1 { pkgs, lib, ... }:
2 with lib;
3 {
# Default kernel; a host may override it (mkDefault) with one of the
# alternatives kept below.  NOTE(review): a few sysctls in this file
# (kernel.unprivileged_userns_clone, kernel.perf_event_paranoid=3) only have
# their documented effect on the linux-hardened variants.
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages;
#boot.kernelPackages = pkgs.linuxPackages_latest;
#boot.kernelPackages = pkgs.linuxPackages_hardened;
#boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
#environment.memoryAllocator.provider = "libc";

nix.settings = {
  # Only members of the users group may talk to the Nix daemon at all.
  allowed-users = [ "@users" ];
  # Caches that non-trusted users may additionally request; paths fetched
  # from them must still carry a signature from trusted-public-keys.
  trusted-substituters = [
    "https://nix-community.cachix.org"
  ];
  # A key listed here is accepted for any store path copied into this
  # machine, not only for paths originating from its own cache, so every
  # entry extends the set of parties who can publish code this host runs.
  trusted-public-keys = [
    "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
  ];
  # trusted-users may override daemon settings per invocation (extra
  # substituters and public keys, sandbox options) and import unsigned
  # store paths, which the Nix manual describes as equivalent to root.
  # Granting it to @wheel therefore assumes wheel membership already means
  # root access, which matches security.sudo.execWheelOnly below.
  trusted-users = [
    "root"
    "@wheel"
  ];
};

# Rate limit for incoming ICMP echo requests.
# NOTE(review): this is iptables syntax; if a host enables
# networking.nftables the option expects nft syntax instead -- confirm
# against the firewall backend actually in use.
networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";

security = {
  # Boots with SMT disabled, closing cross-hyperthread side channels
  # (L1TF/MDS-class leaks between siblings) at a throughput cost.
  allowSimultaneousMultithreading = false;
  # AppArmor is only as useful as the profiles that get loaded; enabling
  # the LSM alone confines nothing.
  apparmor.enable = lib.mkDefault true;
  # Kernel page-table isolation even on CPUs the kernel deems unaffected.
  forcePageTableIsolation = true;
  # Turns off module loading (kernel.modules_disabled=1) once the system
  # is up, so anything not loaded at boot can never be loaded; modules
  # needed later must be in boot.kernelModules or the initrd.
  lockKernelModules = lib.mkDefault true;
  # Prevents replacing the running kernel image (hibernation and kexec).
  protectKernelImage = true;
  # Flush the L1 data cache on every VM entry (L1TF), unconditionally.
  virtualisation.flushL1DataCache = "always";
  # Only allow members of the wheel group to execute sudo by setting the
  # executable's permissions accordingly.  Users outside wheel cannot even
  # reach the binary, so they cannot exploit vulnerabilities in sudo such
  # as CVE-2021-3156.
  sudo.execWheelOnly = true;
};
# A modprobe blacklist only stops automatic loading through aliases (udev
# matches, mounting an image of one of these filesystems); an explicit
# `modprobe <name>` by root still works until security.lockKernelModules
# has disabled module loading after boot.
boot.blacklistedKernelModules =
  # Obscure network protocols
  [ "ax25" "netrom" "rose" ]
  # Old or rare or insufficiently audited filesystems.
  # NOTE(review): "ntfs" is the legacy driver; the newer "ntfs3" module is a
  # separate name and is not covered by this entry.
  ++ [
    "adfs"
    "affs"
    "bfs"
    "befs"
    "cramfs"
    "efs"
    "erofs"
    "exofs"
    "freevxfs"
    "f2fs"
    "hfs"
    "hpfs"
    "jfs"
    "minix"
    "nilfs2"
    "ntfs"
    "omfs"
    "qnx4"
    "qnx6"
    "sysv"
    "ufs"
  ];
boot.kernel.sysctl = {
  ## Kernel information hiding
  # %pK pointers are printed as zeros for everyone, CAP_SYSLOG included.
  "kernel.kptr_restrict" = 2;
  # Reading the kernel ring buffer requires CAP_SYSLOG.
  "kernel.dmesg_restrict" = 1;
  # Prevent information leaks
  #kernel.printk = "3 3 3 3";

