wip: fixing baseline role
							parent
							
								
									daf383d981
								
							
						
					
					
						commit
						d01bbd1aa3
					
				
					 61 changed files with 58 additions and 974 deletions
				
			
		|  | @ -8,15 +8,12 @@ | ||||||
|       vars: |       vars: | ||||||
|         umask_changes: true |         umask_changes: true | ||||||
|         manage_network: true |         manage_network: true | ||||||
|  |         allow_ptrace: false # turn off for gvisor | ||||||
| 
 | 
 | ||||||
|     - name: 'Gnome package stuff' |     - name: 'Gnome package stuff' | ||||||
|       ansible.builtin.include_role: |       ansible.builtin.include_role: | ||||||
|         name: gnome |         name: gnome | ||||||
| 
 | 
 | ||||||
| #    - name: 'Setup dom0 prompt for sudo' |  | ||||||
| #      ansible.builtin.include_role: |  | ||||||
| #        name: sudo-dom0-prompt |  | ||||||
| 
 |  | ||||||
|     - name: 'Install trivalent' |     - name: 'Install trivalent' | ||||||
|       ansible.builtin.include_role: |       ansible.builtin.include_role: | ||||||
|         name: trivalent |         name: trivalent | ||||||
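Review bot: The inline comment on the new `allow_ptrace: false # turn off for gvisor` line reads backwards against the sysctl template it feeds elsewhere in this commit, where `false` renders `kernel.yama.ptrace_scope = 3` and `true` renders `2`; a reader will take "turn off" as the value to use on gVisor hosts, which is the opposite of what the template does. Suggest `allow_ptrace: false  # set true on hosts running gVisor's ptrace platform (renders ptrace_scope 2 instead of 3)`. Note that Yama scope 2 still limits PTRACE_ATTACH to CAP_SYS_PTRACE, so whether 2 is actually enough for the runtime in use is something to confirm rather than assume. The `vars:` block belongs to a task whose `name:`/`include_role:` lines start before this hunk.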
|  | @ -25,8 +22,21 @@ | ||||||
|       ansible.builtin.include_role: |       ansible.builtin.include_role: | ||||||
|         name: arkenfox |         name: arkenfox | ||||||
| 
 | 
 | ||||||
|     - name: 'Install wireguard-tools' |     - name: 'Install wireguard-tools and neovim' | ||||||
|       ansible.builtin.dnf5: |       ansible.builtin.dnf5: | ||||||
|         name: |         name: | ||||||
|           - wireguard-tools |           - wireguard-tools | ||||||
|  |           - neovim | ||||||
|         state: 'present' |         state: 'present' | ||||||
|  |    | ||||||
|  |     - name: 'Install devtools' | ||||||
|  |       ansible.builtin.include_role: | ||||||
|  |         name: devtools | ||||||
|  | 
 | ||||||
|  |     - name: 'Handle SUID binaries' | ||||||
|  |       ansible.builtin.include_role: | ||||||
|  |         name: suid_role | ||||||
|  |       vars: | ||||||
|  |         allow_run0: true | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  |  | ||||||
|  | @ -1,2 +1,3 @@ | ||||||
| umask_changes: false | umask_changes: false | ||||||
| manage_network: true | manage_network: true | ||||||
|  | allow_ptrace: false | ||||||
|  |  | ||||||
|  | @ -0,0 +1,8 @@ | ||||||
|  | Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr | ||||||
|  | MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 | ||||||
|  | GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- | ||||||
|  | KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 | ||||||
|  | PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com | ||||||
|  | HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com | ||||||
|  | CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 | ||||||
|  | RequiredRSASize 2048 | ||||||
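Review bot: The `MACs` line of the new crypto-policies backend still admits `hmac-sha1-etm@openssh.com` and plain `hmac-sha1`, plus the non-ETM `hmac-sha2-*`/`umac-128@openssh.com` variants, which is looser than the rest of the file (the `Ciphers` line is AEAD/CTR only and `KexAlgorithms` leads with the post-quantum hybrid). If this file is meant as a hardening override, drop SHA-1 and keep ETM only: `MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com`. Likewise `RequiredRSASize 2048` is OpenSSH's upstream default rather than a tightening; `RequiredRSASize 3072` would match the intent of the other lines. Whether any remote peer still needs SHA-1 MACs is not visible on this page, so verify against the hosts actually connected to before tightening.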
|  | @ -1,2 +0,0 @@ | ||||||
| [org/gnome/desktop/interface] |  | ||||||
| gtk-theme='adw-gtk3-dark' |  | ||||||
|  | @ -1,2 +0,0 @@ | ||||||
| [org/gnome/desktop/interface] |  | ||||||
| color-scheme='prefer-dark' |  | ||||||
|  | @ -39,8 +39,8 @@ install cramfs /bin/false | ||||||
| install freevxfs /bin/false | install freevxfs /bin/false | ||||||
| install jffs2 /bin/false | install jffs2 /bin/false | ||||||
| # I think blacklisting hfs or hfsplus breaks USBs, but not sure | # I think blacklisting hfs or hfsplus breaks USBs, but not sure | ||||||
| install hfs /bin/false | # install hfs /bin/false | ||||||
| install hfsplus /bin/false | # install hfsplus /bin/false | ||||||
| install squashfs /bin/false | install squashfs /bin/false | ||||||
| install udf /bin/false | install udf /bin/false | ||||||
| install cifs /bin/false | install cifs /bin/false | ||||||
|  |  | ||||||
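Review bot: Commenting out `install hfs /bin/false` and `install hfsplus /bin/false` re-enables two filesystem drivers on the strength of the guess recorded in the comment above them ("I think ... but not sure"). Both are filesystem modules, not USB drivers; generic USB mass storage (`usb_storage` plus `vfat`/`exfat`) does not depend on them, so ordinary sticks should keep working with the lines active and only HFS/HFS+-formatted media would be affected — worth testing on the box before loosening the list. If HFS+ media genuinely must mount, keep the exception but document it as verified rather than suspected, e.g. `# hfs/hfsplus left loadable: required for HFS+ media, confirmed on <date>`.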
|  | @ -31,7 +31,6 @@ | ||||||
|     replace: 'umask 077' |     replace: 'umask 077' | ||||||
|   when: umask_changes == true |   when: umask_changes == true | ||||||
| 
 | 
 | ||||||
| 
 |  | ||||||
| - name: Make home directory private | - name: Make home directory private | ||||||
|   ansible.builtin.file: |   ansible.builtin.file: | ||||||
|     path: /home/* |     path: /home/* | ||||||
|  | @ -48,8 +47,13 @@ | ||||||
|   loop: |   loop: | ||||||
|   - 'etc/ssh/ssh_config.d/10-custom.conf' |   - 'etc/ssh/ssh_config.d/10-custom.conf' | ||||||
|   - 'etc/modprobe.d/workstation-blacklist.conf' |   - 'etc/modprobe.d/workstation-blacklist.conf' | ||||||
|   - 'etc/sysctl.d/99-workstation.conf' |   - 'etc/crypto-policies/back-ends/openssh.config' | ||||||
| 
 | 
 | ||||||
|  | - name: Kernel sysctl config | ||||||
|  |   ansible.builtin.template: | ||||||
|  |     src: 'etc/sysctl.d/99-workstation.conf'  | ||||||
|  |     dest: '/etc/sysctl.d/99-workstation.conf' | ||||||
|  |     mode: '0644' | ||||||
| 
 | 
 | ||||||
| - name: Reload sysctl | - name: Reload sysctl | ||||||
|   shell: 'sysctl -p' |   shell: 'sysctl -p' | ||||||
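Review bot: The new `Kernel sysctl config` template task writes to `/etc/sysctl.d/99-workstation.conf`, but the `Reload sysctl` task that follows runs `sysctl -p`, which with no argument loads only `/etc/sysctl.conf`, so the rendered file — including the `allow_ptrace` branch this commit adds — is not applied until the next boot. Change it to `ansible.builtin.command: 'sysctl --system'`, which walks `/etc/sysctl.d`, or trigger it from a `notify:` handler on the template task. Separately, the copy loop now targets `etc/crypto-policies/back-ends/openssh.config`, a path that on Fedora `update-crypto-policies` manages as a symlink into `/usr/share/crypto-policies/<policy>/`; the copy replaces the symlink and the next policy update will overwrite it, so a custom policy module under `/etc/crypto-policies/policies/modules/` is the durable way to carry these settings. The copy task's `name:`/`copy:` lines start before this hunk.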
|  | @ -131,6 +135,15 @@ | ||||||
|     name: 'hardened_malloc' |     name: 'hardened_malloc' | ||||||
|     state: 'present' |     state: 'present' | ||||||
| 
 | 
 | ||||||
|  | - name: Install custom packages | ||||||
|  |   ansible.builtin.dnf5: | ||||||
|  |     name: | ||||||
|  |       - 'qubes-ctap' | ||||||
|  |       - 'qubes-gpg-split' | ||||||
|  |       - 'flatpak' | ||||||
|  |       - 'ncurses' | ||||||
|  |       - 'xdg-desktop-portal-gtk' | ||||||
|  | 
 | ||||||
| - name: Enable hardened_malloc | - name: Enable hardened_malloc | ||||||
|   ansible.builtin.copy: |   ansible.builtin.copy: | ||||||
|     src: 'etc/ld.so.preload' |     src: 'etc/ld.so.preload' | ||||||
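Review bot: The new `Install custom packages` task lists packages but omits the `state: 'present'` that every other dnf5 task in this commit carries (for example `hardened_malloc` two lines above); dnf5 defaults to present, so it works, but add `state: 'present'` for consistency and so a reader does not need to know the default. Four of the five packages (`qubes-ctap`, `qubes-gpg-split`, `ncurses`, `xdg-desktop-portal-gtk`) are also installed by the identically named task in the other hunk on this page, so the two lists are redundant and will drift; if the baseline role is meant to own them, drop them from the other task. The `Enable hardened_malloc` task continues past this hunk.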
|  | @ -159,4 +172,4 @@ | ||||||
|     path: '{{ item.path }}' |     path: '{{ item.path }}' | ||||||
|     regexp: '^(metalink=.*)$' |     regexp: '^(metalink=.*)$' | ||||||
|     line: '\1&protocol=https' |     line: '\1&protocol=https' | ||||||
|   loop: '{{ found_files.files }}' |   loop: '{{ found_files.files }}' | ||||||
|  |  | ||||||
|  | @ -43,12 +43,15 @@ net.core.bpf_jit_harden = 2 | ||||||
| kernel.unprivileged_userns_clone = 1 | kernel.unprivileged_userns_clone = 1 | ||||||
| 
 | 
 | ||||||
| # Disable ptrace. Not needed on workstations. | # Disable ptrace. Not needed on workstations. | ||||||
|  | {% if allow_ptrace %} | ||||||
|  | kernel.yama.ptrace_scope = 2 | ||||||
|  | {% else %} | ||||||
| kernel.yama.ptrace_scope = 3 | kernel.yama.ptrace_scope = 3 | ||||||
| 
 | {% endif %} | ||||||
| # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl | # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl | ||||||
| # Restrict performance events from unprivileged users as much as possible. | # Restrict performance events from unprivileged users as much as possible. | ||||||
| # We are using 4 here, since Ubuntu supports such a level. | # We are using 4 here, since Ubuntu supports such a level. | ||||||
| # Official Linux kernel documentation only says >= so it probably will work. | # Official/ Linux kernel documentation only says >= so it probably will work. | ||||||
| kernel.perf_event_paranoid = 4 | kernel.perf_event_paranoid = 4 | ||||||
| 
 | 
 | ||||||
| # Disable io_uring | # Disable io_uring | ||||||
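Review bot: The comment `# Disable ptrace. Not needed on workstations.` above the new `{% if allow_ptrace %}` block no longer describes the file, since it can now render `kernel.yama.ptrace_scope = 2`; replace it with `# Yama ptrace scope: 3 disables attach entirely; 2 (allow_ptrace) still limits PTRACE_ATTACH to CAP_SYS_PTRACE`. Per the kernel's Yama documentation, once scope 3 is set it cannot be changed again without a reboot, so flipping `allow_ptrace` on an already-hardened host will not take effect in place — worth a second comment line. The same hunk also introduces a stray slash in `# Official/ Linux kernel documentation only says >= ...`, which should read `# Official Linux kernel documentation only says >= ...`.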
|  | @ -21,7 +21,6 @@ | ||||||
|       - 'gnome-software' |       - 'gnome-software' | ||||||
|       - 'httpd' |       - 'httpd' | ||||||
|       - 'keepassxc' |       - 'keepassxc' | ||||||
|       - 'thunderbird' |  | ||||||
|       - 'fedora-bookmarks' |       - 'fedora-bookmarks' | ||||||
|       - 'fedora-chromium-config' |       - 'fedora-chromium-config' | ||||||
|       - 'samba-client' |       - 'samba-client' | ||||||
|  | @ -82,9 +81,9 @@ | ||||||
| - name: Install custom packages | - name: Install custom packages | ||||||
|   ansible.builtin.dnf5: |   ansible.builtin.dnf5: | ||||||
|     name: |     name: | ||||||
| #      - 'qubes-ctap' |       - 'qubes-ctap' | ||||||
|       - 'qubes-gpg-split' |       - 'qubes-gpg-split' | ||||||
|       - 'ncurses' |       - 'ncurses' | ||||||
| #         - 'gnome-shell' |       - 'xdg-desktop-portal-gtk' | ||||||
|       - 'ptyxis' |       - 'ptyxis' | ||||||
|     state: 'present' |     state: 'present' | ||||||
|  |  | ||||||
|  | @ -1,20 +0,0 @@ | ||||||
| # Generated by authselect |  | ||||||
| # Do not modify this file manually, use authselect instead. Any user changes will be overwritten. |  | ||||||
| # You can stop authselect from managing your configuration by calling 'authselect opt-out'. |  | ||||||
| # See authselect(8) for more details. |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| auth        [success=1 default=ignore]                   pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$ |  | ||||||
| auth        requisite                                    pam_deny.so |  | ||||||
| auth        required                                     pam_permit.so |  | ||||||
| account     required                                     pam_unix.so |  | ||||||
| 
 |  | ||||||
| password    requisite                                    pam_pwquality.so |  | ||||||
| password    sufficient                                   pam_unix.so yescrypt shadow nullok use_authtok |  | ||||||
| password    required                                     pam_deny.so |  | ||||||
| 
 |  | ||||||
| session     optional                                     pam_keyinit.so revoke |  | ||||||
| session     required                                     pam_limits.so |  | ||||||
| -session    optional                                     pam_systemd.so |  | ||||||
| session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid |  | ||||||
| session     required                                     pam_unix.so |  | ||||||
|  | @ -1,2 +0,0 @@ | ||||||
| [org/gnome/desktop/interface] |  | ||||||
| gtk-theme='adw-gtk3-dark' |  | ||||||
|  | @ -1,4 +0,0 @@ | ||||||
| [org/gnome/desktop/media-handling] |  | ||||||
| automount=false |  | ||||||
| automount-open=false |  | ||||||
| autorun-never=true |  | ||||||
|  | @ -1,3 +0,0 @@ | ||||||
| org/gnome/desktop/media-handling/automount |  | ||||||
| org/gnome/desktop/media-handling/automount-open |  | ||||||
| /org/gnome/desktop/media-handling/autorun-never |  | ||||||
|  | @ -1,14 +0,0 @@ | ||||||
| /org/gnome/system/location/enabled |  | ||||||
| 
 |  | ||||||
| /org/gnome/desktop/privacy/remember-recent-files |  | ||||||
| /org/gnome/desktop/privacy/remove-old-trash-files |  | ||||||
| /org/gnome/desktop/privacy/remove-old-temp-files |  | ||||||
| /org/gnome/desktop/privacy/report-technical-problems |  | ||||||
| /org/gnome/desktop/privacy/send-software-usage-stats |  | ||||||
| /org/gnome/desktop/privacy/remember-app-usage |  | ||||||
| 
 |  | ||||||
| /org/gnome/online-accounts/whitelisted-providers |  | ||||||
| 
 |  | ||||||
| /org/gnome/desktop/remote-desktop/rdp/enable |  | ||||||
| 
 |  | ||||||
| /org/gnome/desktop/remote-desktop/vnc/enable |  | ||||||
|  | @ -1,2 +0,0 @@ | ||||||
| [org/gnome/desktop/interface] |  | ||||||
| color-scheme='prefer-dark' |  | ||||||
|  | @ -1,16 +0,0 @@ | ||||||
| [org/gnome/system/location] |  | ||||||
| enabled=false |  | ||||||
| 
 |  | ||||||
| [org/gnome/desktop/privacy] |  | ||||||
| remember-recent-files=false |  | ||||||
| remove-old-trash-files=true |  | ||||||
| remove-old-temp-files=true |  | ||||||
| report-technical-problems=false |  | ||||||
| send-software-usage-stats=false |  | ||||||
| remember-app-usage=false |  | ||||||
| 
 |  | ||||||
| [org/gnome/desktop/remote-desktop/rdp] |  | ||||||
| enable=false |  | ||||||
| 
 |  | ||||||
| [org/gnome/desktop/remote-desktop/vnc] |  | ||||||
| enable=false |  | ||||||
|  | @ -1,11 +0,0 @@ | ||||||
| [main] |  | ||||||
| gpgcheck=True |  | ||||||
| installonly_limit=3 |  | ||||||
| clean_requirements_on_remove=True |  | ||||||
| best=False |  | ||||||
| skip_if_unavailable=True |  | ||||||
| max_parallel_downloads=10 |  | ||||||
| deltarpm=False |  | ||||||
| defaultyes=True |  | ||||||
| install_weak_deps=False |  | ||||||
| countme=False |  | ||||||
|  | @ -1,3 +0,0 @@ | ||||||
| JavaScriptCoreUseJIT=0 |  | ||||||
| GJS_DISABLE_JIT=1 |  | ||||||
| XDG_CURRENT_DESKTOP=GNOME |  | ||||||
|  | @ -1 +0,0 @@ | ||||||
| libhardened_malloc.so |  | ||||||
|  | @ -1,114 +0,0 @@ | ||||||
| # unused network protocols |  | ||||||
| install dccp /bin/false |  | ||||||
| install sctp /bin/false |  | ||||||
| install rds /bin/false |  | ||||||
| install tipc /bin/false |  | ||||||
| install n-hdlc /bin/false |  | ||||||
| install ax25 /bin/false |  | ||||||
| install netrom /bin/false |  | ||||||
| install x25 /bin/false |  | ||||||
| install rose /bin/false |  | ||||||
| install decnet /bin/false |  | ||||||
| install econet /bin/false |  | ||||||
| install af_802154 /bin/false |  | ||||||
| install ipx /bin/false |  | ||||||
| install appletalk /bin/false |  | ||||||
| install psnap /bin/false |  | ||||||
| install p8023 /bin/false |  | ||||||
| install p8022 /bin/false |  | ||||||
| install can /bin/false |  | ||||||
| install atm /bin/false |  | ||||||
| 
 |  | ||||||
| # firewire and thunderbolt |  | ||||||
| install firewire-core /bin/false |  | ||||||
| install firewire_core /bin/false |  | ||||||
| install firewire-ohci /bin/false |  | ||||||
| install firewire_ohci /bin/false |  | ||||||
| install firewire_sbp2 /bin/false |  | ||||||
| install firewire-sbp2 /bin/false |  | ||||||
| install firewire-net /bin/false |  | ||||||
| install thunderbolt /bin/false |  | ||||||
| install ohci1394 /bin/false |  | ||||||
| install sbp2 /bin/false |  | ||||||
| install dv1394 /bin/false |  | ||||||
| install raw1394 /bin/false |  | ||||||
| install video1394 /bin/false |  | ||||||
| 
 |  | ||||||
| # unused filesystems |  | ||||||
| install cramfs /bin/false |  | ||||||
| install freevxfs /bin/false |  | ||||||
| install jffs2 /bin/false |  | ||||||
| install hfs /bin/false |  | ||||||
| install hfsplus /bin/false |  | ||||||
| install squashfs /bin/false |  | ||||||
| install udf /bin/false |  | ||||||
| install cifs /bin/false |  | ||||||
| install nfs /bin/false |  | ||||||
| install nfsv3 /bin/false |  | ||||||
| install nfsv4 /bin/false |  | ||||||
| install ksmbd /bin/false |  | ||||||
| install gfs2 /bin/false |  | ||||||
| install reiserfs /bin/false |  | ||||||
| install kafs /bin/false |  | ||||||
| install orangefs /bin/false |  | ||||||
| install 9p /bin/false |  | ||||||
| install adfs /bin/false |  | ||||||
| install affs /bin/false |  | ||||||
| install afs /bin/false |  | ||||||
| install befs /bin/false |  | ||||||
| install ceph /bin/false |  | ||||||
| install coda /bin/false |  | ||||||
| install ecryptfs /bin/false |  | ||||||
| install erofs /bin/false |  | ||||||
| install jfs /bin/false |  | ||||||
| install minix /bin/false |  | ||||||
| install netfs /bin/false |  | ||||||
| install nilfs2 /bin/false |  | ||||||
| install ocfs2 /bin/false |  | ||||||
| install romfs /bin/false |  | ||||||
| install ubifs /bin/false |  | ||||||
| install zonefs /bin/false |  | ||||||
| install sysv /bin/false |  | ||||||
| install ufs /bin/false |  | ||||||
| 
 |  | ||||||
| # disable vivid |  | ||||||
| install vivid /bin/false |  | ||||||
| 
 |  | ||||||
| # disable GNSS |  | ||||||
| install gnss /bin/false |  | ||||||
| install gnss-mtk /bin/false |  | ||||||
| install gnss-serial /bin/false |  | ||||||
| install gnss-sirf /bin/false |  | ||||||
| install gnss-usb /bin/false |  | ||||||
| install gnss-ubx /bin/false |  | ||||||
| 
 |  | ||||||
| # https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns |  | ||||||
| install bluetooth /bin/false |  | ||||||
| install btusb /bin/false |  | ||||||
| 
 |  | ||||||
| # blacklist ath_pci |  | ||||||
| blacklist ath_pci |  | ||||||
| 
 |  | ||||||
| # blacklist cdrom |  | ||||||
| blacklist cdrom |  | ||||||
| blacklist sr_mod |  | ||||||
| 
 |  | ||||||
| # blacklist framebuffer drivers |  | ||||||
| # source, ubuntu: https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf |  | ||||||
| blacklist cyber2000fb |  | ||||||
| blacklist cyblafb |  | ||||||
| blacklist gx1fb |  | ||||||
| blacklist hgafb |  | ||||||
| blacklist kyrofb |  | ||||||
| blacklist lxfb |  | ||||||
| blacklist matroxfb_base |  | ||||||
| blacklist neofb |  | ||||||
| blacklist nvidiafb |  | ||||||
| blacklist pm2fb |  | ||||||
| blacklist s1d13xxxfb |  | ||||||
| blacklist sisfb |  | ||||||
| blacklist tdfxfb |  | ||||||
| blacklist vesafb |  | ||||||
| blacklist vfb |  | ||||||
| blacklist vt8623fb |  | ||||||
| blacklist udlfb |  | ||||||
|  | @ -1 +0,0 @@ | ||||||
| * hard core 0 |  | ||||||
|  | @ -1,2 +0,0 @@ | ||||||
| flatpak remote-add --if-not-exists --user flathub https://dl.flathub.org/repo/flathub.flatpakrepo |  | ||||||
| systemctl enable --user --now update-user-flatpaks.timer |  | ||||||
|  | @ -1,2 +0,0 @@ | ||||||
| GSSAPIAuthentication no |  | ||||||
| VerifyHostKeyDNS yes |  | ||||||
|  | @ -1,4 +0,0 @@ | ||||||
| Defaults !requiretty |  | ||||||
| user ALL=(ALL) ALL |  | ||||||
| 
 |  | ||||||
| # vim: ft=sudoers |  | ||||||
|  | @ -1,119 +0,0 @@ | ||||||
| 
 |  | ||||||
| # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl |  | ||||||
| dev.tty.ldisc_autoload = 0 |  | ||||||
| 
 |  | ||||||
| # https://access.redhat.com/solutions/1985633 |  | ||||||
| # Seems dangerous. |  | ||||||
| # Roseta need this though, so if you use it change it to 1. |  | ||||||
| fs.binfmt_misc.status = 0 |  | ||||||
| 
 |  | ||||||
| # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace |  | ||||||
| # Enable fs.protected sysctls. |  | ||||||
| fs.protected_regular = 2 |  | ||||||
| fs.protected_fifos = 2 |  | ||||||
| fs.protected_symlinks = 1 |  | ||||||
| fs.protected_hardlinks = 1 |  | ||||||
| 
 |  | ||||||
| # https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps |  | ||||||
| # Disable coredumps. |  | ||||||
| # For additional safety, disable coredumps using ulimit and systemd too. |  | ||||||
| kernel.core_pattern=|/bin/false |  | ||||||
| fs.suid_dumpable = 0 |  | ||||||
| 
 |  | ||||||
| # Restrict dmesg to CAP_SYS_LOG. |  | ||||||
| # https://www.kernel.org/doc/Documentation/sysctl/kernel.txt |  | ||||||
| kernel.dmesg_restrict = 1 |  | ||||||
| 
 |  | ||||||
| # https://www.kernel.org/doc/Documentation/sysctl/kernel.txt |  | ||||||
| # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel |  | ||||||
| # https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak |  | ||||||
| # Restrict access to /proc. |  | ||||||
| kernel.kptr_restrict = 2 |  | ||||||
| 
 |  | ||||||
| # Not needed, I don't do livepatching and reboot regularly. |  | ||||||
| # On a workstation, this shouldn't be used at all. Don't live patch, just reboot. |  | ||||||
| kernel.kexec_load_disabled = 1 |  | ||||||
| 
 |  | ||||||
| # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl |  | ||||||
| # Basically, restrict eBPF to CAP_BPF. |  | ||||||
| kernel.unprivileged_bpf_disabled = 1 |  | ||||||
| net.core.bpf_jit_harden = 2 |  | ||||||
| 
 |  | ||||||
| # Needed for Flatpak and Bubblewrap. |  | ||||||
| kernel.unprivileged_userns_clone = 1 |  | ||||||
| 
 |  | ||||||
| # Disable ptrace. Not needed on workstations. |  | ||||||
| kernel.yama.ptrace_scope = 3 |  | ||||||
| 
 |  | ||||||
| # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl |  | ||||||
| # Restrict performance events from unprivileged users as much as possible. |  | ||||||
| # We are using 4 here, since Ubuntu supports such a level. |  | ||||||
| # Official Linux kernel documentation only says >= so it probably will work. |  | ||||||
| kernel.perf_event_paranoid = 4 |  | ||||||
| 
 |  | ||||||
| # Disable io_uring |  | ||||||
| # https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled |  | ||||||
| # https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html |  | ||||||
| # Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out |  | ||||||
| # on a Proxmox node. |  | ||||||
| kernel.io_uring_disabled = 2 |  | ||||||
| 
 |  | ||||||
| # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel |  | ||||||
| # Disable sysrq. |  | ||||||
| kernel.sysrq = 0 |  | ||||||
| 
 |  | ||||||
| # https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911 |  | ||||||
| # Not running a router here, so no redirects. |  | ||||||
| net.ipv4.conf.*.send_redirects = 0 |  | ||||||
| net.ipv4.conf.*.accept_redirects = 0 |  | ||||||
| net.ipv6.conf.*.accept_redirects = 0 |  | ||||||
| 
 |  | ||||||
| # Check if the source of the IP address is reachable through the same interface it came in |  | ||||||
| # Basic IP spoofing mitigation. |  | ||||||
| net.ipv4.conf.*.rp_filter = 1 |  | ||||||
| 
 |  | ||||||
| # Do not respond to ICMP. |  | ||||||
| net.ipv4.icmp_echo_ignore_all = 1 |  | ||||||
| net.ipv6.icmp.echo_ignore_all = 1 |  | ||||||
| 
 |  | ||||||
| # Ignore Bogus ICMP responses. |  | ||||||
| net.ipv4.icmp_ignore_bogus_error_responses = 1 |  | ||||||
| 
 |  | ||||||
| # Enable IP Forwarding. |  | ||||||
| # Needed for VM networking and whatnot. |  | ||||||
| net.ipv4.ip_forward = 1 |  | ||||||
| net.ipv6.conf.all.forwarding = 1 |  | ||||||
| 
 |  | ||||||
| # https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537 |  | ||||||
| # Ignore bogus icmp response. |  | ||||||
| net.ipv4.icmp_ignore_bogus_error_responses = 1 |  | ||||||
| 
 |  | ||||||
| # Protection against time-wait assasination attacks. |  | ||||||
| net.ipv4.tcp_rfc1337 = 1 |  | ||||||
| 
 |  | ||||||
| # Enable SYN cookies. |  | ||||||
| # Basic SYN flood mitigation. |  | ||||||
| net.ipv4.tcp_syncookies = 1  |  | ||||||
| 
 |  | ||||||
| # https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf |  | ||||||
| # Make sure TCP timestamp is enabled. |  | ||||||
| net.ipv4.tcp_timestamps = 1 |  | ||||||
| 
 |  | ||||||
| # https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf |  | ||||||
| # Disable TCP SACK. |  | ||||||
| # We have good networking :) |  | ||||||
| net.ipv4.tcp_sack = 0 |  | ||||||
| 
 |  | ||||||
| # No SACK, therefore no Duplicated SACK. |  | ||||||
| net.ipv4.tcp_dsack = 0 |  | ||||||
| 
 |  | ||||||
| # Improve ALSR effectiveness for mmap. |  | ||||||
| vm.mmap_rnd_bits = 32 |  | ||||||
| vm.mmap_rnd_compat_bits = 16 |  | ||||||
| 
 |  | ||||||
| # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel |  | ||||||
| # Restrict userfaultfd to CAP_SYS_PTRACE. |  | ||||||
| # https://bugs.archlinux.org/task/62780 |  | ||||||
| # Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is |  | ||||||
| # probably not used in the real world at all. |  | ||||||
| vm.unprivileged_userfaultfd = 0 |  | ||||||
|  | @ -1,2 +0,0 @@ | ||||||
| [Coredump] |  | ||||||
| Storage=none |  | ||||||
|  | @ -1,28 +0,0 @@ | ||||||
| [Service] |  | ||||||
| # Hardening |  | ||||||
| CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT |  | ||||||
| LockPersonality=true |  | ||||||
| MemoryDenyWriteExecute=true |  | ||||||
| #PrivateDevices=true #breaks tun usage |  | ||||||
| #ProtectProc=invisible |  | ||||||
| PrivateTmp=yes |  | ||||||
| ProtectClock=true |  | ||||||
| ProtectControlGroups=true |  | ||||||
| ProtectHome=read-only |  | ||||||
| ProtectKernelLogs=true |  | ||||||
| #ProtectKernelModules=true |  | ||||||
| #ProtectSystem=strict |  | ||||||
| #ReadOnlyPaths=/etc/NetworkManager |  | ||||||
| ReadOnlyPaths=-/home |  | ||||||
| #ReadWritePaths=-/etc/NetworkManager/system-connections |  | ||||||
| ReadWritePaths=-/etc/sysconfig/network-scripts |  | ||||||
| ReadWritePaths=/var/lib/NetworkManager |  | ||||||
| ReadWritePaths=-/var/run/NetworkManager |  | ||||||
| ReadWritePaths=-/run/NetworkManager |  | ||||||
| RemoveIPC=true |  | ||||||
| RestrictNamespaces=true |  | ||||||
| RestrictRealtime=true |  | ||||||
| RestrictSUIDSGID=true |  | ||||||
| SystemCallArchitectures=native |  | ||||||
| SystemCallFilter=@system-service |  | ||||||
| UMask=0077 |  | ||||||
|  | @ -1,6 +0,0 @@ | ||||||
| [Unit] |  | ||||||
| Description=Update user Flatpaks |  | ||||||
| 
 |  | ||||||
| [Service] |  | ||||||
| Type=oneshot |  | ||||||
| ExecStart=/usr/bin/flatpak --user update -y |  | ||||||
|  | @ -1,9 +0,0 @@ | ||||||
| [Unit] |  | ||||||
| Description=Update user Flatpaks daily |  | ||||||
| 
 |  | ||||||
| [Timer] |  | ||||||
| OnCalendar=daily |  | ||||||
| Persistent=true |  | ||||||
| 
 |  | ||||||
| [Install] |  | ||||||
| WantedBy=timers.target |  | ||||||
|  | @ -1,4 +0,0 @@ | ||||||
| [zram0] |  | ||||||
| zram-fraction = 1 |  | ||||||
| max-zram-size = 8192 |  | ||||||
| compression-algorithm = zstd |  | ||||||
|  | @ -1,2 +0,0 @@ | ||||||
| [preferred] |  | ||||||
| default=gtk; |  | ||||||
|  | @ -1,285 +0,0 @@ | ||||||
| - name: Configure Fedora 41 Gnome Template |  | ||||||
|   hosts: 127.0.0.1 |  | ||||||
|   connection: local |  | ||||||
|   tasks: |  | ||||||
|    - name: Kill debug-shell service |  | ||||||
|      ansible.builtin.systemd_service: |  | ||||||
|        name: debug-shell.service |  | ||||||
|        masked: true |  | ||||||
|    - name: Kill kdump service |  | ||||||
|      ansible.builtin.systemd_service: |  | ||||||
|        name: kdump.service |  | ||||||
|        masked: true |  | ||||||
|         |  | ||||||
|    - name: Set umask to 077 |  | ||||||
|      shell: umask 077 |  | ||||||
|    - name: Set umask to 077 in login.defs |  | ||||||
|      ansible.builtin.replace: |  | ||||||
|       path: /etc/login.defs |  | ||||||
|       regexp: '^UMASK.*' |  | ||||||
|       replace: 'UMASK 077' |  | ||||||
| 
 |  | ||||||
|    - name: Set umask to 077 in logins.defs |  | ||||||
|      ansible.builtin.replace: |  | ||||||
|       path: /etc/login.defs |  | ||||||
|       regexp: '^HOME_MODE' |  | ||||||
|       replace: '#HOME_MODE' |  | ||||||
| 
 |  | ||||||
|    - name: Set umask to 077 in bashrc |  | ||||||
|      ansible.builtin.replace: |  | ||||||
|        path: /etc/bashrc |  | ||||||
|        regexp: 'umask 022' |  | ||||||
|        replace: 'umask 077' |  | ||||||
| 
 |  | ||||||
|    - name: Make home directory private |  | ||||||
|      ansible.builtin.file: |  | ||||||
|        path: /home/* |  | ||||||
|        state: directory |  | ||||||
|        recurse: true |  | ||||||
|        mode: '0700' |  | ||||||
| 
 |  | ||||||
|    - name: Harden SSH, add kernel blacklist and hardening |  | ||||||
|      ansible.builtin.copy: |  | ||||||
|       src: '{{ item }}' |  | ||||||
|       dest: '/{{ item }}' |  | ||||||
|       mode: '0644' |  | ||||||
|      loop: |  | ||||||
|       - 'etc/ssh/ssh_config.d/10-custom.conf' |  | ||||||
|       - 'etc/modprobe.d/workstation-blacklist.conf' |  | ||||||
|       - 'etc/sysctl.d/99-workstation.conf' |  | ||||||
|    |  | ||||||
| 
 |  | ||||||
|    - name: Reload sysctl |  | ||||||
|      shell: 'sysctl -p' |  | ||||||
| 
 |  | ||||||
|    - name: Create coredump.conf.d |  | ||||||
|      ansible.builtin.file: |  | ||||||
|        path: '/etc/systemd/coredump.conf.d' |  | ||||||
|        state: 'directory' |  | ||||||
|        mode: '0755' |  | ||||||
|    - name: Make locks dir for dconf |  | ||||||
|      ansible.builtin.file: |  | ||||||
|        path: '/etc/dconf/db/local.d/locks' |  | ||||||
|        state: 'directory' |  | ||||||
|        mode: '0755' |  | ||||||
|    - name: Create XDG portals directory |  | ||||||
|      ansible.builtin.file: |  | ||||||
|        path: '/etc/xdg-desktop-portal' |  | ||||||
|        state: 'directory' |  | ||||||
|        mode: '0755' |  | ||||||
| 
 |  | ||||||
|    - name: Create /etc/systemd/system/NetworkManager.service.d |  | ||||||
|      ansible.builtin.file: |  | ||||||
|        path: '/etc/systemd/system/NetworkManager.service.d' |  | ||||||
|        state: 'directory' |  | ||||||
|        mode: '0755' |  | ||||||
|    - name: Copy dconf files + xdg-desktop-portals fix + Network manager |  | ||||||
|      ansible.builtin.copy: |  | ||||||
|       src: '{{ item }}' |  | ||||||
|       dest: '/{{ item }}' |  | ||||||
|       mode: '0644' |  | ||||||
|      loop: |  | ||||||
|       - 'etc/security/limits.d/30-disable-coredump.conf' |  | ||||||
|       - 'etc/systemd/coredump.conf.d/disable.conf' |  | ||||||
|       - 'etc/dconf/db/local.d/locks/automount-disable' |  | ||||||
|       - 'etc/dconf/db/local.d/locks/privacy' |  | ||||||
|       - 'etc/dconf/db/local.d/adw-gtk3-dark' |  | ||||||
|       - 'etc/dconf/db/local.d/automount-disable' |  | ||||||
|       - 'etc/dconf/db/local.d/prefer-dark' |  | ||||||
|       - 'etc/dconf/db/local.d/privacy' |  | ||||||
|       - 'etc/xdg-desktop-portal/portals.conf' |  | ||||||
|       - 'etc/systemd/system/NetworkManager.service.d/99-brace.conf' |  | ||||||
| 
 |  | ||||||
|    - name: Update dconf |  | ||||||
|      shell: sudo dconf update |  | ||||||
| 
 |  | ||||||
|    - name: Setup ZRAM, flatpak updater and environment variables to disable GJS, WebkitGTK JIT, and fix GNOME env variable |  | ||||||
|      ansible.builtin.copy: |  | ||||||
|       src: '{{ item }}' |  | ||||||
|       dest: '/{{ item }}' |  | ||||||
|       mode: '0600' |  | ||||||
|      loop: |  | ||||||
|       - 'etc/systemd/zram-generator.conf' |  | ||||||
|       - 'etc/systemd/user/update-user-flatpaks.service' |  | ||||||
|       - 'etc/systemd/user/update-user-flatpaks.timer' |  | ||||||
|       - 'etc/environment' |  | ||||||
| 
 |  | ||||||
|    - name: Upgrade all packages |  | ||||||
|      ansible.builtin.dnf5: |  | ||||||
|        name: "*" |  | ||||||
|        state: latest |  | ||||||
| 
 |  | ||||||
|    - name: Mark packages as manually installed to avoid removal |  | ||||||
|      shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y' |  | ||||||
| 
 |  | ||||||
|    - name: Remove unnecessary stuff from the template |  | ||||||
|      ansible.builtin.dnf5: |  | ||||||
|        name: |  | ||||||
|         - '@Container Management' |  | ||||||
|         - '@Desktop Accessibility' |  | ||||||
|         - '@Guest Desktop Agents' |  | ||||||
|         - '@Printing Support' |  | ||||||
|         - 'gnome-software' |  | ||||||
|         - 'httpd' |  | ||||||
|         - 'keepassxc' |  | ||||||
|         - 'thunderbird' |  | ||||||
|         - 'fedora-bookmarks' |  | ||||||
|         - 'fedora-chromium-config' |  | ||||||
|         - 'samba-client' |  | ||||||
|         - 'gvfs-smb' |  | ||||||
|         - 'NetworkManager-pptp-gnome' |  | ||||||
|         - 'NetworkManager-ssh-gnome' |  | ||||||
|         - 'NetworkManager-openconnect-gnome' |  | ||||||
|         - 'NetworkManager-openvpn-gnome' |  | ||||||
|         - 'NetworkManager-vpnc-gnome' |  | ||||||
|         - 'ppp*' |  | ||||||
|         - 'ModemManager' |  | ||||||
|         - 'baobab' |  | ||||||
|         - 'chrome-gnome-shell' |  | ||||||
|         - 'eog' |  | ||||||
|         - 'gnome-boxes' |  | ||||||
|         - 'gnome-calculator' |  | ||||||
|         - 'gnome-calendar' |  | ||||||
|         - 'gnome-characters' |  | ||||||
|         - 'gnome-classic*' |  | ||||||
|         - 'gnome-clocks' |  | ||||||
|         - 'gnome-color-manager' |  | ||||||
|         - 'gnome-connections' |  | ||||||
|         - 'gnome-contacts' |  | ||||||
|         - 'gnome-disk-utility' |  | ||||||
|         - 'gnome-font-viewer' |  | ||||||
|         - 'gnome-logs' |  | ||||||
|         - 'gnome-maps' |  | ||||||
|         - 'gnome-photos' |  | ||||||
|         - 'gnome-remote-desktop' |  | ||||||
|         - 'gnome-screenshot' |  | ||||||
|         - 'gnome-shell-extension-apps-menu' |  | ||||||
|         - 'gnome-shell-extension-background-logo' |  | ||||||
|         - 'gnome-shell-extension-launch-new-instance' |  | ||||||
|         - 'gnome-shell-extension-places-menu' |  | ||||||
|         - 'gnome-shell-extension-window-list' |  | ||||||
|         - 'gnome-text-editor' |  | ||||||
|         - 'gnome-themes-extra' |  | ||||||
|         - 'gnome-tour' |  | ||||||
|         - 'gnome-user*' |  | ||||||
|         - 'gnome-weather' |  | ||||||
|         - 'loupe' |  | ||||||
|         - 'snapshot' |  | ||||||
|         - 'totem' |  | ||||||
|         - 'cheese' |  | ||||||
|         - 'evince' |  | ||||||
|         - 'file-roller*' |  | ||||||
|         - 'libreoffice*' |  | ||||||
|         - 'mediawriter' |  | ||||||
|         - 'rhythmbox' |  | ||||||
|         - 'yelp' |  | ||||||
|         - 'lvm2' |  | ||||||
|         - 'rng-tools' |  | ||||||
|         - 'thermald' |  | ||||||
|        state: 'absent' |  | ||||||
|        allowerasing: true |  | ||||||
|        autoremove: true |  | ||||||
| 
 |  | ||||||
|    - name: Install custom packages |  | ||||||
|      ansible.builtin.dnf5: |  | ||||||
|        name: |  | ||||||
|          - 'qubes-ctap' |  | ||||||
|          - 'qubes-gpg-split' |  | ||||||
|          - 'adw-gtk3-theme' |  | ||||||
|          - 'ncurses' |  | ||||||
|          - 'gnome-shell' |  | ||||||
|          - 'ptyxis' |  | ||||||
|        state: 'present' |  | ||||||
|    - name: Enable hardened_malloc COPR |  | ||||||
|      shell: 'sudo dnf copr enable secureblue/hardened_malloc -y' |  | ||||||
| 
 |  | ||||||
|    - name: Install hardened_malloc |  | ||||||
|      ansible.builtin.dnf5: |  | ||||||
|        name: 'hardened_malloc' |  | ||||||
|        state: 'present' |  | ||||||
| 
 |  | ||||||
|    - name: Enable hardened_malloc |  | ||||||
|      ansible.builtin.copy: |  | ||||||
|        src: 'etc/ld.so.preload' |  | ||||||
|        dest: '/etc/ld.so.preload' |  | ||||||
|        mode: '0644' |  | ||||||
|    - name: Enable hardened_malloc for system wide flatpak |  | ||||||
|      shell: 'sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so' |  | ||||||
|    - name: Enable hardened_malloc for user flatpak # has to be run per APP VM |  | ||||||
|      shell: 'flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so' |  | ||||||
|    - name: Setup dnf repos |  | ||||||
|      ansible.builtin.copy: |  | ||||||
|        src: 'etc/dnf/dnf.conf' |  | ||||||
|        dest: '/etc/dnf/dnf.conf' |  | ||||||
|        mode: '0644' |  | ||||||
| 
 |  | ||||||
|    - name: Get list of files |  | ||||||
|      ansible.builtin.find: |  | ||||||
|        paths: /etc/yum.repos.d/ |  | ||||||
|        recurse: true |  | ||||||
|      register: found_files |  | ||||||
| 
 |  | ||||||
|    - name: Replace text in those files |  | ||||||
|      ansible.builtin.lineinfile: |  | ||||||
|        backup: true |  | ||||||
|        backrefs: true |  | ||||||
|        path: '{{ item.path }}' |  | ||||||
|        regexp: '^(metalink=.*)$' |  | ||||||
|        line: '\1&protocol=https' |  | ||||||
|      loop: '{{ found_files.files }}' |  | ||||||
| 
 |  | ||||||
|    - name: Check that the sudo-dom0-prompt exists |  | ||||||
|      stat: |  | ||||||
|        path: '/etc/authselect/custom/sudo-dom0-prompt' |  | ||||||
|      register: stat_result |  | ||||||
| 
 |  | ||||||
|    - name: Create authselect profile |  | ||||||
|      shell: authselect create-profile sudo-dom0-prompt --base-on=sssd --symlink-meta --symlink-pam |  | ||||||
|      when: not stat_result.stat.exists |  | ||||||
|    - name: Copy authselect file |  | ||||||
|      ansible.builtin.copy: |  | ||||||
|       src: '/etc/authselect/custom/sudo-dom0-prompt/system-auth' |  | ||||||
|       dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth.original_aside' |  | ||||||
|       mode: '0644' |  | ||||||
|       |  | ||||||
| 
 |  | ||||||
|    - name: Copy authselect folder |  | ||||||
|      ansible.builtin.copy: |  | ||||||
|       src: '/etc/authselect/system-auth' |  | ||||||
|       dest: '/etc/authselect/custom/sudo-dom0-prompt' |  | ||||||
|       mode: '0755' |  | ||||||
| 
 |  | ||||||
|    - name: Copy authselect file |  | ||||||
|      ansible.builtin.copy: |  | ||||||
|       src: 'etc/authselect/custom/sudo-dom0-prompt/system-auth' |  | ||||||
|       dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth' |  | ||||||
|       mode: '0644' |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
|    - name: Select authselect profile |  | ||||||
|      shell: authselect select custom/sudo-dom0-prompt |  | ||||||
| 
 |  | ||||||
|    - name: Fix sudoers.d |  | ||||||
|      ansible.builtin.copy: |  | ||||||
|       src: 'etc/sudoers.d/qubes' |  | ||||||
|       dest: '/etc/sudoers.d/qubes' |  | ||||||
|       mode: '0440' |  | ||||||
| 
 |  | ||||||
|    - name: Check that allow all rule doesn't exist |  | ||||||
|      stat: |  | ||||||
|        path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules' |  | ||||||
|      register: allow_all_result |  | ||||||
| 
 |  | ||||||
|    - name: Delete allow all rule |  | ||||||
|      ansible.builtin.file: |  | ||||||
|       path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules' |  | ||||||
|       state: 'absent' |  | ||||||
|      when: allow_all_result.stat.exists |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
|    - name: Drop flathub script to homedir for any new appvms created based on this template |  | ||||||
|      ansible.builtin.copy: |  | ||||||
|       src: 'etc/skel/flathub.sh' |  | ||||||
|       dest: '/etc/skel/flathub.sh' |  | ||||||
|       mode: '0700' |  | ||||||
|  | @ -1 +0,0 @@ | ||||||
| packages_to_remove: |  | ||||||
|  | @ -1,20 +0,0 @@ | ||||||
| # Generated by authselect |  | ||||||
| # Do not modify this file manually, use authselect instead. Any user changes will be overwritten. |  | ||||||
| # You can stop authselect from managing your configuration by calling 'authselect opt-out'. |  | ||||||
| # See authselect(8) for more details. |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| auth        [success=1 default=ignore]                   pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$ |  | ||||||
| auth        requisite                                    pam_deny.so |  | ||||||
| auth        required                                     pam_permit.so |  | ||||||
| account     required                                     pam_unix.so |  | ||||||
| 
 |  | ||||||
| password    requisite                                    pam_pwquality.so |  | ||||||
| password    sufficient                                   pam_unix.so yescrypt shadow nullok use_authtok |  | ||||||
| password    required                                     pam_deny.so |  | ||||||
| 
 |  | ||||||
| session     optional                                     pam_keyinit.so revoke |  | ||||||
| session     required                                     pam_limits.so |  | ||||||
| -session    optional                                     pam_systemd.so |  | ||||||
| session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid |  | ||||||
| session     required                                     pam_unix.so |  | ||||||
|  | @ -1,2 +0,0 @@ | ||||||
| [org/gnome/desktop/interface] |  | ||||||
| gtk-theme='adw-gtk3-dark' |  | ||||||
|  | @ -1,4 +0,0 @@ | ||||||
| [org/gnome/desktop/media-handling] |  | ||||||
| automount=false |  | ||||||
| automount-open=false |  | ||||||
| autorun-never=true |  | ||||||
|  | @ -1,3 +0,0 @@ | ||||||
| org/gnome/desktop/media-handling/automount |  | ||||||
| org/gnome/desktop/media-handling/automount-open |  | ||||||
| /org/gnome/desktop/media-handling/autorun-never |  | ||||||
|  | @ -1,14 +0,0 @@ | ||||||
| /org/gnome/system/location/enabled |  | ||||||
| 
 |  | ||||||
| /org/gnome/desktop/privacy/remember-recent-files |  | ||||||
| /org/gnome/desktop/privacy/remove-old-trash-files |  | ||||||
| /org/gnome/desktop/privacy/remove-old-temp-files |  | ||||||
| /org/gnome/desktop/privacy/report-technical-problems |  | ||||||
| /org/gnome/desktop/privacy/send-software-usage-stats |  | ||||||
| /org/gnome/desktop/privacy/remember-app-usage |  | ||||||
| 
 |  | ||||||
| /org/gnome/online-accounts/whitelisted-providers |  | ||||||
| 
 |  | ||||||
| /org/gnome/desktop/remote-desktop/rdp/enable |  | ||||||
| 
 |  | ||||||
| /org/gnome/desktop/remote-desktop/vnc/enable |  | ||||||
|  | @ -1,2 +0,0 @@ | ||||||
| [org/gnome/desktop/interface] |  | ||||||
| color-scheme='prefer-dark' |  | ||||||
|  | @ -1,16 +0,0 @@ | ||||||
| [org/gnome/system/location] |  | ||||||
| enabled=false |  | ||||||
| 
 |  | ||||||
| [org/gnome/desktop/privacy] |  | ||||||
| remember-recent-files=false |  | ||||||
| remove-old-trash-files=true |  | ||||||
| remove-old-temp-files=true |  | ||||||
| report-technical-problems=false |  | ||||||
| send-software-usage-stats=false |  | ||||||
| remember-app-usage=false |  | ||||||
| 
 |  | ||||||
| [org/gnome/desktop/remote-desktop/rdp] |  | ||||||
| enable=false |  | ||||||
| 
 |  | ||||||
| [org/gnome/desktop/remote-desktop/vnc] |  | ||||||
| enable=false |  | ||||||
|  | @ -1,11 +0,0 @@ | ||||||
| [main] |  | ||||||
| gpgcheck=True |  | ||||||
| installonly_limit=3 |  | ||||||
| clean_requirements_on_remove=True |  | ||||||
| best=False |  | ||||||
| skip_if_unavailable=True |  | ||||||
| max_parallel_downloads=10 |  | ||||||
| deltarpm=False |  | ||||||
| defaultyes=True |  | ||||||
| install_weak_deps=False |  | ||||||
| countme=False |  | ||||||
|  | @ -1,3 +0,0 @@ | ||||||
| JavaScriptCoreUseJIT=0 |  | ||||||
| GJS_DISABLE_JIT=1 |  | ||||||
| XDG_CURRENT_DESKTOP=GNOME |  | ||||||
|  | @ -1 +0,0 @@ | ||||||
| libhardened_malloc.so |  | ||||||
|  | @ -1,114 +0,0 @@ | ||||||
| # unused network protocols |  | ||||||
| install dccp /bin/false |  | ||||||
| install sctp /bin/false |  | ||||||
| install rds /bin/false |  | ||||||
| install tipc /bin/false |  | ||||||
| install n-hdlc /bin/false |  | ||||||
| install ax25 /bin/false |  | ||||||
| install netrom /bin/false |  | ||||||
| install x25 /bin/false |  | ||||||
| install rose /bin/false |  | ||||||
| install decnet /bin/false |  | ||||||
| install econet /bin/false |  | ||||||
| install af_802154 /bin/false |  | ||||||
| install ipx /bin/false |  | ||||||
| install appletalk /bin/false |  | ||||||
| install psnap /bin/false |  | ||||||
| install p8023 /bin/false |  | ||||||
| install p8022 /bin/false |  | ||||||
| install can /bin/false |  | ||||||
| install atm /bin/false |  | ||||||
| 
 |  | ||||||
| # firewire and thunderbolt |  | ||||||
| install firewire-core /bin/false |  | ||||||
| install firewire_core /bin/false |  | ||||||
| install firewire-ohci /bin/false |  | ||||||
| install firewire_ohci /bin/false |  | ||||||
| install firewire_sbp2 /bin/false |  | ||||||
| install firewire-sbp2 /bin/false |  | ||||||
| install firewire-net /bin/false |  | ||||||
| install thunderbolt /bin/false |  | ||||||
| install ohci1394 /bin/false |  | ||||||
| install sbp2 /bin/false |  | ||||||
| install dv1394 /bin/false |  | ||||||
| install raw1394 /bin/false |  | ||||||
| install video1394 /bin/false |  | ||||||
| 
 |  | ||||||
| # unused filesystems |  | ||||||
| install cramfs /bin/false |  | ||||||
| install freevxfs /bin/false |  | ||||||
| install jffs2 /bin/false |  | ||||||
| install hfs /bin/false |  | ||||||
| install hfsplus /bin/false |  | ||||||
| install squashfs /bin/false |  | ||||||
| install udf /bin/false |  | ||||||
| install cifs /bin/false |  | ||||||
| install nfs /bin/false |  | ||||||
| install nfsv3 /bin/false |  | ||||||
| install nfsv4 /bin/false |  | ||||||
| install ksmbd /bin/false |  | ||||||
| install gfs2 /bin/false |  | ||||||
| install reiserfs /bin/false |  | ||||||
| install kafs /bin/false |  | ||||||
| install orangefs /bin/false |  | ||||||
| install 9p /bin/false |  | ||||||
| install adfs /bin/false |  | ||||||
| install affs /bin/false |  | ||||||
| install afs /bin/false |  | ||||||
| install befs /bin/false |  | ||||||
| install ceph /bin/false |  | ||||||
| install coda /bin/false |  | ||||||
| install ecryptfs /bin/false |  | ||||||
| install erofs /bin/false |  | ||||||
| install jfs /bin/false |  | ||||||
| install minix /bin/false |  | ||||||
| install netfs /bin/false |  | ||||||
| install nilfs2 /bin/false |  | ||||||
| install ocfs2 /bin/false |  | ||||||
| install romfs /bin/false |  | ||||||
| install ubifs /bin/false |  | ||||||
| install zonefs /bin/false |  | ||||||
| install sysv /bin/false |  | ||||||
| install ufs /bin/false |  | ||||||
| 
 |  | ||||||
| # disable vivid |  | ||||||
| install vivid /bin/false |  | ||||||
| 
 |  | ||||||
| # disable GNSS |  | ||||||
| install gnss /bin/false |  | ||||||
| install gnss-mtk /bin/false |  | ||||||
| install gnss-serial /bin/false |  | ||||||
| install gnss-sirf /bin/false |  | ||||||
| install gnss-usb /bin/false |  | ||||||
| install gnss-ubx /bin/false |  | ||||||
| 
 |  | ||||||
| # https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns |  | ||||||
| install bluetooth /bin/false |  | ||||||
| install btusb /bin/false |  | ||||||
| 
 |  | ||||||
| # blacklist ath_pci |  | ||||||
| blacklist ath_pci |  | ||||||
| 
 |  | ||||||
| # blacklist cdrom |  | ||||||
| blacklist cdrom |  | ||||||
| blacklist sr_mod |  | ||||||
| 
 |  | ||||||
| # blacklist framebuffer drivers |  | ||||||
| # source, ubuntu: https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf |  | ||||||
| blacklist cyber2000fb |  | ||||||
| blacklist cyblafb |  | ||||||
| blacklist gx1fb |  | ||||||
| blacklist hgafb |  | ||||||
| blacklist kyrofb |  | ||||||
| blacklist lxfb |  | ||||||
| blacklist matroxfb_base |  | ||||||
| blacklist neofb |  | ||||||
| blacklist nvidiafb |  | ||||||
| blacklist pm2fb |  | ||||||
| blacklist s1d13xxxfb |  | ||||||
| blacklist sisfb |  | ||||||
| blacklist tdfxfb |  | ||||||
| blacklist vesafb |  | ||||||
| blacklist vfb |  | ||||||
| blacklist vt8623fb |  | ||||||
| blacklist udlfb |  | ||||||
|  | @ -1 +0,0 @@ | ||||||
| * hard core 0 |  | ||||||
|  | @ -1,2 +0,0 @@ | ||||||
| flatpak remote-add --if-not-exists --user flathub https://dl.flathub.org/repo/flathub.flatpakrepo |  | ||||||
| systemctl enable --user --now update-user-flatpaks.timer |  | ||||||
|  | @ -1,2 +0,0 @@ | ||||||
| GSSAPIAuthentication no |  | ||||||
| VerifyHostKeyDNS yes |  | ||||||
|  | @ -1,4 +0,0 @@ | ||||||
| Defaults !requiretty |  | ||||||
| user ALL=(ALL) ALL |  | ||||||
| 
 |  | ||||||
| # vim: ft=sudoers |  | ||||||
|  | @ -1,2 +0,0 @@ | ||||||
| [Coredump] |  | ||||||
| Storage=none |  | ||||||
|  | @ -1,28 +0,0 @@ | ||||||
| [Service] |  | ||||||
| # Hardening |  | ||||||
| CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT |  | ||||||
| LockPersonality=true |  | ||||||
| MemoryDenyWriteExecute=true |  | ||||||
| #PrivateDevices=true #breaks tun usage |  | ||||||
| #ProtectProc=invisible |  | ||||||
| PrivateTmp=yes |  | ||||||
| ProtectClock=true |  | ||||||
| ProtectControlGroups=true |  | ||||||
| ProtectHome=read-only |  | ||||||
| ProtectKernelLogs=true |  | ||||||
| #ProtectKernelModules=true |  | ||||||
| #ProtectSystem=strict |  | ||||||
| #ReadOnlyPaths=/etc/NetworkManager |  | ||||||
| ReadOnlyPaths=-/home |  | ||||||
| #ReadWritePaths=-/etc/NetworkManager/system-connections |  | ||||||
| ReadWritePaths=-/etc/sysconfig/network-scripts |  | ||||||
| ReadWritePaths=/var/lib/NetworkManager |  | ||||||
| ReadWritePaths=-/var/run/NetworkManager |  | ||||||
| ReadWritePaths=-/run/NetworkManager |  | ||||||
| RemoveIPC=true |  | ||||||
| RestrictNamespaces=true |  | ||||||
| RestrictRealtime=true |  | ||||||
| RestrictSUIDSGID=true |  | ||||||
| SystemCallArchitectures=native |  | ||||||
| SystemCallFilter=@system-service |  | ||||||
| UMask=0077 |  | ||||||
|  | @ -1,6 +0,0 @@ | ||||||
| [Unit] |  | ||||||
| Description=Update user Flatpaks |  | ||||||
| 
 |  | ||||||
| [Service] |  | ||||||
| Type=oneshot |  | ||||||
| ExecStart=/usr/bin/flatpak --user update -y |  | ||||||
|  | @ -1,9 +0,0 @@ | ||||||
| [Unit] |  | ||||||
| Description=Update user Flatpaks daily |  | ||||||
| 
 |  | ||||||
| [Timer] |  | ||||||
| OnCalendar=daily |  | ||||||
| Persistent=true |  | ||||||
| 
 |  | ||||||
| [Install] |  | ||||||
| WantedBy=timers.target |  | ||||||
|  | @ -1,4 +0,0 @@ | ||||||
| [zram0] |  | ||||||
| zram-fraction = 1 |  | ||||||
| max-zram-size = 8192 |  | ||||||
| compression-algorithm = zstd |  | ||||||
|  | @ -1,2 +0,0 @@ | ||||||
| [preferred] |  | ||||||
| default=gtk; |  | ||||||
|  | @ -1,49 +0,0 @@ | ||||||
| --- |  | ||||||
| - name: Check that the sudo-dom0-prompt exists |  | ||||||
|   stat: |  | ||||||
|     path: '/etc/authselect/custom/sudo-dom0-prompt' |  | ||||||
|   register: stat_result |  | ||||||
| 
 |  | ||||||
| - name: Create authselect profile |  | ||||||
|   shell: authselect create-profile sudo-dom0-prompt --base-on=sssd --symlink-meta --symlink-pam |  | ||||||
|   when: not stat_result.stat.exists |  | ||||||
| 
 |  | ||||||
| - name: Copy authselect file |  | ||||||
|   ansible.builtin.copy: |  | ||||||
|     src: '/etc/authselect/custom/sudo-dom0-prompt/system-auth' |  | ||||||
|     dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth.original_aside' |  | ||||||
|     mode: '0644' |  | ||||||
| 
 |  | ||||||
| - name: Copy authselect folder |  | ||||||
|   ansible.builtin.copy: |  | ||||||
|     src: '/etc/authselect/system-auth' |  | ||||||
|     dest: '/etc/authselect/custom/sudo-dom0-prompt' |  | ||||||
|     mode: '0755' |  | ||||||
| 
 |  | ||||||
| - name: Copy authselect file |  | ||||||
|   ansible.builtin.copy: |  | ||||||
|     src: 'etc/authselect/custom/sudo-dom0-prompt/system-auth' |  | ||||||
|     dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth' |  | ||||||
|     mode: '0644' |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| - name: Select authselect profile |  | ||||||
|   shell: authselect select custom/sudo-dom0-prompt |  | ||||||
| 
 |  | ||||||
| - name: Fix sudoers.d |  | ||||||
|   ansible.builtin.copy: |  | ||||||
|     src: 'etc/sudoers.d/qubes' |  | ||||||
|     dest: '/etc/sudoers.d/qubes' |  | ||||||
|     mode: '0440' |  | ||||||
| 
 |  | ||||||
| - name: Check that allow all rule doesn't exist |  | ||||||
|   stat: |  | ||||||
|     path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules' |  | ||||||
|   register: allow_all_result |  | ||||||
| 
 |  | ||||||
| - name: Delete allow all rule |  | ||||||
|   ansible.builtin.file: |  | ||||||
|     path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules' |  | ||||||
|     state: 'absent' |  | ||||||
|   when: allow_all_result.stat.exists |  | ||||||
| 
 |  | ||||||
							
								
								
									
							
						
						
									
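--- /dev/null
+++ b/roles/suid_role/tasks/main.yaml
@@ -0,0 +1,7 @@
+---
+- name: Check that the sudo-dom0-prompt exists
+  stat:
+    path: '/etc/authselect/custom/sudo-dom0-prompt'
+  register: stat_result
+
+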
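Review bot: The `stat` task in the new roles/suid_role/tasks/main.yaml registers `stat_result`, but nothing in the file consumes it, so as committed the role checks for the authselect profile and then acts on nothing; it also appears to be a copy of the first step of the deleted sudo-dom0-prompt task list rather than anything about SUID binaries, which the role's path name suggests. If the authselect/sudoers/polkit sequence is meant to move here, the remaining steps still need to come back, in particular the removal of `/etc/polkit-1/rules.d/00-qubes-allow-all.rules`, which this commit deletes without re-creating anywhere I can see. Use the fully qualified module name, `ansible.builtin.stat:`, to match the `ansible.builtin.copy` / `ansible.builtin.file` style used elsewhere in the tree, and drop the two trailing blank lines at the end of the file.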
|  | @ -22,6 +22,7 @@ | ||||||
|     name: |     name: | ||||||
|       - '*' |       - '*' | ||||||
|     state: 'latest' |     state: 'latest' | ||||||
|  | 
 | ||||||
| - name: Install trivalent/ffmpeg packages | - name: Install trivalent/ffmpeg packages | ||||||
|   ansible.builtin.dnf5: |   ansible.builtin.dnf5: | ||||||
|     name: |     name: | ||||||
|  |  | ||||||