enable = true;
+ system-security.lock-kernel-modules = lib.mkDefault configHost.ghaf.profiles.release.enable;
+ network.ipsecurity.enable = true;
+ network.bpf-access-level = lib.mkForce 1; # Provide BPF access to privileged users
+ fail2ban.enable = true;
+ };
 };
 system.stateVersion = lib.trivial.release;
diff --git a/modules/microvm/virtualization/microvm/appvm.nix b/modules/microvm/virtualization/microvm/appvm.nix
index a8fb2256c..96f4b40d1 100644
--- a/modules/microvm/virtualization/microvm/appvm.nix
+++ b/modules/microvm/virtualization/microvm/appvm.nix
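Review bot: The ten-line `security = { … }` block added to adminvm here is repeated verbatim in the appvm, audiovm, guivm, microvm-host and netvm hunks of this patch, so the per-VM security baseline will drift the first time one copy is edited; a shared module under modules/common that sets these values once (with each VM file carrying only its deviations) would keep the baseline reviewable in one place. Within the block, `network.bpf-access-level = lib.mkForce 1;` makes the level unoverridable per VM or per profile, while the neighbouring `lock-kernel-modules` line already shows the softer pattern — `network.bpf-access-level = lib.mkDefault 1;` expresses the same baseline and stays tunable. The trailing comment should also state what level 1 means on the option's scale rather than "privileged users", since the option's definition is not part of this patch and a reader cannot check it here. The enclosing attribute set opens before the hunk.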
@@ -65,6 +65,16 @@
 withDebug = configHost.ghaf.profiles.debug.enable;
 withHardenedConfigs = true;
 };
+ security = {
+ users.strong-password.enable = true;
+ users.root.enable = false;
+ users.sudo.enable = true;
+ system-security.enable = true;
+ system-security.lock-kernel-modules = lib.mkDefault configHost.ghaf.profiles.release.enable;
+ network.ipsecurity.enable = true;
+ network.bpf-access-level = lib.mkForce 1; # Provide BPF access to privileged users
+ fail2ban.enable = true;
+ };
 };
 # SSH is very picky about the file permissions and ownership and will
diff --git a/modules/microvm/virtualization/microvm/audiovm.nix b/modules/microvm/virtualization/microvm/audiovm.nix
index d1df382d8..a5637efbb 100644
--- a/modules/microvm/virtualization/microvm/audiovm.nix
+++ b/modules/microvm/virtualization/microvm/audiovm.nix
@@ -38,6 +38,16 @@
 withDebug = configHost.ghaf.profiles.debug.enable;
 };
 services.audio.enable = true;
+ security = {
+ users.strong-password.enable = true;
+ users.root.enable = false;
+ users.sudo.enable = true;
+ system-security.enable = true;
+ system-security.lock-kernel-modules = lib.mkDefault configHost.ghaf.profiles.release.enable;
+ network.ipsecurity.enable = true;
+ network.bpf-access-level = lib.mkForce 1; # Provide BPF access to privileged users
+ fail2ban.enable = true;
+ };
 };
 environment = {
diff --git a/modules/microvm/virtualization/microvm/guivm.nix b/modules/microvm/virtualization/microvm/guivm.nix
index 21fdd49ce..44b4bb18d 100644
--- a/modules/microvm/virtualization/microvm/guivm.nix
+++ b/modules/microvm/virtualization/microvm/guivm.nix
@@ -45,6 +45,17 @@
 withDebug = configHost.ghaf.profiles.debug.enable;
 withHardenedConfigs = true;
 };
+
+ security = {
+ users.strong-password.enable = true;
+ users.root.enable = false;
+ users.sudo.enable = true;
+ system-security.enable = true;
+ system-security.lock-kernel-modules = lib.mkDefault configHost.ghaf.profiles.release.enable;
+ network.ipsecurity.enable = true;
+ network.bpf-access-level = lib.mkForce 1; # Provide BPF access to privileged users
+ fail2ban.enable = true;
+ };
 };
 systemd.services."waypipe-ssh-keygen" = let
diff --git a/modules/microvm/virtualization/microvm/microvm-host.nix b/modules/microvm/virtualization/microvm/microvm-host.nix
index 4f004d98d..4e610b694 100644
--- a/modules/microvm/virtualization/microvm/microvm-host.nix
+++ b/modules/microvm/virtualization/microvm/microvm-host.nix
@@ -15,21 +15,33 @@ in {
 config = lib.mkIf cfg.enable {
 microvm.host.enable = true;
- ghaf.systemd = {
- withName = "host-systemd";
- enable = true;
- boot.enable = true;
- withPolkit = true;
- withTpm2Tss = pkgs.stdenv.hostPlatform.isx86;
- withRepart = true;
- withFido2 = true;
- withCryptsetup = true;
- withTimesyncd = cfg.networkSupport;
- withNss = cfg.networkSupport;
- withResolved = cfg.networkSupport;
- withSerial = config.ghaf.profiles.debug.enable;
- withDebug = config.ghaf.profiles.debug.enable;
- withHardenedConfigs = true;
+ ghaf = {
+ systemd = {
+ withName = "host-systemd";
+ enable = true;
+ boot.enable = true;
+ withPolkit = true;
+ withTpm2Tss = pkgs.stdenv.hostPlatform.isx86;
+ withRepart = true;
+ withFido2 = true;
+ withCryptsetup = true;
+ withTimesyncd = cfg.networkSupport;
+ withNss = cfg.networkSupport;
+ withResolved = cfg.networkSupport;
+ withSerial = config.ghaf.profiles.debug.enable;
+ withDebug = config.ghaf.profiles.debug.enable;
+ withHardenedConfigs = true;
+ };
+ security = {
+ users.strong-password.enable = true;
+ users.root.enable = false;
+ users.sudo.enable = true;
+ system-security.enable = true;
+ system-security.lock-kernel-modules = lib.mkDefault config.ghaf.profiles.release.enable;
+ network.ipsecurity.enable = true;
+ network.bpf-access-level = lib.mkForce 1; # Provide BPF access to privileged users
+ fail2ban.enable = true;
+ };
 };
 # TODO: remove hardcoded paths
diff --git a/modules/microvm/virtualization/microvm/netvm.nix b/modules/microvm/virtualization/microvm/netvm.nix
index 8b43c4525..3229cf9a6 100644
--- a/modules/microvm/virtualization/microvm/netvm.nix
+++ b/modules/microvm/virtualization/microvm/netvm.nix
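Review bot: `system-security.enable = true;` is applied to the host here, and the system.nix hunk earlier in this series shows what that switches on for the host kernel: `boot.tmp.useTmpfs = lib.mkForce true`, `security.unprivilegedUsernsClone = lib.mkDefault false`, `"kernel.yama.ptrace_scope" = lib.mkForce 3` and, via `network.ipsecurity.enable = true`, the `ipv6.disable=1` kernel parameter — nothing in this patch shows that the microvm launcher and host networking were exercised under those settings, so either a boot test or a comment on this line recording that check is needed. The same sysctl set that this line activates contains `"fs.protected_fifos" = lib.mkForce 0;`, which turns the FIFO protection off although its own comment describes extending it; it should read `"fs.protected_fifos" = lib.mkForce 2;` to match `fs.protected_regular`, and `"init_memory=0"` is not a documented kernel parameter for the zeroing its comment describes (that is `init_on_free=1`). Both of those lines sit outside this hunk but become host-effective through it. Folding `ghaf.systemd` into the `ghaf = { systemd = …; security = …; }` set is fine as written; the enclosing `config = lib.mkIf cfg.enable {` set closes after the hunk.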
@@ -43,6 +43,16 @@
 withDebug = configHost.ghaf.profiles.debug.enable;
 withHardenedConfigs = true;
 };
+ security = {
+ users.strong-password.enable = true;
+ users.root.enable = false;
+ users.sudo.enable = true;
+ system-security.enable = true;
+ system-security.lock-kernel-modules = lib.mkDefault configHost.ghaf.profiles.release.enable;
+ network.ipsecurity.enable = true;
+ network.bpf-access-level = lib.mkForce 1; # Provide BPF access to privileged users
+ fail2ban.enable = true;
+ };
 };
 system.stateVersion = lib.trivial.release;
diff --git a/modules/reference/appvms/chromium.nix b/modules/reference/appvms/chromium.nix
index 86d07860a..10b697b10 100644
--- a/modules/reference/appvms/chromium.nix
+++ b/modules/reference/appvms/chromium.nix
@@ -61,6 +61,8 @@ in {
 microvm.devices = [];
 ghaf.programs.chromium.enable = true;
+ ghaf.security.apparmor.enable = true;
+ ghaf.security.apparmor.apps.chromium.enable = true;
 # Set default PDF XDG handler
 xdg.mime.defaultApplications."application/pdf" = "ghaf-pdf.desktop";
From 74afc891047af3108533fa2ec534c69943057fd8 Mon Sep 17 00:00:00 2001
From: Ganga Ram
Date: Thu, 13 Jun 2024 13:33:07 +0400
Subject: [PATCH 8/8] security options update
- use icons for jailed firefox and chromium from icon pack
- users options set to default in all VMs
- KASLR option removed as it is by default enabled in kernel
- sysrq disabled only in release build
- fail2ban enabled in net-vm only
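Review bot: `network.ipsecurity.enable = true;` in netvm inherits the `ipv6.disable=1` kernel parameter that the system.nix hunk earlier in this series attaches to that option, so the VM that provides connectivity becomes IPv4-only without the file saying so; add `# ipsecurity also passes ipv6.disable=1, so netvm carries no IPv6 traffic` beside the line, or gate the option if IPv6 pass-through is expected. In the chromium.nix hunk on the same line, `ghaf.security.apparmor.apps.chromium.enable = true;` is enabled in a VM that presumably goes through appvm.nix, which this patch also hardens with `system-security.enable = true` (and thereby `security.unprivilegedUsernsClone = lib.mkDefault false`); whether Chromium's sandbox starts under both the AppArmor profile and that namespace restriction is not demonstrated here, so the commit message should record a boot test of the chromium appvm in the debug and release profiles. Both enclosing attribute sets open before their hunks.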
Signed-off-by: Ganga Ram
---
 assets/icons/png/chromium.png | Bin 5090 -> 0 bytes
 assets/icons/png/firefox.png | Bin 1431 -> 0 bytes
 modules/common/security/firejail/default.nix | 12 +++---
 modules/common/security/system.nix | 35 +++----------------
 .../virtualization/microvm/adminvm.nix | 4 --
 .../microvm/virtualization/microvm/appvm.nix | 4 --
 .../virtualization/microvm/audiovm.nix | 4 --
 .../microvm/virtualization/microvm/guivm.nix | 4 --
 .../virtualization/microvm/microvm-host.nix | 4 --
 .../microvm/virtualization/microvm/netvm.nix | 3 --
 10 files changed, 12 insertions(+), 58 deletions(-)
 delete mode 100644 assets/icons/png/chromium.png
 delete mode 100644 assets/icons/png/firefox.png
diff --git a/assets/icons/png/chromium.png b/assets/icons/png/chromium.png deleted file mode 100644 index 553052f9da04130ae999e5375f1cc37f0c8cf3ea..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5090 zcmeHKc~lcu7atZkte|ZL7myIJifNL`LPA2qVn7HIi+~^q;$&t*BH2g=2w1g6YDGZ= zt)ie{tJT`N;L=kIR8%NM)`CR~f)uTls-U%eB2es0K*aO)obPzf*Z)k;Wai!XyT5nu z@80)LCL?&6|1_&PRuBYD69@Q)fcqTdHF+ZV{UR`^9^5KY!&VX@NHR&Q)5sJ`oJ6E( zaT0D&$RNnjstR6ZeF=VJu))=R@#=d`w+PrpUH(YiO0+^t`*Oe0m6Z=~5dLDjCZrKR z7qZmn$b-Y5mTg4L&iQOvZ{6uZ+TdrEV0gfpE|!ATU>i5yt0v!wuO|5 z1Xb5E@3^>5xcMkC8;b4i64X4qQTSOz-KsYxZ>cy_3#+=Ob#+VHI!oWP$LB}R_gpZK z)ty$69UURqa4VXK?A*JYwe!G&?Qd?Yv<~OzeG-&q$aVjGE&tc4k=ZNiR~4KK%sSUo z9XqS~9;GJw2ru2mw%BqC`R%L0OD1r-&i;OAWkB^OKLgj;^m3645+Kd~_R zV~=%%PlCR@;CS??u5^OEK?T~*paAW)QWC^RH7Xi{X{0#KpwfcAgCK#IL5raAI6;!) zaSFAN+*@*iOj2M%a)g@%mS{z|ToI6}!$VV-g`uhOC=Vlhd0Gh!d_bVW34~-&Db;$u zK}a_7^1-vwOed2}5F%bkUMUGCi8MN##HO)nFxAhXNMe#btw;hLCgX?rE*Yf&BOzH% z5L!N+o}8RaOJ>nDx;Q$6$K%mqCY{No0t8i`q9zanRjqe6QjBo;;(Ao4&=Lxbnq=fe zq?$xRNG5}M()0LKT8U(gUacQh0q8+DAX++u2Gdn4`gjjL;gkCY;ApVCa~?Hc_WErGue#T#2gyR1a2VytJghSQ0$uVU!?Fq0*YXfY>h~ z35D#1STDt9oH3;{J`mtO#`_ZbdG01KKuIKgUk#dQ3{UJUBpcV~V;WR}@lB7oJB%@K zgiU2J+}){c7KcaWA#N-x3uC|to5$o~9C#d+Sgj`zHHsUl069$ocz9BtyA0*PR5k~A zv)wQ$6>&o`D#}3-1`lDn@nGpViuZI1(3OaCd{jm%3{c_jD3`m^*`sa~UkmM1`UJB^sRy0p(PvkT{&KRmYhojDquhg2h5IlQt5#$r7wY2pMn? 
zl7kfLM8gYcm_mhz5{OYv2A2UdS#C_A0f)?T zd_-ZuH8O?D5p^66PLI)ceQsC$Ln~lh9s}jMaj7T^ky6?2u$0P!88DT@1GPk?up1Y3 zH>ohjuGh$jWJHJi!~q?FR-ipiT9Fo-3g!ATI$4ezs{jO}!Yt~TU@Xq4VD!<1>BckT zdBy_ze`z8x0mdCNz;DC`4li&P(#HDbrt#28QnoV(IWzuE^?bw<7At_>dFHt}LryaA-c_pcH_KJJw0i#)`IowZo{?h@@tv&SEBP}HAQ@eiK$({)R&IfN*2Mz2_Xui6* zy4f2tFTdtWouQm^CG$WPxyJ6mo6__c)TdG0sZx^2o!9nBv^6Hd(TN3zCAp6}Ul9e6!^tcZoQ+NPUnqAHtDvkEGI>iPVSA}HWG zKkQii%sVn!B<1*=VgDx8=@qAII6=9tQ!+I(MY2DKpoedjUs;<&KN)lJ-Mx3iqVIb> zC7;}G9eRa!O543Cdjs8qG#Jx=Q?ONEnC%hT9Of8)s>X`5EzL!|L}l@#;r?%R_GPEf z-%C2`yIy#;Z<;M-!r7cNyJUCHKdG*;wJhSqN;!Qqf4!lxBqIXrnI+2j%}@c`R#YMH ze*A=-PyMs-M{UZD+SsAhd0U^>L@c-GU?pT-#w;J?vr6@fyS*FcY1{+)d~ybwj!h3M zi75Iup9_C%4(! zR-JmDtUHfd)}2+RpC`v}w0&gbI5TZXQ(8N4*{Uy4a+|5LlvvHZX6IG3#5}#j>!Zqh zL;hm#`2~Wk_M6p#>V%S`%arZTUshk@_O4HIFdY2k$niE&XDwnMlQoqhzTUbbQ2!)y zfU(Vas6hL^@2z5sRr`_kw`OFe{E^?kdv+`~JXIF_2cH!vwHKR-LjOjN$+Os+$$Pks%uJkOAq6p)ILC{)lA5!9wFX$!Gq*B|TkdiQwu z?Abl@zQe`Fu0xS3At6Q@X-0F-^P73+eSZW0<7Pf>{qCnPo})SUgkP<~`@vjy?L!PlAQJE)~xnYlQU@#xoe_ zSSU|X3_@;gb&=GP8Sa>{yE+%P-hZ~yT&U*U@b^&^*@FV!-r$jT^z~6X{L#_o;;&3? z=GoxT6bxdDSN}l%jn^oSlzuFqA5yWF$P{74KylBmsxb^L+YUA4C$&-sf_=yvg zYqjS+&wq0MQ07=odz7P(D6hUtX=jb{6W^j@4-^Cbv2c%{HL3 zf{X?Y)P1Q^sdldra9V9ezH zTT37C_bZo4m);|3Z%{dY7Mug;P*IBI61BM|Q`6Jr=N8#`{R$#d^iCa)DqqWka-mLMrSO3D1(?_WtZs1f&wl@eW zb;hkVoYMz^UjzW{t=3o6S_*|C7=u$qRY{T6kCw@lXXxo+lFlYLN48YM4tBAl0V0Bk#i`x^ zTmXpiyq_7&cdbnkEd3~As#HeB;@Oy;tCuMhi{uMMynK<}AtY+SW%0a_APDJqK0;J( z3kXi!>-$!r#(OykLuajEtq>0e^tv5}aZE0k0}~+XlLpfa4n0CAog*62qNh#cev?;=N@~byS@ETIv(S2x2@LT`5t8JP`QtwI765#F^(hDj?gq_ zu>30HxQ!hrh_#4V#Ogmp(i4CNdjew9?`3njUjxK({IMNcFyjr(?mFX4onY!NjGt%R z-(c9jj-<(c+(jlSZr}%i-f;qevkyG{Q&o8;84ei^V|+g#P1BD*a1K?$sqVvc4}QCT zoa*nKb6Io%0EoA@$2;3wKQEOl z@2klDB2rVCgk{g8R2AoRk~JzTPW46S-19*6@4QcY^!<8s{)-^z)!I|eX