From 5af2c60bdbaabb2e87ea19bdaf5cb273f9ad75bf Mon Sep 17 00:00:00 2001
From: Richie Cahill
Date: Sat, 13 Jan 2024 22:20:01 -0500
Subject: [PATCH] Securing jeevesjr (#39)
* secured openssh
* removing MaxSessions
* setup endlessh
* set openssh logging to VERBOSE
* fix
* got MaxSessions working
* set ClientAliveCountMax
* setup usbguard
* updated central openssh settings
* added sysstat service
* add auditd
* testing lynis setting
* fixed typo
* setup login.defs
* removed login.defs
* updated ChallengeResponseAuthentication to no
* made LogLevel a Default
Co-authored-by: Dennis <52411861+DerDennisOP@users.noreply.github.com>
---------
Co-authored-by: Dennis <52411861+DerDennisOP@users.noreply.github.com>
---
 systems/configuration.nix | 10 +++++--
 systems/jeeves-jr/configuration.nix | 44 +++++++++++++++++++++++++++--
 2 files changed, 49 insertions(+), 5 deletions(-)
diff --git a/systems/configuration.nix b/systems/configuration.nix
index 0815e35..e9520da 100644
--- a/systems/configuration.nix
+++ b/systems/configuration.nix
@@ -53,15 +53,21 @@
 }
 ];
+ # all of these setting are recommended by lynis unless otherwise commented
 settings = {
- ClientAliveCountMax = 10;
+ AllowAgentForwarding = "no";
+ AllowTcpForwarding = "no";
+ ChallengeResponseAuthentication = "no";
+ ClientAliveCountMax = lib.mkDefault 2;
 Compression = "NO";
 IgnoreRhosts = "yes";
+ LogLevel = lib.mkDefault "VERBOSE";
 MaxAuthTries = 3;
- MaxSessions = 10;
+ MaxSessions = lib.mkDefault 2;
 PasswordAuthentication = false;
 PermitEmptyPasswords = "no";
 PermitRootLogin = "no";
+ TcpKeepAlive = "no";
 KexAlgorithms = [
 "curve25519-sha256@libssh.org"
diff --git a/systems/jeeves-jr/configuration.nix b/systems/jeeves-jr/configuration.nix
index 2866819..9795317 100644
--- a/systems/jeeves-jr/configuration.nix
+++ b/systems/jeeves-jr/configuration.nix
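Review bot: `ClientAliveCountMax = lib.mkDefault 2;` only takes effect when `ClientAliveInterval` is non-zero, and sshd's built-in default for that is 0, so unless it is set outside this hunk dead or idle sessions are never reaped — and `TcpKeepAlive = "no";` in the same hunk removes the kernel-level fallback that would otherwise notice a vanished peer. Add `ClientAliveInterval = lib.mkDefault 300;` beside it (lynis recommends the pair together). `ChallengeResponseAuthentication` is the deprecated alias of `KbdInteractiveAuthentication` (OpenSSH 8.7+); if the NixOS module in use emits its own `KbdInteractiveAuthentication` default (recent releases do), the result depends on which keyword sshd reads first, so prefer `KbdInteractiveAuthentication = false;` over the alias. The block also mixes a boolean (`PasswordAuthentication = false`) with `"no"`/`"yes"` strings; one form throughout would make the generated sshd_config easier to audit.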
@@ -33,17 +33,55 @@
 };
 };
- environment.systemPackages = with pkgs; [
- docker-compose
- ];
+ environment = {
+ systemPackages = with pkgs; [
+ docker-compose
+ ];
+
+ etc = {
+ # Creates /etc/lynis/custom.prf
+ "lynis/custom.prf" = {
+ text = ''
+ skip-test=BANN-7126
+ skip-test=BANN-7130
+ skip-test=DEB-0520
+ skip-test=DEB-0810
+ skip-test=FIRE-4513
+ skip-test=HRDN-7222
+ skip-test=KRNL-5820
+ skip-test=LOGG-2190
+ skip-test=LYNIS
+ skip-test=TOOL-5002
+ '';
+ mode = "0440";
+ };
+ };
+ };
+
+
+ security.auditd.enable = true;
 services = {
 nfs.server.enable = true;
+ endlessh-go = {
+ enable = true;
+ port = 22;
+ };
+
 openssh.ports = [ 352 ];
 smartd.enable = true;
+ sysstat.enable = true;
+
+ usbguard = {
+ enable = true;
+ rules = ''
+ allow id 1532:0241
+ '';
+ };
+
 zfs = {
 trim.enable = true;
 autoScrub.enable = true;
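Review bot: The usbguard rule `allow id 1532:0241` authorises on vendor:product id alone, which any device can present, and because the module's implicit policy target defaults to block it is also the only device that will ever be authorised, so a replacement keyboard or a hardware token is rejected until the rule list grows. Pin the device with the descriptor hash or serial usbguard reports (`allow id 1532:0241 serial "..." hash "..."` from `usbguard list-devices`) and add a comment naming what 1532:0241 is, e.g. `# Razer keyboard, the only console input device — confirm before changing`. `security.auditd.enable = true;` starts the daemon, but no rules are defined in this hunk (`security.audit.rules`), so unless they live elsewhere the log will carry little beyond daemon start/stop. The lynis `skip-test=` list silences findings such as HRDN-7222 and KRNL-5820 without saying why; a one-line reason per entry (`skip-test=KRNL-5820 # core dumps needed for ...`) keeps the skips reviewable later.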