nixos/profiles/security.nix

   1 { pkgs, lib, ... }:
   2 {
   3   boot.kernelPackages = pkgs.linuxPackages;
   4   #boot.kernelPackages = pkgs.linuxPackages_latest;
   5   #boot.kernelPackages = pkgs.linuxPackages_hardened;
   6   #boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
   7   #environment.memoryAllocator.provider = "libc";
   8   nix.settings.allowed-users = [ "@users" ];
   9   networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";
  10   security.allowSimultaneousMultithreading = false;
  11   security.apparmor.enable = lib.mkDefault true;
  12   security.forcePageTableIsolation = true;
  13   security.lockKernelModules = lib.mkDefault true;
  14   security.protectKernelImage = true;
  15   security.virtualisation.flushL1DataCache = "always";
  16   boot.blacklistedKernelModules = [
  17     # Obscure network protocols
  18     "ax25"
  19     "netrom"
  20     "rose"
  21
  22     # Old or rare or insufficiently audited filesystems
  23     "adfs"
  24     "affs"
  25     "bfs"
  26     "befs"
  27     "cramfs"
  28     "efs"
  29     "erofs"
  30     "exofs"
  31     "freevxfs"
  32     "f2fs"
  33     "hfs"
  34     "hpfs"
  35     "jfs"
  36     "minix"
  37     "nilfs2"
  38     "ntfs"
  39     "omfs"
  40     "qnx4"
  41     "qnx6"
  42     "sysv"
  43     "ufs"
  44   ];
  45   boot.kernel.sysctl = {
  46     # Mitigate kernel pointer leaks
  47     "kernel.kptr_restrict" = 2;
  48     # Restricts the kernel log to the CAP_SYSLOG capability
  49     "kernel.dmesg_restrict" = 1;
  50     # Prevent information leaks
  51     #kernel.printk = "3 3 3 3";
  52     # Restrict eBPF to the CAP_BPF capability
  53     # and enable JIT hardening techniques
  54     # such as constant blinding.
  55     "kernel.unprivileged_bpf_disabled" = 1;
  56     "net.core.bpf_jit_harden" = 2;
  57     # Restricts loading TTY line disciplines
  58     # to the CAP_SYS_MODULE capability to prevent
  59     # unprivileged attackers from loading vulnerable
  60     # line disciplines with the TIOCSETD ioctl
  61     "dev.tty.ldisc_autoload" = 0;
  62     # The userfaultfd() syscall is often abused to exploit
  63     # use-after-free flaws.
  64     # Due to this, this sysctl is used to restrict
  65     # this syscall to the CAP_SYS_PTRACE capability.
  66     "vm.unprivileged_userfaultfd" = 0;
  67     # kexec is a system call that is used
  68     # to boot another kernel during runtime.
  69     "kernel.kexec_load_disabled" = 1;
  70     # User namespaces are a feature in the kernel which aim to
  71     # improve sandboxing and make it easily accessible for
  72     # unprivileged users however, this feature exposes
  73     # significant kernel attack surface for privilege
  74     # escalation so this sysctl restricts the usage of user
  75     # namespaces to the CAP_SYS_ADMIN capability.
  76     "kernel.unprivileged_userns_clone" = 0;
  77     # Restricts all usage of performance events to the
  78     # CAP_PERFMON capability
  79     "kernel.perf_event_paranoid" = 3;
  80     # Helps protect against SYN flood attacks
  81     "net.ipv4.tcp_syncookies" = 1;
  82     # Protects against time-wait assassination
  83     # by dropping RST packets for sockets
  84     # in the time-wait state.
  85     "net.ipv4.tcp_rfc1337" = 1;
  86     # Disable ICMP redirect acceptance and sending to prevent
  87     # man-in-the-middle attacks and minimize information disclosure.
  88     "net.ipv4.conf.all.accept_redirects" = 0;
  89     "net.ipv4.conf.default.accept_redirects" = 0;
  90     "net.ipv4.conf.all.secure_redirects" = 0;
  91     "net.ipv4.conf.default.secure_redirects" = 0;
  92     "net.ipv6.conf.all.accept_redirects" = 0;
  93     "net.ipv6.conf.default.accept_redirects" = 0;
  94     "net.ipv4.conf.all.send_redirects" = 0;
  95     "net.ipv4.conf.default.send_redirects" = 0;
  96     # Disable source routing, a mechanism
  97     # that allows users to redirect network traffic.
  98     "net.ipv4.conf.all.accept_source_route" = 0;
  99     "net.ipv4.conf.default.accept_source_route" = 0;
 100     "net.ipv6.conf.all.accept_source_route" = 0;
 101     "net.ipv6.conf.default.accept_source_route" = 0;
 102     /*
 103       # Disable TCP SACK, which is commonly exploited
 104       # and unnecessary for many circumstances.
 105       # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
 106       "net.ipv4.tcp_sack" = 0;
 107       "net.ipv4.tcp_dsack" = 0;
 108       "net.ipv4.tcp_fack" = 0;
 109     */
 110     # Generate a random IPv6 address
 111     "net.ipv6.conf.all.use_tempaddr" = lib.mkForce 2;
 112     "net.ipv6.conf.default.use_tempaddr" = lib.mkForce 2;
 113     # Restricts usage of ptrace to only processes
 114     # with the CAP_SYS_PTRACE capability
 115     "kernel.yama.ptrace_scope" = 2;
 116     # Do source validation by confirming reverse path
 117     "net.ipv4.conf.all.rp_filter" = 1;
 118     "net.ipv4.conf.default.rp_filter" = 1;
 119   };
 120   boot.kernelParams = [
 121     "slab_nomerge"
 122     "slub_debug=FZ"
 123     #"init_on_alloc=1"
 124     #"init_on_free=1"
 125     "page_alloc.shuffle=1"
 126     "pti=on"
 127     "vsyscall=none"
 128     "debugfs=off"
 129     "oops=panic"
 130     # Disabled because zfs and wireguard modules are not signed
 131     "module.sig_enforce=0"
 132     "lockdown=confidentiality"
 133     "mce=0"
 134     #"quiet"
 135     #"loglevel=0"
 136   ];
 137   services.journald.extraConfig = ''
 138     Compress=true
 139     MaxRetentionSec=1month
 140     Storage=persistent
 141     SystemMaxUse=100M
 142   '';
 143   systemd.coredump = {
 144     enable = lib.mkDefault false;
 145     extraConfig = ''
 146       Compress=true
 147       MaxUse=1024M
 148       Storage=external
 149     '';
 150   };
 151   services.openssh = {
 152     openFirewall = lib.mkDefault false;
 153     settings = {
 154       PasswordAuthentication = false;
 155     };
 156   };
 157 }