veilor-org/veilor-os
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions 1
veilor-os/docs/HARDENING.md
s8n 1c99ae081f
sec: AppArmor profile skeletons + audit shipping draft + veilor-firstboot SELinux module (#3) 
Co-authored-by: veilor-org <admin@veilor.org>
2026-05-02 04:39:39 +01:00

194 lines
7 KiB
Markdown
Raw Blame History

# Hardening Reference
What veilor-os locks down and why. Each item is applied by either the
kickstart `%post` or the overlay tree shipped in `/etc`.
## Boot chain
| Item | State | Source |
|------|-------|--------|
| Secure Boot | Required (bootloader signed) | `bootloader` kickstart line |
| Kernel lockdown | `lockdown=integrity` | bootloader kernel args |
| Slab hardening | `slab_nomerge`, `init_on_alloc=1`, `init_on_free=1` | bootloader |
| Stack offset | `randomize_kstack_offset=on` | bootloader |
| vsyscall | `vsyscall=none` | bootloader |
| LUKS2 | aes-xts-plain64 / argon2id, mem=1GB, time=9 | `part pv.veilor` |
| Module loading | Locked 30s after graphical boot | `veilor-modules-lock.service` |
## Kernel sysctl
`/etc/sysctl.d/99-veilor-hardening.conf`:
| Key | Value | Why |
|-----|-------|-----|
| `kernel.kptr_restrict` | 2 | hide kernel pointers from /proc |
| `kernel.dmesg_restrict` | 1 | dmesg root-only |
| `kernel.yama.ptrace_scope` | 2 | ptrace = parent only |
| `kernel.perf_event_paranoid` | 3 | unprivileged perf disabled |
| `net.core.bpf_jit_harden` | 2 | BPF JIT constant blinding |
| `kernel.randomize_va_space` | 2 | full ASLR |
| `fs.suid_dumpable` | 0 | no SUID core dumps |
| `dev.tty.ldisc_autoload` | 0 | block tty LPE vector |
| `net.ipv4.tcp_syncookies` | 1 | SYN flood mitigation |
| `net.ipv4.conf.all.rp_filter` | 1 | reverse-path filter |
| `accept_source_route` | 0 (v4+v6) | ignore source routing |
| `accept_redirects` | 0 (v4+v6) | ignore ICMP redirects |
## SELinux
- Enforcing, targeted policy.
- Custom module `veilor-systemd` grants `systemd_modules_load_t` the
`sys_admin` and `perfmon` capabilities required by the modules-lock
service. Source: `scripts/selinux/veilor-systemd.te`.
### veilor-firstboot SELinux confinement
The first-boot password service is privileged (it has to write
`/etc/shadow`) but small. Module `veilor-firstboot` carves a tight domain:
- Allowed: read `/etc/passwd`, exec `passwd(1)`, write
`/var/lib/veilor-firstboot.done`, write `/etc/sddm.conf.d/`,
start `sddm.service`.
- `neverallow` rules block: network sockets (no phone-home),
`home_root_t` / `user_home_t` access, `sys_module`, `sys_ptrace`,
`sys_rawio`.
Source: `scripts/selinux/veilor-firstboot.te`. Build & load with
`scripts/selinux/build-policy.sh` (loads all modules in one pass).
## Network surface
- **firewalld** default zone = `drop`.
- **Inbound:** ssh only.
- **systemd-resolved:** LLMNR off, DNSSEC `allow-downgrade`,
DNS-over-TLS opportunistic. Resolvers: Cloudflare (1.1.1.1, 1.0.0.1),
fallback Quad9 (9.9.9.9, 149.112.112.112).
- **chrony:** NTS-authenticated time from `time.cloudflare.com` and
`nts.sth1/2.ntp.se`. Pool fallback only.
## SSH
`/etc/ssh/sshd_config.d/10-veilor-hardening.conf`:
- `PasswordAuthentication no`
- `PermitRootLogin no`
- `AllowUsers admin`
- `X11Forwarding no`
- `MaxAuthTries 3`
- `ClientAliveInterval 300`
- `LogLevel VERBOSE`
## Auth / accounts
- Root account **locked** (`passwd -l root`). No interactive root login.
- Single `admin` user, `wheel` group, full sudo.
- `pwquality.conf`: minlen=14, 4 character classes required, dictcheck.