  ## Kernel attack-surface reduction
  # 1 disables unprivileged bpf() for the rest of the uptime (2 would
  # allow re-enabling it); privileged use still needs CAP_BPF/CAP_SYS_ADMIN.
  "kernel.unprivileged_bpf_disabled" = 1;
  # Constant blinding and other JIT hardening, applied to all users.
  "net.core.bpf_jit_harden" = 2;
  # TIOCSETD no longer autoloads line-discipline modules; loading them
  # requires CAP_SYS_MODULE, so an unprivileged process cannot pull in a
  # vulnerable line discipline on demand.
  "dev.tty.ldisc_autoload" = 0;
  # userfaultfd() is a common primitive for winning kernel use-after-free
  # races; restrict it to CAP_SYS_PTRACE.
  "vm.unprivileged_userfaultfd" = 0;
  # kexec lets a new kernel be booted at runtime.  One-way switch: it cannot
  # be re-enabled without a reboot.  security.protectKernelImage already
  # sets this as a default; stating it here pins it.
  "kernel.kexec_load_disabled" = 1;
  # User namespaces expose a lot of kernel attack surface to unprivileged
  # users; this restricts their creation to CAP_SYS_ADMIN.
  # NOTE(review): the sysctl exists only in the linux-hardened (and
  # Debian/Ubuntu) kernels.  With the default pkgs.linuxPackages the key is
  # absent, systemd-sysctl reports a failure, and unprivileged user
  # namespaces remain enabled.  Mainline has no drop-in equivalent:
  # user.max_user_namespaces=0 would also block root, and with it the Nix
  # build sandbox.
  "kernel.unprivileged_userns_clone" = 0;
  # NOTE(review): level 3 ("no perf_event_open for unprivileged users at
  # all") is a linux-hardened addition; mainline treats anything >= 2 as
  # level 2, which still allows user-space-only profiling.
  "kernel.perf_event_paranoid" = 3;
  # Yama: only CAP_SYS_PTRACE may attach, via PTRACE_ATTACH or
  # PTRACE_TRACEME.  This also breaks unprivileged gdb/strace, including
  # tracing a user's own child processes.
  "kernel.yama.ptrace_scope" = 2;

