Securing jeevesjr (#39)

* secured openssh * removing MaxSessions * setup endlessh * set openssh logging to VERBOSE * fix * got MaxSessions working * set ClientAliveCountMax * setup usbguard * updated central openssh settings * added sysstat service * add auditd * testing lynis setting * fixed typo * setup login.defs * removed login.defs * updated ChallengeResponseAuthentication to no * made LogLevel a Default Co-authored-by: Dennis <52411861+DerDennisOP@users.noreply.github.com> --------- Co-authored-by: Dennis <52411861+DerDennisOP@users.noreply.github.com>
2024-01-13 22:20:01 -05:00 · 2024-01-13 22:20:01 -05:00 · 5af2c60bdb
commit 5af2c60bdb
parent fb4039022d
2 changed files with 49 additions and 5 deletions
--- a/systems/configuration.nix
+++ b/systems/configuration.nix
@ -53,15 +53,21 @@
        }
      ];

+      # all of these setting are recommended by lynis unless otherwise commented
      settings = {
-        ClientAliveCountMax = 10;
+        AllowAgentForwarding = "no";
+        AllowTcpForwarding = "no";
+        ChallengeResponseAuthentication = "no";
+        ClientAliveCountMax = lib.mkDefault 2;
        Compression = "NO";
        IgnoreRhosts = "yes";
+        LogLevel = lib.mkDefault "VERBOSE";
        MaxAuthTries = 3;
-        MaxSessions = 10;
+        MaxSessions = lib.mkDefault 2;
        PasswordAuthentication = false;
        PermitEmptyPasswords = "no";
        PermitRootLogin = "no";
+        TcpKeepAlive = "no";

        KexAlgorithms = [
          "curve25519-sha256@libssh.org"
--- a/systems/jeeves-jr/configuration.nix
+++ b/systems/jeeves-jr/configuration.nix
@ -33,17 +33,55 @@
    };
  };

-  environment.systemPackages = with pkgs; [
-    docker-compose
-  ];
+  environment = {
+    systemPackages = with pkgs; [
+      docker-compose
+    ];
+
+    etc = {
+      # Creates /etc/lynis/custom.prf
+      "lynis/custom.prf" = {
+        text = ''
+          skip-test=BANN-7126
+          skip-test=BANN-7130
+          skip-test=DEB-0520
+          skip-test=DEB-0810
+          skip-test=FIRE-4513
+          skip-test=HRDN-7222
+          skip-test=KRNL-5820
+          skip-test=LOGG-2190
+          skip-test=LYNIS
+          skip-test=TOOL-5002
+        '';
+        mode = "0440";
+      };
+    };
+  };
+
+
+  security.auditd.enable = true;

  services = {
    nfs.server.enable = true;

+    endlessh-go = {
+      enable = true;
+      port = 22;
+    };
+
    openssh.ports = [ 352 ];

    smartd.enable = true;

+    sysstat.enable = true;
+
+    usbguard = {
+      enable = true;
+      rules = ''
+        allow id 1532:0241
+      '';
+    };
+
    zfs = {
      trim.enable = true;
      autoScrub.enable = true;