nixos/profiles/security.nix

   1 { pkgs, lib, ... }:
   2 with lib;
   3 {
   4   boot.kernelPackages = mkDefault pkgs.linuxPackages;
   5   #boot.kernelPackages = pkgs.linuxPackages_latest;
   6   #boot.kernelPackages = pkgs.linuxPackages_hardened;
   7   #boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
   8   #environment.memoryAllocator.provider = "libc";
   9   nix.settings.allowed-users = [ "@users" ];
  10   /*
  11     nix.settings.substituters = [
  12     "https://nix-community.cachix.org"
  13     ];
  14     nix.settings.trusted-public-keys = [
  15     "nix-community.cachix.org:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
  16     ];
  17   */
  18   nix.settings.trusted-users = [
  19     "root"
  20     "@wheel"
  21   ];
  22   networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";
  23   security.allowSimultaneousMultithreading = false;
  24   security.apparmor.enable = mkDefault true;
  25   security.forcePageTableIsolation = true;
  26   security.lockKernelModules = mkDefault true;
  27   security.protectKernelImage = true;
  28   security.virtualisation.flushL1DataCache = "always";
  29   # Only allow members of the wheel group to execute sudo by setting
  30   # the executable’s permissions accordingly.
  31   # This prevents users that are not members of wheel
  32   # from exploiting vulnerabilities in sudo such as CVE-2021-3156.
  33   security.sudo.execWheelOnly = true;
  34   boot.blacklistedKernelModules = [
  35     # Obscure network protocols
  36     "ax25"
  37     "netrom"
  38     "rose"
  39
  40     # Old or rare or insufficiently audited filesystems
  41     "adfs"
  42     "affs"
  43     "bfs"
  44     "befs"
  45     "cramfs"
  46     "efs"
  47     "erofs"
  48     "exofs"
  49     "freevxfs"
  50     "f2fs"
  51     "hfs"
  52     "hpfs"
  53     "jfs"
  54     "minix"
  55     "nilfs2"
  56     "ntfs"
  57     "omfs"
  58     "qnx4"
  59     "qnx6"
  60     "sysv"
  61     "ufs"
  62   ];
  63   boot.kernel.sysctl = {
  64     # Mitigate kernel pointer leaks
  65     "kernel.kptr_restrict" = 2;
  66     # Restricts the kernel log to the CAP_SYSLOG capability
  67     "kernel.dmesg_restrict" = 1;
  68     # Prevent information leaks
  69     #kernel.printk = "3 3 3 3";
  70     # Restrict eBPF to the CAP_BPF capability
  71     # and enable JIT hardening techniques
  72     # such as constant blinding.
  73     "kernel.unprivileged_bpf_disabled" = 1;
  74     "net.core.bpf_jit_harden" = 2;
  75     # Restricts loading TTY line disciplines
  76     # to the CAP_SYS_MODULE capability to prevent
  77     # unprivileged attackers from loading vulnerable
  78     # line disciplines with the TIOCSETD ioctl
  79     "dev.tty.ldisc_autoload" = 0;
  80     # The userfaultfd() syscall is often abused to exploit
  81     # use-after-free flaws.
  82     # Due to this, this sysctl is used to restrict
  83     # this syscall to the CAP_SYS_PTRACE capability.
  84     "vm.unprivileged_userfaultfd" = 0;
  85     # kexec is a system call that is used
  86     # to boot another kernel during runtime.
  87     "kernel.kexec_load_disabled" = 1;
  88     # User namespaces are a feature in the kernel which aim to
  89     # improve sandboxing and make it easily accessible for
  90     # unprivileged users however, this feature exposes
  91     # significant kernel attack surface for privilege
  92     # escalation so this sysctl restricts the usage of user
  93     # namespaces to the CAP_SYS_ADMIN capability.
  94     "kernel.unprivileged_userns_clone" = 0;
  95     # Restricts all usage of performance events to the
  96     # CAP_PERFMON capability
  97     "kernel.perf_event_paranoid" = 3;
  98     # Helps protect against SYN flood attacks
  99     "net.ipv4.tcp_syncookies" = 1;
 100     # Protects against time-wait assassination
 101     # by dropping RST packets for sockets
 102     # in the time-wait state.
 103     "net.ipv4.tcp_rfc1337" = 1;
 104     # Disable ICMP redirect acceptance and sending to prevent
 105     # man-in-the-middle attacks and minimize information disclosure.