  ## IPv4/IPv6 hardening
  # Helps protect against SYN flood attacks.
  "net.ipv4.tcp_syncookies" = 1;
  # Drop RST segments for sockets in TIME-WAIT (time-wait assassination,
  # RFC 1337).
  "net.ipv4.tcp_rfc1337" = 1;
  # Neither accept nor emit ICMP redirects: they let an on-link attacker
  # rewrite this host's routing table, and sending them leaks topology.
  "net.ipv4.conf.all.accept_redirects" = 0;
  "net.ipv4.conf.default.accept_redirects" = 0;
  "net.ipv4.conf.all.secure_redirects" = 0;
  "net.ipv4.conf.default.secure_redirects" = 0;
  "net.ipv6.conf.all.accept_redirects" = 0;
  "net.ipv6.conf.default.accept_redirects" = 0;
  "net.ipv4.conf.all.send_redirects" = 0;
  "net.ipv4.conf.default.send_redirects" = 0;
  # Ignore source-routed packets, which let the sender choose the path
  # traffic takes through this host.
  "net.ipv4.conf.all.accept_source_route" = 0;
  "net.ipv4.conf.default.accept_source_route" = 0;
  "net.ipv6.conf.all.accept_source_route" = 0;
  "net.ipv6.conf.default.accept_source_route" = 0;
  # Strict reverse-path filtering.  NOTE(review): strict mode (1) drops
  # legitimate traffic on asymmetrically routed or multi-homed hosts; loose
  # mode (2) is the usual fallback for such setups.
  "net.ipv4.conf.all.rp_filter" = 1;
  "net.ipv4.conf.default.rp_filter" = 1;
  /*
  # Disable TCP SACK, which is commonly exploited
  # and unnecessary for many circumstances.
  # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
  "net.ipv4.tcp_sack" = 0;
  "net.ipv4.tcp_dsack" = 0;
  "net.ipv4.tcp_fack" = 0;
  */
  # Prefer RFC 4941 temporary (randomised) IPv6 addresses for outgoing
  # connections.  mkForce wins over whatever other modules set for this key
  # (presumably networking.tempAddresses -- verify on conflict).
  "net.ipv6.conf.all.use_tempaddr" = lib.mkForce 2;
  "net.ipv6.conf.default.use_tempaddr" = lib.mkForce 2;
};
boot.kernelParams = [
  # Keep slab caches of equal size separate, so an overflow in one object
  # type cannot reach objects of another type sharing the cache.
  "slab_nomerge"
  # F = sanity checks, Z = red zoning: detects many heap corruptions (and,
  # with oops=panic, turns them into a panic) at a noticeable per-allocation
  # cost.
  "slub_debug=FZ"
  #"init_on_alloc=1"
  #"init_on_free=1"
  # Randomise the page allocator free lists.
  "page_alloc.shuffle=1"
  # Redundant with security.forcePageTableIsolation, which adds the same
  # parameter; harmless to state twice.
  "pti=on"
  # Remove the legacy fixed-address vsyscall page, a well-known source of
  # ROP gadgets; only very old static binaries need it.
  "vsyscall=none"
  "debugfs=off"
  # Any kernel oops reboots the machine instead of continuing with possibly
  # corrupted state; this denies an attacker retries after a failed exploit
  # at the price of turning every kernel bug into a denial of service.
  "oops=panic"
  # Disabled because zfs and wireguard modules are not signed
  "module.sig_enforce=0"
  # NOTE(review): on a kernel built with module signing (CONFIG_MODULE_SIG)
  # an active lockdown LSM in integrity or confidentiality mode rejects
  # unsigned modules regardless of module.sig_enforce, so the zfs and
  # wireguard modules mentioned above would not load; on a kernel where
  # lockdown is not active this parameter does nothing.  Check
  # /sys/kernel/security/lockdown on the running kernel and keep only the
  # combination that matches the intent.
  "lockdown=confidentiality"
  # Historically set the machine-check tolerance level to 0: panic on
  # uncorrected MCEs rather than continuing with possibly corrupted memory
  # (the tolerance level was removed from newer kernels -- confirm the
  # parameter is still honoured by the kernel in use).
  "mce=0"
  #"quiet"
  #"loglevel=0"
];
# Journal on disk, compressed, bounded to one month / 100 MiB.  Persistent
# storage is what makes post-incident forensics possible after a reboot;
# the size cap bounds how far back that evidence reaches.
services.journald.extraConfig = ''
  Compress=true
  MaxRetentionSec=1month
  Storage=persistent
  SystemMaxUse=100M
'';
# Core dumps are off by default (a host may opt in).  The settings below
# only take effect when enabled: dumps are written as files (external
# storage), compressed, and capped at 1 GiB.  Dumps of privileged or
# credential-holding processes can contain secrets, so enabling this is a
# confidentiality trade-off, not just a disk-space one.
systemd.coredump = {
  enable = lib.mkDefault false;
  extraConfig = ''
    Compress=true
    MaxUse=1024M
    Storage=external
  '';
};
services.openssh = {
  # Pinned host keys for the forges this machine talks to, so the first
  # connection is not trust-on-first-use and cannot be MITM'd.  Keep them in
  # sync with the fingerprints each provider publishes: a stale entry makes
  # ssh refuse the connection (fails closed) rather than prompt.
  knownHosts = {
    "git.sr.ht" = {
      hostNames = [ "git.sr.ht" ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
    };
    "github.com" = {
      hostNames = [ "github.com" ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
    };
    "gitlab.com" = {
      hostNames = [ "gitlab.com" ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
    };
  };
  # The SSH port stays closed in the firewall unless a host opts in.
  openFirewall = lib.mkDefault false;
  settings = {
    # Public-key authentication only.  PasswordAuthentication is set at
    # normal priority on purpose: a host that wants it back must mkForce
    # it, which is visible in review, rather than silently win a mkDefault.
    KbdInteractiveAuthentication = lib.mkDefault false;
    PasswordAuthentication = false;
    # Use key exchange algorithms recommended by `nixpkgs#ssh-audit`.
    # NOTE(review): ssh-audit also grades Ciphers, MACs and
    # HostKeyAlgorithms; those are left at the OpenSSH defaults here, as is
    # PermitRootLogin (NixOS default).
    KexAlgorithms = [
      "curve25519-sha256"
      "curve25519-sha256@libssh.org"
      "diffie-hellman-group16-sha512"
      "diffie-hellman-group18-sha512"
      "sntrup761x25519-sha512@openssh.com"
    ];
    # Let a newly forwarded Unix socket replace a stale one, e.g. a leftover
    # remote gpg-agent socket from a previous session.
    StreamLocalBindUnlink = true;
    # No reverse DNS lookups on connecting clients (slow, and spoofable).
    UseDns = lib.mkDefault false;
    X11Forwarding = lib.mkDefault false;
  };
};
197 }