
service: disable journald on graphical

master
parent
commit
804fc2c179
Signed by: govanify GPG Key ID: DE62E1E2A6145556
5 changed files with 63 additions and 2 deletions
  1. +1
    -1
      components/hardening.nix
  2. +10
    -1
      components/headfull/graphical/wm.nix
  3. +2
    -0
      profiles/default.nix
  4. +50
    -0
      profiles/graphical.nix
  5. BIN
      secrets/infrastructure/xanadu/boot-dm.nix

+ 1
- 1
components/hardening.nix

@ -71,6 +71,6 @@ in
nix.useSandbox = true;
# ssh attacks & co are flooding my logs
services.fail2ban.enable = true;
services.fail2ban.enable = mkDefault true;
};
}
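Review bot: `mkDefault` is used unqualified here while the graphical profile in this same commit writes `lib.mkForce`; make sure `lib` is actually in scope in this file (a `with lib;` or `inherit (lib) mkDefault;` before the `in`), otherwise evaluation fails with an undefined variable. Lowering the priority is the right way to let a profile's plain `services.fail2ban.enable = false;` win, but the comment "ssh attacks & co are flooding my logs" now only describes hosts that do not override it; a one-line note that profiles may turn this off would save the next reader a search.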

+ 10
- 1
components/headfull/graphical/wm.nix

@ -325,6 +325,15 @@ in
};
};
# sway drops its privileges as soon as it finishes setting up its display,
# well before it parses any configuration. The chance of this being
# exploitable is ~0. It would have gathered those rights regardless if
# PolKit was installed, so this is just a workaround to avoid having the
# whole machinery
security.wrappers = {
sway.source = "${pkgs.sway}/bin/sway";
};
systemd.user.services.swaywm = {
description = "Sway - Wayland window manager";
documentation = [ "man:sway(5)" ];
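Review bot: the comment stops mid-sentence at "avoid having the whole machinery"; the previous sentence mentions PolKit, so presumably that is the machinery meant, but finish the sentence so the rationale is complete. More importantly, the wrapper is declared with only `source`, so the privileges it grants (setuid root versus a specific capability set, owner, group) are whatever the NixOS module default happens to be and are not visible in the diff; spell them out, e.g. `sway = { source = "${pkgs.sway}/bin/sway"; owner = "root"; group = "root"; setuid = true; };`, so review can see exactly what is granted and the config keeps its meaning if the module's defaults change. The "~0" exploitability claim covers only the window before sway drops privileges; during that window a full Wayland compositor binary runs as root, so the trade-off is better stated as accepted than as negligible.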
@ -337,7 +346,7 @@ in
serviceConfig = {
Type = "simple";
ExecStart = ''
${pkgs.sway}/bin/sway
/run/wrappers/bin/sway
'';
Restart = "on-failure";
RestartSec = 1;
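Review bot: `ExecStart` now hard-codes `/run/wrappers/bin/sway`, which silently couples this user unit to the `security.wrappers.sway` entry added above; if that entry is ever removed the unit fails at start and `Restart = "on-failure"` with `RestartSec = 1` retries it every second. Assuming `config` is among the module arguments, `${config.security.wrapperDir}/sway` (the NixOS option that defines the wrapper directory) keeps the path in sync, and a comment on the unit pointing at the wrapper makes the dependency visible.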


+ 2
- 0
profiles/default.nix

@ -106,6 +106,8 @@ with lib;
services.nscd.enable = false;
system.nssModules = mkForce [ ];
#security.polkit.enable = false;
navi.components = {
bootloader = {
enable = true;
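Review bot: `#security.polkit.enable = false;` is a commented-out setting with no explanation; a disabled line in a base profile is dead configuration the next reader cannot interpret. Either drop it or replace it with a comment stating the actual state (the wm.nix hunk in this commit says polkit is not installed, so say where that is decided and why the explicit `false` was left out).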


+ 50
- 0
profiles/graphical.nix

@ -75,6 +75,56 @@ with lib;
];
# I'll probably be chastised as a heretic for what I'm about to say but here
# we goooooooooo.
# We don't need logging on graphical devices
# What? Why? The agony! To understand all of that let me try to explain the
# reasoning behind all of this.
# First of all, your graphical devices don't run services continuously that
# have a state and are of critical importance. If you do, you have a server,
# which optionally hosts a graphical device.
# Second of all, all logging doesn't magically go away! The kernel ring
# buffer exists, up until a reboot that is.
# Now, let's consider in a user facing device why one person would want to
# see its logs, I see three main reasons:
# 1. checking the boot time/understanding the boot process
# 2. inspecting a weird crash
# 3. forensics, forensics, forensics
#
# so, for 1. you can just get dmesg, easy, you don't care about previous
# boots. for 2. you can still use dmesg but, you will say, what of crashes
# of applications of previous boots? Well you can still inspect the
# coredump, which will give substantially more information. And what of a
# kernel crash you will say? Well there's a funny thing here, if the kernel
# crashes, afaik journald won't log the crash, so we're screwed regardless
# unless we setup a Kdump.
# And, for 3., you'll realize that if you don't have services, you have
# nothing to log! What do you want to do forensics onto? Empty air? Unless
# your malicious actor likes to use syslog as a playground nothing of
# interest will be logged there, and if you're interested about when stuff
# happened coredumps have timestamps. A well engineered exploit won't log
# shit in the syslog, so you'll need to find another way to find what was
# exploited regardless.
# For those reasons, graphical only devices will not get journald.
# *bonk*
systemd.services.systemd-journal-flush.enable = lib.mkForce false;
systemd.services.systemd-journald.enable = lib.mkForce false;
systemd.sockets.systemd-journald-audit.enable = lib.mkForce false;
systemd.sockets.systemd-journald-dev-log.enable = lib.mkForce false;
systemd.sockets.systemd-journald.enable = lib.mkForce false;
# a side-effect of disabling journaling is that we cannot have fail2ban. But
# the effect is somewhat limited as the only "service" which fail2ban looks
# at on user facing devices is ssh, which is pubkey only. But if we have no
# logs we don't really care about it on headfull devices, really, either the
# attacker has your pubkey, and you have much, _much_ bigger problems, or
# you'll just slam your head against a wall. Also, for the people thinking
# you'd need to enable loggin in case of this case of figure, I'll let you
# know there are other ways to do forensics for such a situation and that if
# the attacker is able to hide one log, he's able to hide all of them, and
# the inverse is true.
services.fail2ban.enable = false;
# give you the rights to inspect traffic as this is a single user box/not a
# server, android funsies and realtime audio access for ardour and jack
programs.wireshark.enable = true;
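Review bot: reason 2 in the comment ("inspect the coredump") does not hold once journald is gone: `systemd-coredump` records crash metadata in the journal and `coredumpctl` reads it from there, so with `systemd-journald` and its sockets disabled you keep raw core files at best and lose the indexed list; state how crashes will be examined instead (a plain `kernel.core_pattern` pointing at a directory, for example), or keep the journal volatile (`Storage=volatile` in journald.conf) rather than disabling the daemon outright. Disabling the `systemd-journald-dev-log` socket also removes `/dev/log`, so everything that calls syslog(3), including sudo and PAM authentication messages on this machine, has nowhere to write; that is exactly the "when did this happen" data the forensics paragraph dismisses, and it undercuts the premise that "your graphical devices don't run services": this same commit adds a `swaywm` user service whose stdout and stderr now go nowhere. Minor: "loggin" should be "logging", and "in case of this case of figure" reads as "in such a case".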


BIN
secrets/infrastructure/xanadu/boot-dm.nix

