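{ pkgs, lib, config, ... }:
# Host-hardening profile: kernel selection, LSM/sysctl settings, kernel
# command line, journald retention and the sshd authentication policy.
# Most settings are stricter than the NixOS defaults and carry a
# compatibility or performance cost; those costs are noted inline.
{
  boot.kernelPackages = pkgs.linuxPackages_latest;
  # The hardened variants carry extra patches; a few sysctls below (e.g.
  # kernel.unprivileged_userns_clone) only exist with those patches and are
  # best-effort on the vanilla kernel selected above.
  #boot.kernelPackages = pkgs.linuxPackages_hardened;
  #boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
  #environment.memoryAllocator.provider = "libc";

  # Only root and members of the "users" group may talk to the Nix daemon.
  # (Newer releases also accept this as nix.settings.allowed-users.)
  nix.allowedUsers = [ "@users" ];

  # Rate-limit ICMP echo requests; only effective while the NixOS firewall
  # is enabled.
  networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";

  # nosmt: closes SMT-based side channels (MDS, L1TF) at the price of half
  # of the logical CPUs.
  security.allowSimultaneousMultithreading = false;
  security.apparmor.enable = lib.mkDefault true;
  security.forcePageTableIsolation = true;
  # Module loading is turned off once boot completes; anything needed at
  # runtime (hot-plugged hardware, VPN modules, ...) must be loaded before.
  security.lockKernelModules = lib.mkDefault true;
  # Prevents replacing the running kernel (NixOS implements this with the
  # kernel.kexec_load_disabled sysctl and disabled hibernation).
  security.protectKernelImage = true;
  # Flush L1D on every VM entry (L1TF mitigation); expensive for VM-heavy hosts.
  security.virtualisation.flushL1DataCache = "always";

  # NOTE: "blacklist" only stops alias-based autoloading (on mount, device
  # probe, ...); an explicit modprobe still succeeds until lockKernelModules
  # takes effect at the end of boot.
  boot.blacklistedKernelModules = [
    # Obscure network protocols
    "ax25"
    "netrom"
    "rose"

    # Old or rare or insufficiently audited filesystems
    "adfs"
    "affs"
    "bfs"
    "befs"
    "cramfs"
    "efs"
    "erofs"
    "exofs"
    "freevxfs"
    "f2fs"
    "hfs"
    "hfsplus"
    "hpfs"
    "jfs"
    "minix"
    "nilfs2"
    "ntfs"
    # Recent kernels (as selected by linuxPackages_latest) ship the newer
    # in-kernel NTFS driver under its own module name; blacklisting "ntfs"
    # alone leaves it loadable.
    "ntfs3"
    "omfs"
    "qnx4"
    "qnx6"
    "sysv"
    "ufs"
  ];

  boot.kernel.sysctl = {
    # Hide kernel pointers from everyone, root included (/proc/kallsyms etc.)
    "kernel.kptr_restrict" = 2;
    # Restricts the kernel log to the CAP_SYSLOG capability
    "kernel.dmesg_restrict" = 1;
    # Prevent information leaks
    #kernel.printk = "3 3 3 3";
    # Restrict eBPF to the CAP_BPF capability
    # and enable JIT hardening techniques
    # such as constant blinding.
    "kernel.unprivileged_bpf_disabled" = 1;
    "net.core.bpf_jit_harden" = 2;
    # Restricts loading TTY line disciplines
    # to the CAP_SYS_MODULE capability to prevent
    # unprivileged attackers from loading vulnerable
    # line disciplines with the TIOCSETD ioctl
    "dev.tty.ldisc_autoload" = 0;
    # The userfaultfd() syscall is often abused to exploit
    # use-after-free flaws.
    # Due to this, this sysctl is used to restrict
    # this syscall to the CAP_SYS_PTRACE capability.
    "vm.unprivileged_userfaultfd" = 0;
    # kexec is a system call that is used
    # to boot another kernel during runtime.
    # (Also set by security.protectKernelImage above; kept explicit.)
    "kernel.kexec_load_disabled" = 1;
    # User namespaces are a feature in the kernel which aim to
    # improve sandboxing and make it easily accessible for
    # unprivileged users however, this feature exposes
    # significant kernel attack surface for privilege
    # escalation so this sysctl restricts the usage of user
    # namespaces to the CAP_SYS_ADMIN capability.
    # NOTE(review): this sysctl is part of the hardened/Debian patch set and
    # is absent from the vanilla kernel chosen above, so systemd-sysctl will
    # report a failure for it.  The mainline alternative is
    # user.max_user_namespaces = 0 (NixOS: security.allowUserNamespaces =
    # false), but that also blocks root and hence the Nix build sandbox.
    # Either setting breaks unprivileged sandboxes (browsers, bubblewrap, ...).
    "kernel.unprivileged_userns_clone" = 0;
    # Restricts all usage of performance events to the
    # CAP_PERFMON capability.  3 is a hardened-patch value meaning "no
    # unprivileged perf at all"; vanilla kernels treat anything above 2
    # like 2.
    "kernel.perf_event_paranoid" = 3;
    # Helps protect against SYN flood attacks
    "net.ipv4.tcp_syncookies" = 1;
    # Protects against time-wait assassination
    # by dropping RST packets for sockets
    # in the time-wait state.
    "net.ipv4.tcp_rfc1337" = 1;
    # Disable ICMP redirect acceptance and sending to prevent
    # man-in-the-middle attacks and minimize information disclosure.
    "net.ipv4.conf.all.accept_redirects" = 0;
    "net.ipv4.conf.default.accept_redirects" = 0;
    "net.ipv4.conf.all.secure_redirects" = 0;
    "net.ipv4.conf.default.secure_redirects" = 0;
    "net.ipv6.conf.all.accept_redirects" = 0;
    "net.ipv6.conf.default.accept_redirects" = 0;
    "net.ipv4.conf.all.send_redirects" = 0;
    "net.ipv4.conf.default.send_redirects" = 0;
    # Disable source routing, a mechanism
    # that allows the sender to dictate the path of network traffic.
    "net.ipv4.conf.all.accept_source_route" = 0;
    "net.ipv4.conf.default.accept_source_route" = 0;
    "net.ipv6.conf.all.accept_source_route" = 0;
    "net.ipv6.conf.default.accept_source_route" = 0;
    /*
    # Disable TCP SACK, which is commonly exploited
    # and unnecessary for many circumstances.
    # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
    "net.ipv4.tcp_sack" = 0;
    "net.ipv4.tcp_dsack" = 0;
    "net.ipv4.tcp_fack" = 0;
    */
    # Use RFC 4941 temporary (privacy) IPv6 addresses and prefer them
    # for outgoing connections, so the MAC-derived address is not exposed.
    "net.ipv6.conf.all.use_tempaddr" = 2;
    "net.ipv6.conf.default.use_tempaddr" = 2;
    # Restricts usage of ptrace to only processes
    # with the CAP_SYS_PTRACE capability.  Note this also stops
    # unprivileged users from attaching gdb/strace to their own processes.
    "kernel.yama.ptrace_scope" = 2;
    # Do source validation by confirming reverse path.
    # 1 = strict mode; switch to 2 (loose) on multi-homed hosts with
    # asymmetric routes, otherwise legitimate replies are dropped.
    "net.ipv4.conf.all.rp_filter" = 1;
    "net.ipv4.conf.default.rp_filter" = 1;
  };

  boot.kernelParams = [
    # Keep slab caches separate so an overflow in one cannot reach
    # objects of another cache.
    "slab_nomerge"
    # F = sanity checks, Z = red zoning; catches slab misuse at a
    # noticeable allocator cost.
    "slub_debug=FZ"
    #"init_on_alloc=1"
    #"init_on_free=1"
    # Randomise the page allocator free lists.
    "page_alloc.shuffle=1"
    # Already implied by security.forcePageTableIsolation above.
    "pti=on"
    # Remove the legacy fixed-address vsyscall page (a classic ROP target).
    "vsyscall=none"
    "debugfs=off"
    # Turn every oops into a panic.  Without a kernel.panic=<seconds> sysctl
    # the machine then hangs instead of rebooting: fine for a workstation,
    # an outage for an unattended server.
    "oops=panic"
    # Disabled because zfs and wireguard modules are not signed.
    # NOTE(review): with lockdown active (below), a kernel built with
    # CONFIG_MODULE_SIG refuses unsigned modules regardless of this flag;
    # confirm these modules actually load on the selected kernel.
    "module.sig_enforce=0"
    # Strongest lockdown level: besides blocking writes to the running
    # kernel it also blocks reading kernel memory (/dev/mem, kcore, most
    # eBPF).  Silently ignored if the kernel lacks the lockdown LSM.
    "lockdown=confidentiality"
    # MCE tolerance level 0: panic on any uncorrected machine-check error
    # instead of trying to continue.
    "mce=0"
    #"quiet"
    #"loglevel=0"
  ];

  # Persist the journal across reboots (useful after an oops=panic) while
  # bounding its size and age.
  services.journald.extraConfig = ''
    Compress=true
    MaxRetentionSec=1month
    Storage=persistent
    SystemMaxUse=100M
  '';

  services.openssh = {
    # Do not open the SSH port automatically; hosts that expose sshd opt in.
    openFirewall = lib.mkDefault false;
    passwordAuthentication = false;
    # PasswordAuthentication=no alone is not sufficient: NixOS enables PAM
    # and keyboard-interactive by default, which still prompts for the
    # account password.  (On releases before 22.05 this option was named
    # challengeResponseAuthentication.)
    kbdInteractiveAuthentication = false;
  };
}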