nixos/profiles/security.nix

   1 { pkgs, lib, ... }:
   2 with lib;
   3 {
   4   boot.kernelPackages = mkDefault pkgs.linuxPackages;
   5   #boot.kernelPackages = pkgs.linuxPackages_latest;
   6   #boot.kernelPackages = pkgs.linuxPackages_hardened;
   7   #boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
   8   #environment.memoryAllocator.provider = "libc";
   9   nix.settings.allowed-users = [ "@users" ];
  10   networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";
  11   security.allowSimultaneousMultithreading = false;
  12   security.apparmor.enable = lib.mkDefault true;
  13   security.forcePageTableIsolation = true;
  14   security.lockKernelModules = lib.mkDefault true;
  15   security.protectKernelImage = true;
  16   security.virtualisation.flushL1DataCache = "always";
  17   boot.blacklistedKernelModules = [
  18     # Obscure network protocols
  19     "ax25"
  20     "netrom"
  21     "rose"
  22
  23     # Old or rare or insufficiently audited filesystems
  24     "adfs"
  25     "affs"
  26     "bfs"
  27     "befs"
  28     "cramfs"
  29     "efs"
  30     "erofs"
  31     "exofs"
  32     "freevxfs"
  33     "f2fs"
  34     "hfs"
  35     "hpfs"
  36     "jfs"
  37     "minix"
  38     "nilfs2"
  39     "ntfs"
  40     "omfs"
  41     "qnx4"
  42     "qnx6"
  43     "sysv"
  44     "ufs"
  45   ];
  46   boot.kernel.sysctl = {
  47     # Mitigate kernel pointer leaks
  48     "kernel.kptr_restrict" = 2;
  49     # Restricts the kernel log to the CAP_SYSLOG capability
  50     "kernel.dmesg_restrict" = 1;
  51     # Prevent information leaks
  52     #kernel.printk = "3 3 3 3";
  53     # Restrict eBPF to the CAP_BPF capability
  54     # and enable JIT hardening techniques
  55     # such as constant blinding.
  56     "kernel.unprivileged_bpf_disabled" = 1;
  57     "net.core.bpf_jit_harden" = 2;
  58     # Restricts loading TTY line disciplines
  59     # to the CAP_SYS_MODULE capability to prevent
  60     # unprivileged attackers from loading vulnerable
  61     # line disciplines with the TIOCSETD ioctl
  62     "dev.tty.ldisc_autoload" = 0;
  63     # The userfaultfd() syscall is often abused to exploit
  64     # use-after-free flaws.
  65     # Due to this, this sysctl is used to restrict
  66     # this syscall to the CAP_SYS_PTRACE capability.
  67     "vm.unprivileged_userfaultfd" = 0;
  68     # kexec is a system call that is used
  69     # to boot another kernel during runtime.
  70     "kernel.kexec_load_disabled" = 1;
  71     # User namespaces are a feature in the kernel which aim to
  72     # improve sandboxing and make it easily accessible for
  73     # unprivileged users however, this feature exposes
  74     # significant kernel attack surface for privilege
  75     # escalation so this sysctl restricts the usage of user
  76     # namespaces to the CAP_SYS_ADMIN capability.
  77     "kernel.unprivileged_userns_clone" = 0;
  78     # Restricts all usage of performance events to the
  79     # CAP_PERFMON capability
  80     "kernel.perf_event_paranoid" = 3;
  81     # Helps protect against SYN flood attacks
  82     "net.ipv4.tcp_syncookies" = 1;
  83     # Protects against time-wait assassination
  84     # by dropping RST packets for sockets
  85     # in the time-wait state.
  86     "net.ipv4.tcp_rfc1337" = 1;
  87     # Disable ICMP redirect acceptance and sending to prevent
  88     # man-in-the-middle attacks and minimize information disclosure.
  89     "net.ipv4.conf.all.accept_redirects" = 0;
  90     "net.ipv4.conf.default.accept_redirects" = 0;
  91     "net.ipv4.conf.all.secure_redirects" = 0;
  92     "net.ipv4.conf.default.secure_redirects" = 0;
  93     "net.ipv6.conf.all.accept_redirects" = 0;
  94     "net.ipv6.conf.default.accept_redirects" = 0;
  95     "net.ipv4.conf.all.send_redirects" = 0;
  96     "net.ipv4.conf.default.send_redirects" = 0;
  97     # Disable source routing, a mechanism
  98     # that allows users to redirect network traffic.
  99     "net.ipv4.conf.all.accept_source_route" = 0;
 100     "net.ipv4.conf.default.accept_source_route" = 0;
 101     "net.ipv6.conf.all.accept_source_route" = 0;
 102     "net.ipv6.conf.default.accept_source_route" = 0;
 103     /*
 104       # Disable TCP SACK, which is commonly exploited
 105       # and unnecessary for many circumstances.
 106       # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
 107       "net.ipv4.tcp_sack" = 0;
 108       "net.ipv4.tcp_dsack" = 0;
 109       "net.ipv4.tcp_fack" = 0;
 110     */
 111     # Generate a random IPv6 address
 112     "net.ipv6.conf.all.use_tempaddr" = lib.mkForce 2;
 113     "net.ipv6.conf.default.use_tempaddr" = lib.mkForce 2;
 114     # Restricts usage of ptrace to only processes
 115     # with the CAP_SYS_PTRACE capability
 116     "kernel.yama.ptrace_scope" = 2;
 117     # Do source validation by confirming reverse path
 118     "net.ipv4.conf.all.rp_filter" = 1;
 119     "net.ipv4.conf.default.rp_filter" = 1;
 120   };
 121   boot.kernelParams = [
 122     "slab_nomerge"
 123     "slub_debug=FZ"
 124     #"init_on_alloc=1"
 125     #"init_on_free=1"
 126     "page_alloc.shuffle=1"
 127     "pti=on"
 128     "vsyscall=none"
 129     "debugfs=off"
 130     "oops=panic"
 131     # Disabled because zfs and wireguard modules are not signed
 132     "module.sig_enforce=0"
 133     "lockdown=confidentiality"
 134     "mce=0"
 135     #"quiet"
 136     #"loglevel=0"
 137   ];
 138   services.journald.extraConfig = ''
 139     Compress=true
 140     MaxRetentionSec=1month
 141     Storage=persistent
 142     SystemMaxUse=100M
 143   '';
 144   systemd.coredump = {
 145     enable = lib.mkDefault false;
 146     extraConfig = ''
 147       Compress=true
 148       MaxUse=1024M
 149       Storage=external
 150     '';
 151   };
 152   services.openssh = {
 153     openFirewall = lib.mkDefault false;
 154     settings = {
 155       PasswordAuthentication = false;
 156     };
 157   };
 158 }