nixos/tests: add tests for exercising various hardening features
This test exercises the linux_hardened kernel along with the various hardening features (enabled via the hardened profile). Move hidepid test from misc, so that misc can go back to testing a vanilla configuration.
This commit is contained in:
parent
ab4fa1cce4
commit
ffa83edf4a
@ -248,6 +248,7 @@ in rec {
|
|||
tests.gocd-server = callTest tests/gocd-server.nix {};
|
||||
tests.gnome3 = callTest tests/gnome3.nix {};
|
||||
tests.gnome3-gdm = callTest tests/gnome3-gdm.nix {};
|
||||
tests.hardened = callTest tests/hardened.nix { };
|
||||
tests.hibernate = callTest tests/hibernate.nix {};
|
||||
tests.hound = callTest tests/hound.nix {};
|
||||
tests.i3wm = callTest tests/i3wm.nix {};
|
||||
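--- /dev/null
+++ b/nixos/tests/hardened.nix
@@ -0,0 +1,31 @@
+import ./make-test.nix ({ pkgs, ...} : {
+name = "hardened";
+meta = with pkgs.stdenv.lib.maintainers; {
+maintainers = [ joachifm ];
+};
+
+machine =
+{ config, lib, pkgs, ... }:
+with lib;
+{ users.users.alice = { isNormalUser = true; extraGroups = [ "proc" ]; };
+users.users.sybil = { isNormalUser = true; group = "wheel"; };
+imports = [ ../modules/profiles/hardened.nix ];
+};
+
+testScript =
+''
+# Test hidepid
+subtest "hidepid", sub {
+$machine->succeed("grep -Fq hidepid=2 /proc/mounts");
+$machine->succeed("[ `su - sybil -c 'pgrep -c -u root'` = 0 ]");
+$machine->succeed("[ `su - alice -c 'pgrep -c -u root'` != 0 ]");
+};
+
+# Test kernel module hardening
+subtest "lock-modules", sub {
+$machine->waitForUnit("multi-user.target");
+# note: this better a be module we normally wouldn't load ...
+$machine->fail("modprobe dccp");
+};
+'';
+})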
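Review bot: The `lock-modules` subtest passes vacuously if `dccp` is merely absent from the kernel build or blacklisted, because `$machine->fail("modprobe dccp")` accepts any non-zero exit and cannot distinguish "module loading is locked" from "module not found". Assuming the hardened profile implements module locking by setting `kernel.modules_disabled` (the profile is imported but not visible in this hunk, so worth confirming), asserting that knob directly before the modprobe call pins the property the test is actually about: `$machine->succeed("grep -qx 1 /proc/sys/kernel/modules_disabled");`. The `hidepid` subtest also runs before the `waitForUnit("multi-user.target")` that only the second subtest performs; hoisting that wait to the top of the script would make both subtests independent of the order they happen to run in. Finally, the comment `# note: this better a be module we normally wouldn't load ...` reads better as `# note: this had better be a module we would not normally load ...`.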
@ -25,8 +25,6 @@ import ./make-test.nix ({ pkgs, ...} : {
|
|||
};
|
||||
users.users.sybil = { isNormalUser = true; group = "wheel"; };
|
||||
security.sudo = { enable = true; wheelNeedsPassword = false; };
|
||||
security.hideProcessInformation = true;
|
||||
users.users.alice = { isNormalUser = true; extraGroups = [ "proc" ]; };
|
||||
};
|
||||
|
||||
testScript =
|
||||
|
@ -119,12 +117,5 @@ import ./make-test.nix ({ pkgs, ...} : {
|
|||
subtest "sudo", sub {
|
||||
$machine->succeed("su - sybil -c 'sudo true'");
|
||||
};
|
||||
|
||||
# Test hidepid
|
||||
subtest "hidepid", sub {
|
||||
$machine->succeed("grep -Fq hidepid=2 /proc/mounts");
|
||||
$machine->succeed("[ `su - sybil -c 'pgrep -c -u root'` = 0 ]");
|
||||
$machine->succeed("[ `su - alice -c 'pgrep -c -u root'` != 0 ]");
|
||||
};
|
||||
'';
|
||||
})
|
||||