wip: fixing baseline role

2025-09-15 19:06:19 +02:00 · 2025-09-15 19:06:19 +02:00 · d01bbd1aa3
commit d01bbd1aa3
parent daf383d981
61 changed files with 58 additions and 974 deletions
--- a/roles/baseline/defaults/main.yaml
+++ b/roles/baseline/defaults/main.yaml
@ -1,2 +1,3 @@
 umask_changes: false
-manage_network: true
+manage_network: true
+allow_ptrace: false
--- a/roles/baseline/files/etc/crypto-policies/back-ends/openssh.config
+++ b/roles/baseline/files/etc/crypto-policies/back-ends/openssh.config
@ -0,0 +1,8 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
+KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
+RequiredRSASize 2048
--- a/roles/baseline/files/etc/dconf/db/local.d/adw-gtk3-dark
+++ b/roles/baseline/files/etc/dconf/db/local.d/adw-gtk3-dark
@ -1,2 +0,0 @@
-[org/gnome/desktop/interface]
-gtk-theme='adw-gtk3-dark'
--- a/roles/baseline/files/etc/dconf/db/local.d/prefer-dark
+++ b/roles/baseline/files/etc/dconf/db/local.d/prefer-dark
@ -1,2 +0,0 @@
-[org/gnome/desktop/interface]
-color-scheme='prefer-dark'
--- a/roles/baseline/files/etc/modprobe.d/workstation-blacklist.conf
+++ b/roles/baseline/files/etc/modprobe.d/workstation-blacklist.conf
@ -39,8 +39,8 @@ install cramfs /bin/false
 install freevxfs /bin/false
 install jffs2 /bin/false
 # I think blacklisting hfs or hfsplus breaks USBs, but not sure
-install hfs /bin/false
-install hfsplus /bin/false
+# install hfs /bin/false
+# install hfsplus /bin/false
 install squashfs /bin/false
 install udf /bin/false
 install cifs /bin/false
--- a/roles/baseline/tasks/main.yaml
+++ b/roles/baseline/tasks/main.yaml
@ -31,7 +31,6 @@
    replace: 'umask 077'
  when: umask_changes == true

-
 - name: Make home directory private
  ansible.builtin.file:
    path: /home/*
@ -48,8 +47,13 @@
  loop:
  - 'etc/ssh/ssh_config.d/10-custom.conf'
  - 'etc/modprobe.d/workstation-blacklist.conf'
-  - 'etc/sysctl.d/99-workstation.conf'
+  - 'etc/crypto-policies/back-ends/openssh.config'

+- name: Kernel sysctl config
+  ansible.builtin.template:
+    src: 'etc/sysctl.d/99-workstation.conf' 
+    dest: '/etc/sysctl.d/99-workstation.conf'
+    mode: '0644'

 - name: Reload sysctl
  shell: 'sysctl -p'
@ -131,6 +135,15 @@
    name: 'hardened_malloc'
    state: 'present'

+- name: Install custom packages
+  ansible.builtin.dnf5:
+    name:
+      - 'qubes-ctap'
+      - 'qubes-gpg-split'
+      - 'flatpak'
+      - 'ncurses'
+      - 'xdg-desktop-portal-gtk'
+
 - name: Enable hardened_malloc
  ansible.builtin.copy:
    src: 'etc/ld.so.preload'
@ -159,4 +172,4 @@
    path: '{{ item.path }}'
    regexp: '^(metalink=.*)$'
    line: '\1&protocol=https'
-  loop: '{{ found_files.files }}'
+  loop: '{{ found_files.files }}'
--- a/roles/baseline/templates/etc/sysctl.d/99-workstation.conf.j2
+++ b/roles/baseline/templates/etc/sysctl.d/99-workstation.conf.j2
@ -0,0 +1,122 @@
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+dev.tty.ldisc_autoload = 0
+
+# https://access.redhat.com/solutions/1985633
+# Seems dangerous.
+# Roseta need this though, so if you use it change it to 1.
+fs.binfmt_misc.status = 0
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
+# Enable fs.protected sysctls.
+fs.protected_regular = 2
+fs.protected_fifos = 2
+fs.protected_symlinks = 1
+fs.protected_hardlinks = 1
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
+# Disable coredumps.
+# For additional safety, disable coredumps using ulimit and systemd too.
+kernel.core_pattern=|/bin/false
+fs.suid_dumpable = 0
+
+# Restrict dmesg to CAP_SYS_LOG.
+# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
+kernel.dmesg_restrict = 1
+
+# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
+# Restrict access to /proc.
+kernel.kptr_restrict = 2
+
+# Not needed, I don't do livepatching and reboot regularly.
+# On a workstation, this shouldn't be used at all. Don't live patch, just reboot.
+kernel.kexec_load_disabled = 1
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+# Basically, restrict eBPF to CAP_BPF.
+kernel.unprivileged_bpf_disabled = 1
+net.core.bpf_jit_harden = 2
+
+# Needed for Flatpak and Bubblewrap.
+kernel.unprivileged_userns_clone = 1
+
+# Disable ptrace. Not needed on workstations.
+{% if allow_ptrace %}
+kernel.yama.ptrace_scope = 2
+{% else %}
+kernel.yama.ptrace_scope = 3
+{% endif %}
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+# Restrict performance events from unprivileged users as much as possible.
+# We are using 4 here, since Ubuntu supports such a level.
+# Official/ Linux kernel documentation only says >= so it probably will work.
+kernel.perf_event_paranoid = 4
+
+# Disable io_uring
+# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
+# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
+# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
+# on a Proxmox node.
+kernel.io_uring_disabled = 2
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# Disable sysrq.
+kernel.sysrq = 0
+
+# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
+# Not running a router here, so no redirects.
+net.ipv4.conf.*.send_redirects = 0
+net.ipv4.conf.*.accept_redirects = 0
+net.ipv6.conf.*.accept_redirects = 0
+
+# Check if the source of the IP address is reachable through the same interface it came in
+# Basic IP spoofing mitigation.
+net.ipv4.conf.*.rp_filter = 1
+
+# Do not respond to ICMP.
+net.ipv4.icmp_echo_ignore_all = 1
+net.ipv6.icmp.echo_ignore_all = 1
+
+# Ignore Bogus ICMP responses.
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Enable IP Forwarding.
+# Needed for VM networking and whatnot.
+net.ipv4.ip_forward = 1
+net.ipv6.conf.all.forwarding = 1
+
+# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
+# Ignore bogus icmp response.
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Protection against time-wait assasination attacks.
+net.ipv4.tcp_rfc1337 = 1
+
+# Enable SYN cookies.
+# Basic SYN flood mitigation.
+net.ipv4.tcp_syncookies = 1 
+
+# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
+# Make sure TCP timestamp is enabled.
+net.ipv4.tcp_timestamps = 1
+
+# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
+# Disable TCP SACK.
+# We have good networking :)
+net.ipv4.tcp_sack = 0
+
+# No SACK, therefore no Duplicated SACK.
+net.ipv4.tcp_dsack = 0
+
+# Improve ALSR effectiveness for mmap.
+vm.mmap_rnd_bits = 32
+vm.mmap_rnd_compat_bits = 16
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# Restrict userfaultfd to CAP_SYS_PTRACE.
+# https://bugs.archlinux.org/task/62780
+# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
+# probably not used in the real world at all.
+vm.unprivileged_userfaultfd = 0