mirror of https://github.com/PrivSec-dev/privsec.dev synced 2025-02-20 18:31:35 -05:00
Tommy 2023-06-25 08:56:36 -07:00 committed by GitHub
parent 71c2ab20f6
commit 9f9bd0c156
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 43 additions and 6 deletions


@ -386,6 +386,8 @@ If decide on using NTS with chronyd, consider using multiple, independent time p
GrapheneOS uses a [quite nice chrony configuration](https://github.com/GrapheneOS/infrastructure/blob/main/chrony.conf) for their infrastructure. I recommend that you replicate their `chrony.conf` on your system.
![Verifying NTS configuration](/images/nts.png)
### Pluggable Authentication Modules (PAM)
[PAM](https://wiki.archlinux.org/title/PAM)'s [settings can be hardened](https://madaidans-insecurities.github.io/guides/linux-hardening.html#pam) to improve authentication security (though keep in mind the bypassable nature of PAM as opposed to encryption).
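Review bot: the screenshot `![Verifying NTS configuration](/images/nts.png)` is dropped in after the chrony paragraph with no sentence saying which command produced it or what the reader should look for, so it carries no information for screen readers, text-mode browsers, or anyone reproducing the check. Name the command (the other file in this commit uses `sudo chronyc -N authdata`) and add one sentence describing what a successfully authenticated NTS source looks like in that output, so the image is an illustration rather than the only source of the verification step.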


@ -80,9 +80,18 @@ sudo apt install -y chrony
sudo systemctl enable --now chronyd
```
## Configuring chronyd
Enable automatic updates:
Next, configure `chronyd` to use NTS. On Fedora, the configuration file is `/etc/chrony.conf`. We will use [GrapheneOS's configuration](https://github.com/GrapheneOS/infrastructure/blob/main/chrony.conf) as a reference.
```bash
#This is an example for Fedora:
sudo dnf install dnf-automatic
sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf
sudo systemctl enable --now dnf-automatic.timer
```
## Configuring chrony
Next, configure `chrony` to use NTS. On Fedora, the configuration file is `/etc/chrony.conf`. We will use [GrapheneOS's configuration](https://github.com/GrapheneOS/infrastructure/blob/main/chrony.conf) as a reference.
Your configuration should look something like this:
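Review bot: the new "Enable automatic updates:" block is inserted between the chrony install commands and the renamed `## Configuring chrony` heading, so it lands under the previous installation section with no heading announcing it; give it its own `## Enable automatic updates` heading so the outline and the "Next, configure `chrony`" transition both make sense. The `sed` line also deserves a caveat: it only fires on an exact `apply_updates = no` match and appends `reboot = when-needed` on the following line, so on a file that already says `apply_updates = yes` or already sets `reboot` it silently changes nothing. Tell the reader to check `/etc/dnf/automatic.conf` after running it (the `\n` in the replacement is GNU sed behaviour, which is fine on Fedora but should not be presented as portable).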
@ -109,9 +118,9 @@ cmdport 0
allow 10.0.2.2/32
```
Explanations:
If you are confused about what this configuration is doing, here are some quick explanations:
We get our time from 4 different sources:
* We get our time from 4 different sources:
`
server time.cloudflare.com iburst nts
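Review bot: the four `server ... iburst nts` lines are wrapped between a lone backtick on its own line at the end of this hunk and its twin in the next one; a single backtick does not open a multi-line code span in Markdown, so these lines will render as broken inline text rather than a code block. Use the triple-backtick fence the rest of the page already uses, and since the introducing line is now a `*` bullet, indent the fence under the bullet or the block will end the list item.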
@ -120,11 +129,37 @@ server nts.netnod.se iburst nts
server ptbtime1.ptb.de iburst nts
`
Should there be a discrepancy, a time change will only happen if at least 2 sources agree on it:
* Should there be a discrepancy, a time change will only happen if at least 2 sources agree on it:
`minsources 2`
Finally, we add this line to the configuration file to allow macOS to get time from it:
* Finally, we add this line to the configuration file to allow macOS to get time from it:
`allow 10.0.2.2/32`.
Note that `10.0.2.2/32` is the default IP address of the macOS host from the virtual machine's perspective. If you changed the Host Address using the Advanced Settings in the virtual machine's network configuration, you need to adjust it accordingly here.
Once you are happy with the configuration, restart `chronyd`:
```bash
sudo systemctl restart chronyd
```
Verify that NTS is working:
```
sudo chronyc -N authdata
```
![Verifying NTS configuration](/images/nts.png)
## Open the firewall
We will need to open port 123/udp inside of the virtual machine to allow connections from the macOS host:
```bash
#This is an example for Fedora:
sudo firewall-cmd --permanent --add-service=ntp
sudo firewall-cmd --reload
```
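Review bot: the `sudo chronyc -N authdata` block is the only fence on the page without a language tag (the others use bash), and neither the sentence before it nor the screenshot after it says what a working result looks like; tag the fence and add one line on what to look for in the `authdata` output so the reader can verify NTS without the image. On the firewall step, `firewall-cmd --permanent --add-service=ntp` opens 123/udp to every source in the active zone, not only the macOS host; it is the chrony `allow 10.0.2.2/32` directive that actually limits who is served, so the sentence "to allow connections from the macOS host" overstates what the firewall rule does. Either say so, or use a firewalld rich rule scoped to the 10.0.2.2 source address so the firewall and the chrony `allow` line agree.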

BIN static/images/nts.png (new file, 296 KiB; binary file not shown)