MinBZK/DAWO-NixOS
33
3
Fork 0
Code Issues 14 Pull requests 4 Projects Releases Wiki Activity Actions

Add BIO/NCSC hardening as opt-in modules (nothing auto-enabled) #6

New issue
Closed
opened 2026-06-18 07:39:34 +00:00 by bram.buijs · 3 comments
bram.buijs commented 2026-06-18 07:39:34 +00:00
Collaborator
Copy link

The generic profile ships secure boot, the desktop and networking/client, but no system hardening, no audit/log/time sources and no USB control. For a government workstation the measuring stick is BIO + the NCSC guidelines, so today every operator adds all of that per host by hand. I run these controls on my own deployment and would like to upstream them.

Proposal: a set of hardening capabilities, one file each under modules/<category>/, following the existing layout. All opt-in, nothing is auto-enabled in profiles-dawo-generic. The generic image stays the neutral grounding; the org/host picks the posture by importing what it wants. That keeps the image org-neutral and avoids forcing policy on a consumer.

Set: boot/hardening, nixos/hardening, services/{openssh,journald,chrony}, services/usbguard (default-off and needs an allowlist, otherwise it blocks newly plugged devices, which is the obvious foot-gun), plus the more specialised nixos/{apparmor,pam-u2f,pam-oath,pki-overheid}, services/{pcscd,auditd} and networking/{dns-tls,egress-deny}.

Every control is mapped to its norm and origin in docs/standards.md (BIO/NCSC, with CIS-DIL / ANSSI R-numbers / DISA STIG cross-refs and what came from securix/bureautix). It also lists the deliberate deviations. For example module loading and IPv6 are not disabled, because those break Netbird/WireGuard and connectivity respectively, and no SIEM shipper is included, since that is the org's choice and we only provide the sources.

A draft is up on my fork for reference: bram.buijs:feat/overheid-baseline.

Question: is this welcome upstream, and is "ship everything, auto-enable nothing" the right default posture versus a small always-on base set? If so I'll open the PR.

The generic profile ships secure boot, the desktop and `networking/client`, but no system hardening, no audit/log/time sources and no USB control. For a government workstation the measuring stick is BIO + the NCSC guidelines, so today every operator adds all of that per host by hand. I run these controls on my own deployment and would like to upstream them. **Proposal:** a set of hardening capabilities, one file each under `modules/<category>/`, following the existing layout. All opt-in, nothing is auto-enabled in `profiles-dawo-generic`. The generic image stays the neutral grounding; the org/host picks the posture by importing what it wants. That keeps the image org-neutral and avoids forcing policy on a consumer. Set: `boot/hardening`, `nixos/hardening`, `services/{openssh,journald,chrony}`, `services/usbguard` (default-off and needs an allowlist, otherwise it blocks newly plugged devices, which is the obvious foot-gun), plus the more specialised `nixos/{apparmor,pam-u2f,pam-oath,pki-overheid}`, `services/{pcscd,auditd}` and `networking/{dns-tls,egress-deny}`. Every control is mapped to its norm and origin in `docs/standards.md` (BIO/NCSC, with CIS-DIL / ANSSI R-numbers / DISA STIG cross-refs and what came from securix/bureautix). It also lists the deliberate deviations. For example module loading and IPv6 are not disabled, because those break Netbird/WireGuard and connectivity respectively, and no SIEM shipper is included, since that is the org's choice and we only provide the sources. A draft is up on my fork for reference: `bram.buijs:feat/overheid-baseline`. **Question:** is this welcome upstream, and is "ship everything, auto-enable nothing" the right default posture versus a small always-on base set? If so I'll open the PR.
bram.buijs changed title from Hardening als opt-in modules (BIO/NCSC) — niks standaard aan to Hardening als opt-in modules (BIO/NCSC). Geen modules standaard aan 2026-06-18 07:44:08 +00:00
bram.buijs changed title from Hardening als opt-in modules (BIO/NCSC). Geen modules standaard aan to Add BIO/NCSC hardening as opt-in modules (nothing auto-enabled) 2026-06-18 07:49:42 +00:00
rutger.putter commented 2026-06-18 07:53:41 +00:00
Collaborator
Copy link

@bram.buijs zie de overkoepelende discussie in #8

@bram.buijs zie de overkoepelende discussie in #8
rutger.putter commented 2026-06-18 11:07:52 +00:00
Collaborator
Copy link

@bram.buijs since we're adopting the workflow you've suggested in #8 (comment) , can we close this issue and continue the conversation there?

@bram.buijs since we're adopting the workflow you've suggested in https://code.overheid.nl/MinBZK/DAWO-NixOS/issues/8#issuecomment-630 , can we close this issue and continue the conversation there?
bram.buijs commented 2026-06-18 11:59:45 +00:00
Author
Collaborator
Copy link

Yes, will close this issue.

Yes, will close this issue.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
release/0.1.0
No results found.
Labels
Clear labels   
Compat/Breaking
Breaking change that won't be backward compatible

  
Kind/Bug
Something is not working

  
Kind/Discussion
Any topic that needs discussion before a technical solution is accepted

  
Kind/Documentation
Documentation changes

  
Kind/Enhancement
Improve existing functionality

  
Kind/Feature
New functionality

  
Kind/Security
This is security issue

  
Kind/Testing
Issue or pull request related to testing

  
Priority
Critical
 The priority is critical

  
Priority
High
 The priority is high

  
Priority
Low
 The priority is low

  
Priority
Medium
 The priority is medium

  
Reviewed
Confirmed
 Issue has been confirmed

  
Reviewed
Duplicate
 This issue or pull request already exists

  
Reviewed
Invalid
 Invalid issue

  
Reviewed
Won't Fix
 This issue won't be fixed

  
Status
Abandoned
 Somebody has started to work on this but abandoned work

  
Status
Blocked
 Something is blocking this issue or pull request

  
Status
Help Wanted
 If you're looking to help out, start here

  
Status
Need More Info
 Feedback is required to reproduce issue or to continue work

  
Prio - Hoog
Hoge prioriteit

  
Prio - Laag
Lage prioriteit

  
Prio - Middel
Medium prioriteit

  
styling
Verbeteringen aan de styling

No labels
Compat/Breaking
Kind/Bug
Kind/Discussion
Kind/Documentation
Kind/Enhancement
Kind/Feature
Kind/Security
Kind/Testing
Priority
Critical
Priority
High
Priority
Low
Priority
Medium
Reviewed
Confirmed
Reviewed
Duplicate
Reviewed
Invalid
Reviewed
Won't Fix
Status
Abandoned
Status
Blocked
Status
Help Wanted
Status
Need More Info
Prio - Hoog
Prio - Laag
Prio - Middel
styling
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
MinBZK/DAWO-NixOS#6
No description provided.