feat: add BIO/NCSC hardening modules (opt-in) #12

Closed
bram.buijs wants to merge 1 commit from bram.buijs/DAWO-NixOS:pr-hardening into main
Collaborator

Adds a set of hardening capabilities, each one file under modules/<category>/
following the existing layout, as discussed in #6. All opt-in -
profiles-dawo-generic enables none of them; a host imports what it wants.

Modules:

  • boot/hardening, memory-hardening kernelParams
  • nixos/hardening, sysctl, sudo wheel-only, tmp mount options, login banner
  • services/openssh, strict SSH (no root, MaxAuthTries, modern crypto)
  • services/journald, persistent logs (source, no shipper)
  • services/chrony, NL NTP
  • services/usbguard, block new / allow present; default-off and needs an
    allowlist (services.usbguard.rules), otherwise it blocks newly plugged
    devices
  • nixos/{apparmor,pam-u2f,pam-oath,pki-overheid}, services/{pcscd,auditd}
    (auditd stubbed for the auditctl bug), networking/{dns-tls,egress-deny}
    (egress-deny a no-op until the allowlist is built)

Each module header carries its norm/origin, and docs/standards.md maps every
item to BIO/NCSC, CIS-DIL, the ANSSI R-numbers and the DISA STIG, including what
came from securix/bureautix (file + R-number). docs/modules.md documents the
enable workflow. Deliberate deviations (no module-load disable, no IPv6 disable,
SMT/Spectre set left out) are listed in standards.md. No SIEM shipper by
design, the endpoint only provides the generic sources.

Evaluates green across the config.

Build/deploy proof to follow: verifying on a Lenovo T495s before merge.
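As an added illustration of the opt-in pattern the description relies on (this is example code, not code from this PR or from the DAWO-NixOS repository): a host configuration that imports three of the listed modules and supplies the USBGuard allowlist the description says is required. The import paths, the device IDs and the rule lines are assumptions and placeholders; the options used (`services.usbguard.rules`, `presentDevicePolicy`, `insertedDevicePolicy`) are the upstream NixOS options and may differ from what the PR's own module exposes.

```nix
# Added example (not from the DAWO-NixOS repository). A host opting in to
# three hardening modules from the PR. Paths and values are assumptions.
{ config, lib, pkgs, ... }:

{
  imports = [
    ../modules/services/openssh.nix    # assumed path: strict SSH
    ../modules/services/usbguard.nix   # assumed path: block new / allow present
    ../modules/nixos/hardening.nix     # assumed path: sysctl, sudo wheel-only, banner
  ];

  # USBGuard is default-off in the PR and needs an allowlist. With no rules,
  # every device plugged in after boot is blocked, so the host's own hub and
  # keyboard must be listed. The IDs below are constructed placeholders;
  # on a real host generate the list with `usbguard generate-policy` and
  # review it before enabling the service.
  services.usbguard = {
    enable = true;
    presentDevicePolicy = "allow";   # devices present at boot keep working
    insertedDevicePolicy = "block";  # newly plugged devices blocked unless allowlisted
    rules = ''
      allow id 1d6b:0002 name "xHCI Host Controller"        # placeholder root hub
      allow id 1234:5678 with-interface equals { 03:01:01 } # placeholder keyboard
    '';
  };
}
```

The point of the block is that the module itself stays generic: the host, not `profiles-dawo-generic`, decides to import it and carries the allowlist, which is what keeps the default-off behaviour safe for hosts that never opt in.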

Hardening capabilities, one file each under modules/<category>, following the existing layout. All opt-in: profiles-dawo-generic enables none of them; a host imports what it wants. services-usbguard is default-off and needs an allowlist. Norm and origin per item in docs/standards.md (BIO/NCSC, with CIS-DIL / ANSSI / DISA STIG cross-refs and securix/bureautix provenance); docs/modules.md documents the enable workflow. No SIEM shipper by design.
Author
Collaborator

Superseded by #16, which reworks this onto the blocks model (#8): mandatory-core and opt-in hardened tiers, mkForce/mkDefault, build-time asserts. Closing this one in favour of #16.

bram.buijs closed this pull request 2026-06-18 12:23:09 +00:00

Reference
MinBZK/DAWO-NixOS!12