sudo: restrict to wheel group

[julm/julm-nix.git] / nixos / profiles / security.nix

{ pkgs, lib, ... }:
with lib;
{
  boot.kernelPackages = mkDefault pkgs.linuxPackages;
  #boot.kernelPackages = pkgs.linuxPackages_latest;
  #boot.kernelPackages = pkgs.linuxPackages_hardened;
  #boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
  #environment.memoryAllocator.provider = "libc";
  nix.settings.allowed-users = [ "@users" ];
  networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";
  security.allowSimultaneousMultithreading = false;
  security.apparmor.enable = lib.mkDefault true;
  security.forcePageTableIsolation = true;
  security.lockKernelModules = lib.mkDefault true;
  security.protectKernelImage = true;
  security.virtualisation.flushL1DataCache = "always";
  # Only allow members of the wheel group to execute sudo by setting
  # the executable’s permissions accordingly.
  # This prevents users that are not members of wheel
  # from exploiting vulnerabilities in sudo such as CVE-2021-3156.
  security.sudo.execWheelOnly = true;
  boot.blacklistedKernelModules = [
    # Obscure network protocols
    "ax25"
    "netrom"
    "rose"

    # Old or rare or insufficiently audited filesystems
    "adfs"
    "affs"
    "bfs"
    "befs"
    "cramfs"
    "efs"
    "erofs"
    "exofs"
    "freevxfs"
    "f2fs"
    "hfs"
    "hpfs"
    "jfs"
    "minix"
    "nilfs2"
    "ntfs"
    "omfs"
    "qnx4"
    "qnx6"
    "sysv"
    "ufs"
  ];
  boot.kernel.sysctl = {
    # Mitigate kernel pointer leaks
    "kernel.kptr_restrict" = 2;
    # Restricts the kernel log to the CAP_SYSLOG capability
    "kernel.dmesg_restrict" = 1;
    # Prevent information leaks
    #kernel.printk = "3 3 3 3";
    # Restrict eBPF to the CAP_BPF capability
    # and enable JIT hardening techniques
    # such as constant blinding.
    "kernel.unprivileged_bpf_disabled" = 1;
    "net.core.bpf_jit_harden" = 2;
    # Restricts loading TTY line disciplines
    # to the CAP_SYS_MODULE capability to prevent
    # unprivileged attackers from loading vulnerable
    # line disciplines with the TIOCSETD ioctl
    "dev.tty.ldisc_autoload" = 0;
    # The userfaultfd() syscall is often abused to exploit
    # use-after-free flaws.
    # Due to this, this sysctl is used to restrict
    # this syscall to the CAP_SYS_PTRACE capability.
    "vm.unprivileged_userfaultfd" = 0;
    # kexec is a system call that is used
    # to boot another kernel during runtime.
    "kernel.kexec_load_disabled" = 1;
    # User namespaces are a feature in the kernel which aim to
    # improve sandboxing and make it easily accessible for
    # unprivileged users however, this feature exposes
    # significant kernel attack surface for privilege
    # escalation so this sysctl restricts the usage of user
    # namespaces to the CAP_SYS_ADMIN capability.
    "kernel.unprivileged_userns_clone" = 0;
    # Restricts all usage of performance events to the
    # CAP_PERFMON capability
    "kernel.perf_event_paranoid" = 3;
    # Helps protect against SYN flood attacks
    "net.ipv4.tcp_syncookies" = 1;
    # Protects against time-wait assassination
    # by dropping RST packets for sockets
    # in the time-wait state.
    "net.ipv4.tcp_rfc1337" = 1;
    # Disable ICMP redirect acceptance and sending to prevent
    # man-in-the-middle attacks and minimize information disclosure.
    "net.ipv4.conf.all.accept_redirects" = 0;
    "net.ipv4.conf.default.accept_redirects" = 0;
    "net.ipv4.conf.all.secure_redirects" = 0;
    "net.ipv4.conf.default.secure_redirects" = 0;
    "net.ipv6.conf.all.accept_redirects" = 0;
    "net.ipv6.conf.default.accept_redirects" = 0;
    "net.ipv4.conf.all.send_redirects" = 0;
    "net.ipv4.conf.default.send_redirects" = 0;
    # Disable source routing, a mechanism
    # that allows users to redirect network traffic.
    "net.ipv4.conf.all.accept_source_route" = 0;
    "net.ipv4.conf.default.accept_source_route" = 0;
    "net.ipv6.conf.all.accept_source_route" = 0;
    "net.ipv6.conf.default.accept_source_route" = 0;
    /*
      # Disable TCP SACK, which is commonly exploited
      # and unnecessary for many circumstances.
      # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
      "net.ipv4.tcp_sack" = 0;
      "net.ipv4.tcp_dsack" = 0;
      "net.ipv4.tcp_fack" = 0;
    */
    # Generate a random IPv6 address
    "net.ipv6.conf.all.use_tempaddr" = lib.mkForce 2;
    "net.ipv6.conf.default.use_tempaddr" = lib.mkForce 2;
    # Restricts usage of ptrace to only processes
    # with the CAP_SYS_PTRACE capability
    "kernel.yama.ptrace_scope" = 2;
    # Do source validation by confirming reverse path
    "net.ipv4.conf.all.rp_filter" = 1;
    "net.ipv4.conf.default.rp_filter" = 1;
  };
  boot.kernelParams = [
    "slab_nomerge"
    "slub_debug=FZ"
    #"init_on_alloc=1"
    #"init_on_free=1"
    "page_alloc.shuffle=1"
    "pti=on"
    "vsyscall=none"
    "debugfs=off"
    "oops=panic"
    # Disabled because zfs and wireguard modules are not signed
    "module.sig_enforce=0"
    "lockdown=confidentiality"
    "mce=0"
    #"quiet"
    #"loglevel=0"
  ];
  services.journald.extraConfig = ''
    Compress=true
    MaxRetentionSec=1month
    Storage=persistent
    SystemMaxUse=100M
  '';
  systemd.coredump = {
    enable = lib.mkDefault false;
    extraConfig = ''
      Compress=true
      MaxUse=1024M
      Storage=external
    '';
  };
  services.openssh = {
    openFirewall = lib.mkDefault false;
    settings = {
      PasswordAuthentication = false;
    };
  };
}