From 24ae20c85453e52f5bf8004a4265b3965cbd822e Mon Sep 17 00:00:00 2001
From: Price Hiller
Date: Fri, 27 Sep 2024 02:36:09 -0500
Subject: [PATCH] feat(hosts/orion): improve security options
---
 hosts/orion/modules/polkit.nix | 6 ----
 hosts/orion/modules/security.nix | 49 ++++++++++++++++++++++++++++++++
 hosts/orion/os/boot.nix | 3 +-
 3 files changed, 50 insertions(+), 8 deletions(-)
 delete mode 100644 hosts/orion/modules/polkit.nix
 create mode 100644 hosts/orion/modules/security.nix
diff --git a/hosts/orion/modules/polkit.nix b/hosts/orion/modules/polkit.nix
deleted file mode 100644
index 93cbf93f..00000000
--- a/hosts/orion/modules/polkit.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ ... }:
-{
- security.polkit = {
- enable = true;
- };
-}
diff --git a/hosts/orion/modules/security.nix b/hosts/orion/modules/security.nix
new file mode 100644
index 00000000..197a54f4
--- /dev/null
+++ b/hosts/orion/modules/security.nix
@@ -0,0 +1,49 @@
+{ ... }:
+{
+ security = {
+ polkit = {
+ enable = true;
+ };
+ sudo.execWheelOnly = true;
+ auditd.enable = true;
+ audit = {
+ enable = true;
+ rules = [
+ # Program Executions
+ "-a exit,always -F arch=b64 -S execve -F key=progexec"
+
+ # Home path access/modification
+ "-a always,exit -F arch=b64 -F dir=/home -F perm=war -F key=homeaccess"
+
+ # Kexec usage
+ "-a always,exit -F arch=b64 -S kexec_load -F key=KEXEC"
+
+ # Root directory access/modification
+ "-a always,exit -F arch=b64 -F dir=/root -F key=roothomeaccess -F perm=war"
+
+ # Failed Modifications of critcal paths
+ "-a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -F key=unauthedfileaccess"
+ "-a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -F key=unauthedfileaccess"
+ "-a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -F key=unauthedfileaccess"
+ "-a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -F key=unauthedfileaccess"
+ "-a always,exit -F arch=b64 -S open -F dir=/srv -F success=0 -F key=unauthedfileaccess"
+ "-a always,exit -F arch=b64 -S open -F dir=/boot -F success=0 -F key=unauthedfileaccess"
+ "-a always,exit -F arch=b64 -S open -F dir=/nix -F success=0 -F key=unauthedfileaccess"
+ "-a always,exit -F arch=b64 -S open -F dir=/persist -F success=0 -F key=unauthedfileaccess"
+
+ # File deletion events by users
+ "-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -F key=delete"
+
+ # Root command executions
+ "-a always,exit -F arch=b64 -F euid=0 -F auid>=1000 -F auid!=-1 -S execve -F key=rootcmd"
+ ];
+ };
+ };
+ boot.kernel.sysctl = {
+ "net.ipv4.conf.all.log_martions" = true;
+ "net.ipv4.conf.all.rp_filter" = 1;
+ "net.ipv4.conf.default.log_martions" = true;
+ "net.ipv4.conf.default.rp_filter" = 1;
+ "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
+ };
+}
\ No newline at end of file
diff --git a/hosts/orion/os/boot.nix b/hosts/orion/os/boot.nix
index 3de51367..61b5e422 100644
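Review bot: The two `log_martions` keys in the new `boot.kernel.sysctl` block are misspelled, so systemd-sysctl will report the key as missing and skip it at boot and martian-packet logging never actually takes effect; they should read `"net.ipv4.conf.all.log_martians" = true;` and `"net.ipv4.conf.default.log_martians" = true;`. The eight `unauthedfileaccess` rules hook only `-S open`, but glibc implements open() through the `openat` syscall on x86_64, so a failed write to /etc or /boot by an ordinary program will not match at all; add `-S openat -S openat2 -S creat -S truncate -S ftruncate` and prefer `-F exit=-EACCES` / `-F exit=-EPERM` over `-F success=0`, which would otherwise also record every ENOENT lookup miss under /nix and /home. The syscall exit filter stops at the first rule that matches, so with the catch-all `progexec` execve rule loaded first the more specific `rootcmd` rule (`-F euid=0 -F auid>=1000`) and its key can never be applied; move it above the generic execve rule. The comment `critcal paths` is also a typo for `critical paths`.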
--- a/hosts/orion/os/boot.nix
+++ b/hosts/orion/os/boot.nix
@@ -39,7 +39,6 @@ in
 };
 kernelPackages = pkgs.linuxPackages_latest;
 kernelModules = [ "kvm-intel" ];
- kernelParams = [ "audit=1" ];
 extraModulePackages = [ ];
 initrd = {
 availableKernelModules = [
@@ -56,4 +55,4 @@ in
 };
 };
 };
-}
+}
\ No newline at end of file
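Review bot: Dropping `kernelParams = [ "audit=1" ];` in the first hunk weakens the audit setup this same commit introduces: without `audit=1` on the command line the kernel only attaches an audit context to tasks created after `auditctl -e 1` runs, so PID 1 and every process started before the audit service are invisible to the new execve and file rules. Unless the NixOS `security.audit` module adds that parameter itself (I cannot confirm that from this diff), keep `kernelParams = [ "audit=1" ];` next to `security.audit.enable = true;`. The second hunk also replaces the final `}` with one lacking a newline at end of file, which is a cosmetic regression worth reverting. The `boot` attribute set these hunks edit appears to begin before the first hunk and is not fully visible here.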