 106     "net.ipv4.conf.all.accept_redirects" = 0;
 107     "net.ipv4.conf.default.accept_redirects" = 0;
 108     "net.ipv4.conf.all.secure_redirects" = 0;
 109     "net.ipv4.conf.default.secure_redirects" = 0;
 110     "net.ipv6.conf.all.accept_redirects" = 0;
 111     "net.ipv6.conf.default.accept_redirects" = 0;
 112     "net.ipv4.conf.all.send_redirects" = 0;
 113     "net.ipv4.conf.default.send_redirects" = 0;
 114     # Disable source routing, a mechanism
 115     # that allows users to redirect network traffic.
 116     "net.ipv4.conf.all.accept_source_route" = 0;
 117     "net.ipv4.conf.default.accept_source_route" = 0;
 118     "net.ipv6.conf.all.accept_source_route" = 0;
 119     "net.ipv6.conf.default.accept_source_route" = 0;
 120     /*
 121       # Disable TCP SACK, which is commonly exploited
 122       # and unnecessary for many circumstances.
 123       # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
 124       "net.ipv4.tcp_sack" = 0;
 125       "net.ipv4.tcp_dsack" = 0;
 126       "net.ipv4.tcp_fack" = 0;
 127     */
 128     # Generate a random IPv6 address
 129     "net.ipv6.conf.all.use_tempaddr" = mkForce 2;
 130     "net.ipv6.conf.default.use_tempaddr" = mkForce 2;
 131     # Restricts usage of ptrace to only processes
 132     # with the CAP_SYS_PTRACE capability
 133     "kernel.yama.ptrace_scope" = 2;
 134     # Do source validation by confirming reverse path
 135     "net.ipv4.conf.all.rp_filter" = 1;
 136     "net.ipv4.conf.default.rp_filter" = 1;
 137   };
 138   boot.kernelParams = [
 139     "slab_nomerge"
 140     "slub_debug=FZ"
 141     #"init_on_alloc=1"
 142     #"init_on_free=1"
 143     "page_alloc.shuffle=1"
 144     "pti=on"
 145     "vsyscall=none"
 146     "debugfs=off"
 147     "oops=panic"
 148     # Disabled because zfs and wireguard modules are not signed
 149     "module.sig_enforce=0"
 150     "lockdown=confidentiality"
 151     "mce=0"
 152     #"quiet"
 153     #"loglevel=0"
 154   ];
 155   services.journald.extraConfig = ''
 156     Compress=true
 157     MaxRetentionSec=1month
 158     Storage=persistent
 159     SystemMaxUse=100M
 160   '';
 161   systemd.coredump = {
 162     enable = mkDefault false;
 163     extraConfig = ''
 164       Compress=true
 165       MaxUse=1024M
 166       Storage=external
 167     '';
 168   };
 169   services.openssh = {
 170     # Avoid TOFU MITM by providing well known public keys here.
 171     knownHosts = {
 172       "git.sr.ht".hostNames = [ "git.sr.ht" ];
 173       "git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
 174
 175       "github.com".hostNames = [ "github.com" ];
 176       "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
 177
 178       "gitlab.com".hostNames = [ "gitlab.com" ];
 179       "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
 180     };
 181     openFirewall = mkDefault false;
 182     settings = {
 183       Ciphers = [
 184         # Not hardware accelerated, but fast enough and somehow more secure
 185         # (packet sizes are encrypted and less vulnerable to timing attacks).
 186         "chacha20-poly1305@openssh.com"
 187         # A bit more throughput.
 188         "aes128-gcm@openssh.com"
 189         "aes256-gcm@openssh.com"
 190       ];
 191       KbdInteractiveAuthentication = mkDefault false;
 192       # Use key exchange algorithms recommended by `nixpkgs#ssh-audit`
 193       KexAlgorithms = [
 194         "curve25519-sha256"
 195         "curve25519-sha256@libssh.org"
 196         "diffie-hellman-group16-sha512"
 197         "diffie-hellman-group18-sha512"
 198         "sntrup761x25519-sha512@openssh.com"
 199       ];
 200       PasswordAuthentication = false;
 201       # Remove any remote gpg-agent's socket.
 202       StreamLocalBindUnlink = true;
 203       UseDns = mkDefault false;
 204       X11Forwarding = mkDefault false;
 205     };
 206   };
 207 }