- **First-boot password flow:** `chage -d 0 admin` expires the empty
password immediately. `veilor-firstboot.service` runs on TTY1 before
SDDM, prompts for new password, then starts the graphical session.
## Audit
`/etc/audit/rules.d/99-veilor-hardening.rules` watches:
- `/etc/passwd`, `/etc/shadow`, `/etc/group`, `/etc/gshadow`
- `/etc/sudoers`, `/etc/sudoers.d/`
- `/etc/ssh/sshd_config*`, `/etc/selinux/`, `/etc/firewalld/`
- `/etc/cron.*`, `/var/spool/cron/`
- `/etc/sysctl.*`, `/etc/systemd/system/`, `/usr/lib/systemd/system/`
- All privileged binaries (sudo, su, passwd, mount, pkexec, etc.)
- Kernel module load/unload syscalls
- Permission/ownership changes by uid≥1000
## Intrusion detection
`fail2ban` jails:
- `sshd` — aggressive mode, 3 retries, 24h ban
- `pam-generic` — 5 retries, 1h ban (catches XDM, su, sudo failures)
Backend: systemd journal. Action: firewalld rich rules.
## USB
`USBGuard` daemon, `ImplicitPolicyTarget=block`.
Ships with **empty allowlist**. On first boot, admin runs:
```bash
sudo usbguard generate-policy > /etc/usbguard/rules.conf
sudo systemctl restart usbguard
```
This snapshots all currently-connected devices into the allowlist.
Anything plugged in afterward is blocked unless explicitly allowed:
```bash
sudo usbguard list-devices
sudo usbguard allow-device <id>
```
## Disabled services
`abrt*`, `cups`, `cups-browsed`, `geoclue`, `avahi-daemon`,
`bluetooth`, `ModemManager`, `gssproxy`, `atd`, `pcscd.socket`,
`pcscd.service`, `kdeconnectd` (removed at package level).
## AppArmor (v0.5)
Fedora 43 ships AppArmor alongside SELinux. veilor-os keeps SELinux as the
primary MAC layer (enforcing, targeted) but ships AppArmor profile
skeletons for high-risk userland binaries that benefit from a second,
binary-scoped policy on top of SELinux's role-based one.
Profiles live in `scripts/apparmor/`:
| Profile | Target | Default mode |
|---------|--------|--------------|
| `usr.bin.thorium` | Thorium browser | `complain` |
| `usr.local.bin.lm-studio` | LM Studio LLM runner | `complain` |
| `usr.bin.veilor-power` | Power profile switcher | `enforce` |
Profiles are **not** loaded automatically — they are opt-in until v0.5.
Enable a profile post-install with:
```bash
sudo dnf install apparmor-utils apparmor-parser
sudo install -m 0644 scripts/apparmor/usr.bin.thorium /etc/apparmor.d/
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.thorium
sudo aa-complain /etc/apparmor.d/usr.bin.thorium # log only
sudo aa-enforce /etc/apparmor.d/usr.bin.thorium # block
```
Refine `complain`-mode profiles with `aa-logprof` after exercising the
app through normal use; it converts logged denials into rule additions
interactively.
## Audit log shipping (optional)
Local journald is the default audit sink. For off-device shipping to a
trusted log collector (Loki / Wazuh / Splunk), veilor-os ships a
disabled-by-default plugin template:
- `/etc/audit/plugins.d/veilor-remote.conf` — auditd plugin shim
(set `active = yes` to enable).
- `/etc/audisp/audisp-remote.conf.disabled` — audisp-remote target
config template (rename to `audisp-remote.conf` and edit
`remote_server` to enable).
**Warning:** enabling remote audit shipping leaks every privileged syscall,
file-watch hit, and auth event off-device. Treat the collector as a host
with the same trust level as root. Only enable if the collector itself is
hardened and the transport is TLS or kerberized.
Reference integration paths in the template: Loki via promtail/vector
syslog source, Wazuh via local wazuh-agent (no network shipping needed),
Splunk via HEC bridge.
## What's *not* enabled by default
- **Disk swap** — replaced by zram (RAM-only, no key leak risk).
- **Bluetooth** — disabled. Enable with `systemctl enable --now bluetooth`.
- **Printing** — CUPS removed. Reinstall if needed: `dnf install cups`.
- **Snapd, Flatpak** — not installed (Flatpak optional add-on).
- **PackageKit** — removed; updates manual via `dnf`.
Reference in a new issue View git blame Copy permalink