1 {
2 pkgs,
3 lib,
4 config,
5 ...
6 }:
7 with lib;
8 {
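options = {
  coredumps = {
    # Profile-level switch for capturing core dumps.  Every coredump-related
    # definition in `config` should key off this option (for example
    # `systemd.coredump.enable = mkDefault config.coredumps.enable`); a
    # definition that only looks at `systemd.coredump.enable` ignores it.
    enable = mkEnableOption "capturing core dumps";
    limit = mkOption {
      type = types.ints.positive;
      # 1 GiB expressed in 512-byte blocks, the unit `ulimit -c` uses in
      # POSIX mode.  Consumers that take other units must convert:
      # pam_limits' `core` item is in KiB, systemd's `MaxUse=`,
      # `ProcessSizeMax=` and `DefaultLimitCORE=` are in bytes.
      default = 1073741824 / 512; # 1G worth of 512-byte abstract disk blocks
      description = "Maximum size of a core dump, in 512-byte blocks (as for `ulimit -c`); only meaningful when core dumps are enabled.";
    };
  };
  # Spliced verbatim into the `mitigations=` kernel parameter below.
  # `auto,nosmt` lets the kernel pick per-CPU mitigations and turns SMT off
  # where a mitigation needs it; `security.allowSimultaneousMultithreading = false`
  # in this profile already passes `nosmt` unconditionally.
  security.kernel.mitigations = mkOption {
    type = types.str;
    default = "auto,nosmt";
    example = "off";
    description = ''
      Control optional mitigations for CPU vulnerabilities. This is a set of
      curated, arch-independent options, each of which is an aggregation of
      existing arch-specific options.
    '';
  };
};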
29 config = lib.mkMerge [
30 {
# Plain upstream kernel; the hardened variants are kept as the alternatives
# this profile was tuned against.  Several kernel parameters and sysctls
# below only take effect on kernels built with the matching CONFIG_ options
# (see the kernel-hardening-checker output at the end of this file).
boot.kernelPackages = mkDefault pkgs.linuxPackages;
#boot.kernelPackages = pkgs.linuxPackages_latest;
#boot.kernelPackages = pkgs.linuxPackages_hardened;
#boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
#environment.memoryAllocator.provider = "libc";
# Only members of `users` (plus trusted users, who are always allowed)
# may connect to the Nix daemon at all.
nix.settings.allowed-users = [ "@users" ];
/*
nix.settings.substituters = [
"https://nix-community.cachix.org"
];
nix.settings.trusted-public-keys = [
"nix-community.cachix.org:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
*/
# Trusted users may pass arbitrary substituters, trusted public keys and
# sandbox settings to the daemon, which makes them effectively
# root-equivalent: keep `wheel` membership as tight as sudo access.
nix.settings.trusted-users = [
  "root"
  "@wheel"
];
# Rate-limit ICMP echo requests so the host is neither a cheap reflector
# nor burns CPU on ping floods.
networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";
# Adds `nosmt` to the kernel command line (the `mitigations=auto,nosmt`
# parameter below asks for the same where a mitigation needs it).
security.allowSimultaneousMultithreading = false;
security.apparmor.enable = mkDefault true;
# Adds `pti=on`.  Do not also pass a different `pti=` value through
# `boot.kernelParams`: both reach the command line and the kernel's
# parsing order, not this file, decides which one applies.
security.forcePageTableIsolation = true;
# Sets kernel.modules_disabled=1 once boot has finished, so every module
# the machine needs must already be loaded by then; hot-plugging hardware
# that needs a new module fails until reboot.
security.lockKernelModules = mkDefault true;
# Forbids replacing the running kernel image (kexec, hibernation); NixOS
# implements this with the kernel.kexec_load_disabled sysctl, which the
# sysctl block below also sets explicitly.
security.protectKernelImage = true;
# Flush L1D on every VM entry; only matters when this host runs KVM guests
# on Intel CPUs, and costs VM-exit latency there.
security.virtualisation.flushL1DataCache = "always";
# Only allow members of the wheel group to execute sudo by setting
# the executable’s permissions accordingly.
# This prevents users that are not members of wheel
# from exploiting vulnerabilities in sudo such as CVE-2021-3156.
security.sudo.execWheelOnly = true;
# `blacklist` entries only stop modprobe from auto-loading a module through
# an alias (e.g. when a filesystem is mounted or a device appears); an
# explicit `modprobe <name>` by root still works until
# `security.lockKernelModules` disables loading after boot.  Modules built
# into the kernel image cannot be blacklisted at all.
boot.blacklistedKernelModules = [
  # Obscure network protocols
  "ax25"
  "netrom"
  "rose"

  # Old or rare or insufficiently audited filesystems.
  # Note: the in-kernel NTFS driver added in Linux 5.15 is the separate
  # "ntfs3" module, which the "ntfs" entry below does not cover.
  "adfs"
  "affs"
  "bfs"
  "befs"
  "cramfs"
  "efs"
  "erofs"
  "exofs"
  "freevxfs"
  "f2fs"
  "hfs"
  "hpfs"
  "jfs"
  "minix"
  "nilfs2"
  "ntfs"
  "omfs"
  "qnx4"
  "qnx6"
  "sysv"
  "ufs"
];
# kernel-hardening-checker -c /proc/config.gz -l /proc/cmdline -s <(sudo sysctl -a) -m show_fail
# Runtime hardening knobs.  A key the running kernel does not expose is
# logged by systemd-sysctl at boot and otherwise skipped, and several keys
# below come from the linux-hardened / Debian patch sets rather than
# mainline, so check `sysctl -a` after changing `boot.kernelPackages`.
boot.kernel.sysctl = {
  # Mitigate kernel pointer leaks
  "kernel.kptr_restrict" = 2;
  # Restricts the kernel log to the CAP_SYSLOG capability
  "kernel.dmesg_restrict" = 1;
  # Prevent information leaks
  #kernel.printk = "3 3 3 3";
  # Restrict eBPF to the CAP_BPF capability
  # and enable JIT hardening techniques
  # such as constant blinding.
  # (Value 1 cannot be reverted without a reboot; 2 would be re-enableable.)
  "kernel.unprivileged_bpf_disabled" = 1;
  "net.core.bpf_jit_harden" = 2;
  # Restricts loading TTY line disciplines
  # to the CAP_SYS_MODULE capability to prevent
  # unprivileged attackers from loading vulnerable
  # line disciplines with the TIOCSETD ioctl
  "dev.tty.ldisc_autoload" = 0;
  # The userfaultfd() syscall is often abused to exploit
  # use-after-free flaws.
  # Due to this, this sysctl is used to restrict
  # this syscall to the CAP_SYS_PTRACE capability.
  "vm.unprivileged_userfaultfd" = 0;
  # kexec is a system call that is used
  # to boot another kernel during runtime.
  # Once set to 1 this cannot be cleared until reboot;
  # `security.protectKernelImage` above sets it as well.
  "kernel.kexec_load_disabled" = 1;
  # User namespaces are a feature in the kernel which aim to
  # improve sandboxing and make it easily accessible for
  # unprivileged users however, this feature exposes
  # significant kernel attack surface for privilege
  # escalation so this sysctl restricts the usage of user
  # namespaces to the CAP_SYS_ADMIN capability.
  # NOTE(review): this sysctl is an out-of-tree addition (linux-hardened,
  # Debian); on the upstream `pkgs.linuxPackages` selected above it does
  # not exist and this line has no effect.  The mainline equivalent is
  # `user.max_user_namespaces = 0` (commented out at the end of this block
  # because it breaks container runtimes, Flatpak and browser sandboxes).
  # Verify with `sysctl kernel.unprivileged_userns_clone`.
  "kernel.unprivileged_userns_clone" = 0;
  # Restricts all usage of performance events to the
  # CAP_PERFMON capability.
  # Mainline only distinguishes values up to 2 (anything higher behaves
  # like 2); 3 has its extra meaning only on Debian/linux-hardened kernels.
  "kernel.perf_event_paranoid" = 3;
  # Helps protect against SYN flood attacks
  "net.ipv4.tcp_syncookies" = 1;
  # Protects against time-wait assassination
  # by dropping RST packets for sockets
  # in the time-wait state.
  "net.ipv4.tcp_rfc1337" = 1;
  # Disable ICMP redirect acceptance and sending to prevent
  # man-in-the-middle attacks and minimize information disclosure.
  "net.ipv4.conf.all.accept_redirects" = 0;
  "net.ipv4.conf.default.accept_redirects" = 0;
  "net.ipv4.conf.all.secure_redirects" = 0;
  "net.ipv4.conf.default.secure_redirects" = 0;
  "net.ipv6.conf.all.accept_redirects" = 0;
  "net.ipv6.conf.default.accept_redirects" = 0;
  "net.ipv4.conf.all.send_redirects" = 0;
  "net.ipv4.conf.default.send_redirects" = 0;
  # Disable source routing, a mechanism
  # that allows users to redirect network traffic.
  "net.ipv4.conf.all.accept_source_route" = 0;
  "net.ipv4.conf.default.accept_source_route" = 0;
  "net.ipv6.conf.all.accept_source_route" = 0;
  "net.ipv6.conf.default.accept_source_route" = 0;
  /*
  # Disable TCP SACK, which is commonly exploited
  # and unnecessary for many circumstances.
  # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
  "net.ipv4.tcp_sack" = 0;
  "net.ipv4.tcp_dsack" = 0;
  "net.ipv4.tcp_fack" = 0;
  */
  # Generate a random IPv6 address
  # (privacy extensions, prefer the temporary address; mkForce overrides
  # the value NixOS derives from `networking.tempAddresses`).
  "net.ipv6.conf.all.use_tempaddr" = mkForce 2;
  "net.ipv6.conf.default.use_tempaddr" = mkForce 2;
  # Restricts usage of ptrace to only processes
  # with the CAP_SYS_PTRACE capability.
  # At scope 2 unprivileged users cannot ptrace at all: `gdb ./prog` and
  # `strace cmd` fail too, not only attaching to a running pid.
  "kernel.yama.ptrace_scope" = 2;
  # Do source validation by confirming reverse path
  # (1 = strict: a packet whose source would not be routed back out the
  # same interface is dropped; use 2 on hosts with asymmetric routing or
  # policy-routed VPNs).
  "net.ipv4.conf.all.rp_filter" = 1;
  "net.ipv4.conf.default.rp_filter" = 1;
  # Any process which has changed privilege levels or is execute only will not be dumped.
  "fs.suid_dumpable" = 0;
  # Refuse O_CREAT opens of FIFOs / regular files that already exist in
  # world- or group-writable sticky directories and are owned by someone
  # else (classic /tmp squatting).
  "fs.protected_fifos" = 2;
  "fs.protected_regular" = 2;
  # TIOCSTI is a dangerous legacy operation that can be disabled on most systems.
  # (The sysctl exists on Linux 6.2+ kernels built with CONFIG_LEGACY_TIOCSTI.)
  "dev.tty.legacy_tiocsti" = 0;
  # User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable.
  #"user.max_user_namespaces" = mkDefault 0;
};
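# DOC: https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
# Kernel command line hardening.  A parameter is only honoured when the
# kernel was built with the matching CONFIG_ option; the
# kernel-hardening-checker output recorded at the end of this file reports
# several of them missing (SECURITY_LOCKDOWN_LSM, KFENCE,
# SHUFFLE_PAGE_ALLOCATOR, MODULE_SIG) for the kernel it was run against,
# so re-run the checker after changing `boot.kernelPackages`.
boot.kernelParams = [
  # Every oops becomes a panic: the kernel never keeps running in a state
  # an attacker may have corrupted, at the cost of availability.  Pair
  # with a `kernel.panic` reboot timeout on unattended machines.
  "oops=panic"
  #"quiet"
  #"loglevel=0"
  # Disable merging of slabs with similar size. May be necessary if there is
  # some reason to distinguish allocs to different slabs, especially in
  # hardened environments where the risk of heap overflows and layout control
  # by attackers can usually be frustrated by disabling merging. This will
  # reduce most of the exposure of a heap attack to a single cache (risks via
  # metadata attacks are mostly unchanged). Debug options disable merging on
  # their own.
  "slab_nomerge"
  # See slub_debug
  # https://gitlab.tails.boum.org/tails/tails/-/issues/19613#note_215741
  # F = sanity checks, Z = red zoning around objects; both add allocator
  # overhead but catch many heap overflows at the moment they happen.
  "slub_debug=FZ"
  # Control whether the page allocator should randomize its free lists.
  # Needs CONFIG_SHUFFLE_PAGE_ALLOCATOR (reported "is not set" below).
  "page_alloc.shuffle=1"
  # Page-table isolation: `security.forcePageTableIsolation = true` above
  # already passes `pti=on`, so no `pti=` value is given here.  The
  # `pti=auto` that used to sit here contradicted it, and which of two
  # `pti=` values the kernel applies depends on their position on the
  # command line, which module merge order does not guarantee.
  # Controls the behavior of vsyscalls
  # (i.e. calls to fixed addresses of 0xffffffffff600x00 from legacy code).
  # Most statically-linked binaries and older versions of glibc use these calls.
  # With none, vsyscalls don't work at all.
  # This makes them quite hard to use for exploits but might break your system.
  "vsyscall=none"
  # Filesystem is not registered and clients get a -EPERM as result
  # when trying to register files or directories within debugfs.
  "debugfs=off"
  # Module signature enforcement, historically disabled because the
  # wireguard module was not signed (wireguard has been in-tree since
  # Linux 5.6).  Without CONFIG_MODULE_SIG (reported "is not set" below)
  # this parameter is a no-op; with it, 0 is already the default unless
  # MODULE_SIG_FORCE is built in, in which case it cannot be lowered.
  # Either way an active lockdown still refuses unsigned modules.
  "module.sig_enforce=0"
  # Disable kernel features that allow userland to modify the running kernel
  # or to extract confidential information from the kernel.
  # Only effective with CONFIG_SECURITY_LOCKDOWN_LSM, which the checker
  # table below reports as not set: verify with
  # `cat /sys/kernel/security/lockdown` after boot.
  "lockdown=confidentiality"
  # https://www.kernel.org/doc/Documentation/x86/x86_64/boot-options.rst
  # Log machine-check events left over from before the last reset.
  "mce=bootlog"
  # Curated cross-arch mitigation switch; the per-vulnerability knobs
  # below are what `mitigations=` aggregates and are kept for reference.
  "mitigations=${config.security.kernel.mitigations}" # kspp | self_protection
  #"spectre_v2=on" # defconfig | self_protection
  #"spectre_v2_user=on" # defconfig | self_protection
  #"spec_store_bypass_disable=on" # defconfig | self_protection
  #"l1tf=on" # defconfig | self_protection
  #"mds=on" # defconfig | self_protection
  #"tsx_async_abort=on" # defconfig | self_protection
  #"srbds=on" # defconfig | self_protection
  #"mmio_stale_data=on" # defconfig | self_protection
  #"retbleed=on" # defconfig | self_protection
  #"spec_rstack_overflow=on" # defconfig | self_protection
  # Disable AVX to mitigate systems without microcode mitigation. No effect if the microcode mitigation is present. Known to cause crashes in userspace with buggy AVX enumeration.
  #"gather_data_sampling=force" # defconfig | self_protection
  # https://www.phoronix.com/news/randomize_kstack_offset-perf
  # Per-syscall random kernel stack offset (needs CONFIG_RANDOMIZE_KSTACK_OFFSET).
  "randomize_kstack_offset=1" # kspp | self_protection
  # See https://unix.stackexchange.com/questions/592538/what-are-the-implication-of-using-iommu-force-in-the-boot-kernel-options
  # Use the IOMMU even where the kernel would consider it unnecessary, so
  # device DMA (PCIe, Thunderbolt) is always bounded.  Test on each
  # hardware model: platforms with a broken IOMMU may fail to boot.
  "iommu=force" # clipos | self_protection
  # DMA unmap operations invalidate IOMMU hardware TLBs synchronously.
  "iommu.strict=1" # kspp | self_protection
  # Sampling heap-error detector; needs CONFIG_KFENCE (reported "is not set" below).
  "kfence.sample_interval=100" # a13xp0p0v | self_protection
  "kfence.deferrable=1"

  # Unconditionally disables IA32 emulation
  # CompatibilityNode: steam-run-free needs it,
  # see https://github.com/NixOS/nixpkgs/pull/442783
  #"ia32_emulation=0" # a13xp0p0v |cut_attack_surface

  # A bit too much
  # https://patchwork.kernel.org/project/linux-security-module/patch/20190626121943.131390-2-glider@google.com/#22731857
  #"init_on_alloc=1" # kspp | self_protection
  #"init_on_free=1" # kspp | self_protection
];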
# Firejail is a setuid-root sandboxing helper: it adds local attack
# surface for every user who can execute it and has had local privilege
# escalation bugs of its own, so keep it current and prefer declaring
# `programs.firejail.wrappedBinaries` over ad-hoc `firejail` invocations.
programs.firejail = {
  enable = true;
};
# Keep logs on disk for incident reconstruction: persistent journal, one
# month of retention, capped at 100M.  On a busy host the size cap, not
# the retention, is what evicts old entries, so size it for the window
# you want to be able to investigate.
services.journald.extraConfig = ''
  Compress=true
  MaxRetentionSec=1month
  Storage=persistent
  SystemMaxUse=100M
'';
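# Core dump capture through systemd-coredump.  `config.coredumps.limit` is
# in 512-byte blocks (see the option declaration); every systemd size
# below is in bytes, hence the `* 512`.
systemd.coredump = {
  # Follow the profile's own `coredumps.enable` switch (default off)
  # instead of a bare `false`, so enabling it actually does something.
  enable = mkDefault config.coredumps.enable;
  # Written to the [Coredump] section of coredump.conf, which only knows
  # the keys from coredump.conf(5).  `DefaultLimitCORE` is a [Manager] key
  # of system.conf and is set separately below; inside this file systemd
  # rejects it as an unknown key.
  # ProcessSizeMax: largest dump that will be processed at all;
  # ExternalSizeMax: largest single dump kept on disk;
  # MaxUse: total disk budget for stored dumps.
  extraConfig = ''
    Compress=true
    ProcessSizeMax=${toString (config.coredumps.limit * 512)}
    ExternalSizeMax=${toString (config.coredumps.limit * 512)}
    MaxUse=${toString (config.coredumps.limit * 512)}
    Storage=external
  '';
};
# Soft and hard RLIMIT_CORE inherited by every service, in bytes.
# mkDefault so that the "core dumps disabled" branch of this module, which
# sets it to 0:0 at normal priority, wins when systemd.coredump.enable is
# false.
systemd.settings.Manager.DefaultLimitCORE = mkDefault "${toString (config.coredumps.limit * 512)}:${toString (config.coredumps.limit * 512)}";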
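# Per-login RLIMIT_CORE for interactive sessions.  pam_limits takes the
# `core` item in KiB while `config.coredumps.limit` is in 512-byte
# blocks, so convert rather than passing the raw number (which allowed
# dumps twice the intended size).  Guarded on systemd.coredump.enable so
# it does not coexist with the "0" entry the disabled branch of this
# module adds for the same domain/item: with two `*`/core lines in
# limits.conf, which one applies depends on their order in the file.
security.pam.loginLimits = mkIf config.systemd.coredump.enable [
  {
    domain = "*";
    item = "core";
    type = "-";
    value = toString ((config.coredumps.limit * 512) / 1024);
  }
];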
# Hardened sshd: key-only authentication (password and keyboard-interactive
# both off) and cipher/KEX lists restricted to AEAD ciphers and modern
# (EC)DH / post-quantum-hybrid exchanges.
services.openssh = {
  # Avoid TOFU MITM by providing well known public keys here.
  # These are the providers' published ed25519 host keys.  A pin fails
  # hard rather than prompting once a provider rotates its key, so on a
  # sudden host-key mismatch re-check them against the providers'
  # documentation before assuming an attack.
  knownHosts = {
    "git.sr.ht".hostNames = [ "git.sr.ht" ];
    "git.sr.ht".publicKey =
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";

    "github.com".hostNames = [ "github.com" ];
    "github.com".publicKey =
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";

    "gitlab.com".hostNames = [ "gitlab.com" ];
    "gitlab.com".publicKey =
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
  };
  # Opens port 22 on every interface by default; hosts using this profile
  # that must not be reachable over SSH have to override it.
  openFirewall = mkDefault true;
  settings = {
    # AEAD ciphers only, so a separate `MACs` restriction is unnecessary.
    Ciphers = [
      # Not hardware accelerated, but fast enough, and unlike AES-GCM it
      # also encrypts the packet length field.  Note that CVE-2023-48795
      # (Terrapin) targets this cipher in particular; OpenSSH 9.6+
      # mitigates it with strict KEX, which only helps when both peers
      # support it.
      "chacha20-poly1305@openssh.com"
      # A bit more throughput.
      "aes128-gcm@openssh.com"
      "aes256-gcm@openssh.com"
    ];
    # Together with PasswordAuthentication=false below, no PAM password
    # prompt is ever offered over the network.
    KbdInteractiveAuthentication = mkDefault false;
    # Use key exchange algorithms recommended by `nixpkgs#ssh-audit`.
    # sntrup761x25519 is the post-quantum hybrid; the group16/group18
    # entries are CPU-heavy fallbacks for clients without curve25519.
    KexAlgorithms = [
      "curve25519-sha256"
      "curve25519-sha256@libssh.org"
      "diffie-hellman-group16-sha512"
      "diffie-hellman-group18-sha512"
      "sntrup761x25519-sha512@openssh.com"
    ];
    PasswordAuthentication = false;
    # Remove any remote gpg-agent's socket: a stale Unix socket file left
    # by a previous session is unlinked before a forwarded socket is bound
    # to the same path, so RemoteForward of gpg-agent survives reconnects.
    StreamLocalBindUnlink = true;
    # No reverse DNS on connect: faster logins, no DNS dependency, and
    # `from=` patterns in authorized_keys must then use addresses, not names.
    UseDns = mkDefault false;
    X11Forwarding = mkDefault false;
  };
};
310 }
# Belt and braces when core dumps are off: zero the service-wide and the
# per-login RLIMIT_CORE, and point the kernel's core_pattern at a path
# that cannot be written, so even a process that raises its own soft
# limit produces nothing.
(mkIf (!config.systemd.coredump.enable) {
  systemd.settings.Manager = {
    DefaultLimitCORE = "0:0";
  };
  security.pam.loginLimits = [
    {
      domain = "*";
      item = "core";
      type = "-";
      value = "0";
    }
  ];
  # Explanation: to prevent the kernel from ever generating core dumps,
  # make it try to write to a nonexistent directory.
  # It doesn't work to specify /dev/null;
  # that will cause the kernel to *replace* /dev/null with the
  # core dump if a process running as root dumps core.
  # This relies on /nonexistent never being created on the host.
  boot.kernel.sysctl."kernel.core_pattern" = "/nonexistent/core";
})
330 ];
331 /*
332 TODO: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
333 =========================================================================================================================
334 option_name | type |desired_val | decision | reason | check_result
335 =========================================================================================================================
336 CONFIG_WERROR |kconfig| y |defconfig | self_protection | FAIL: "is not set"
337 CONFIG_X86_KERNEL_IBT |kconfig| y |defconfig | self_protection | FAIL: "is not set"
338 CONFIG_BUG_ON_DATA_CORRUPTION |kconfig| y | kspp | self_protection | FAIL: "is not set"
339 CONFIG_SHUFFLE_PAGE_ALLOCATOR |kconfig| y | kspp | self_protection | FAIL: "is not set"
340 CONFIG_DEBUG_VIRTUAL |kconfig| y | kspp | self_protection | FAIL: "is not set"
341 CONFIG_DEBUG_SG |kconfig| y | kspp | self_protection | FAIL: "is not set"
342 CONFIG_INIT_ON_ALLOC_DEFAULT_ON |kconfig| y | kspp | self_protection | FAIL: "is not set"
343 CONFIG_STATIC_USERMODEHELPER |kconfig| y | kspp | self_protection | FAIL: "is not set"
344 CONFIG_SECURITY_LOCKDOWN_LSM |kconfig| y | kspp | self_protection | FAIL: "is not set"
345 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY |kconfig| y | kspp | self_protection | FAIL: is not found
346 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY|kconfig| y | kspp | self_protection | FAIL: is not found
347 CONFIG_DEBUG_CREDENTIALS |kconfig| y | kspp | self_protection | FAIL: "is not set"
348 CONFIG_DEBUG_NOTIFIERS |kconfig| y | kspp | self_protection | FAIL: "is not set"
349 CONFIG_KFENCE |kconfig| y | kspp | self_protection | FAIL: "is not set"
350 CONFIG_KFENCE_SAMPLE_INTERVAL |kconfig| is not off |a13xp0p0v | self_protection | FAIL: CONFIG_KFENCE is not "y"
351 CONFIG_RANDSTRUCT_FULL |kconfig| y | kspp | self_protection | FAIL: "is not set"
352 CONFIG_RANDSTRUCT_PERFORMANCE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_RANDSTRUCT_FULL is not "y"
353 CONFIG_GCC_PLUGIN_LATENT_ENTROPY |kconfig| y | kspp | self_protection | FAIL: "is not set"
354 CONFIG_MODULE_SIG |kconfig| y | kspp | self_protection | FAIL: "is not set"
355 CONFIG_MODULE_SIG_ALL |kconfig| y | kspp | self_protection | FAIL: is not found
356 CONFIG_MODULE_SIG_SHA512 |kconfig| y | kspp | self_protection | FAIL: is not found
357 CONFIG_MODULE_SIG_FORCE |kconfig| y | kspp | self_protection | FAIL: is not found
358 CONFIG_INIT_ON_FREE_DEFAULT_ON |kconfig| y | kspp | self_protection | FAIL: "is not set"
359 CONFIG_EFI_DISABLE_PCI_DMA |kconfig| y | kspp | self_protection | FAIL: "is not set"
360 CONFIG_RESET_ATTACK_MITIGATION |kconfig| y | kspp | self_protection | FAIL: "is not set"
361 CONFIG_UBSAN_BOUNDS |kconfig| y | kspp | self_protection | FAIL: is not found
362 CONFIG_UBSAN_LOCAL_BOUNDS |kconfig| y | kspp | self_protection | FAIL: is not found
363 CONFIG_UBSAN_TRAP |kconfig| y | kspp | self_protection | FAIL: CONFIG_UBSAN_BOUNDS is not "y"
364 CONFIG_UBSAN_SANITIZE_ALL |kconfig| y | kspp | self_protection | FAIL: CONFIG_UBSAN_BOUNDS is not "y"
365 CONFIG_GCC_PLUGIN_STACKLEAK |kconfig| y | kspp | self_protection | FAIL: "is not set"
366 CONFIG_STACKLEAK_METRICS |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is not "y"
367 CONFIG_STACKLEAK_RUNTIME_DISABLE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is not "y"
368 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT |kconfig| y | kspp | self_protection | FAIL: "is not set"
369 CONFIG_CFI_CLANG |kconfig| y | kspp | self_protection | FAIL: CONFIG_CC_IS_CLANG is not "y"
370 CONFIG_CFI_PERMISSIVE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_CC_IS_CLANG is not "y"
371 CONFIG_DEFAULT_MMAP_MIN_ADDR |kconfig| 65536 | kspp | self_protection | FAIL: "4096"
372 CONFIG_IOMMU_DEFAULT_DMA_STRICT |kconfig| y | kspp | self_protection | FAIL: "is not set"
373 CONFIG_INTEL_IOMMU_DEFAULT_ON |kconfig| y | kspp | self_protection | FAIL: "is not set"
374 CONFIG_SLS |kconfig| y | kspp | self_protection | FAIL: "is not set"
375 CONFIG_INTEL_IOMMU_SVM |kconfig| y | kspp | self_protection | FAIL: "is not set"
376 CONFIG_AMD_IOMMU_V2 |kconfig| y | kspp | self_protection | FAIL: "m"
377 CONFIG_SLAB_MERGE_DEFAULT |kconfig| is not set | clipos | self_protection | FAIL: "y"
378 CONFIG_LIST_HARDENED |kconfig| y |a13xp0p0v | self_protection | FAIL: is not found
379 CONFIG_RANDOM_KMALLOC_CACHES |kconfig| y |a13xp0p0v | self_protection | FAIL: is not found
380 CONFIG_SECURITY_SELINUX_DISABLE |kconfig| is not set | kspp | security_policy | FAIL: "y"
381 CONFIG_SECURITY_SELINUX_BOOTPARAM |kconfig| is not set | kspp | security_policy | FAIL: "y"
382 CONFIG_SECURITY_SELINUX_DEVELOP |kconfig| is not set | kspp | security_policy | FAIL: "y"
383 CONFIG_SECURITY_WRITABLE_HOOKS |kconfig| is not set | kspp | security_policy | FAIL: "y"
384 CONFIG_SECURITY_DMESG_RESTRICT |kconfig| y | kspp |cut_attack_surface| FAIL: "is not set"
385 CONFIG_ACPI_CUSTOM_METHOD |kconfig| is not set | kspp |cut_attack_surface| FAIL: "m"
386 CONFIG_BINFMT_MISC |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
387 CONFIG_INET_DIAG |kconfig| is not set | kspp |cut_attack_surface| FAIL: "m"
388 CONFIG_KEXEC |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
389 CONFIG_PROC_KCORE |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
390 CONFIG_HIBERNATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
391 CONFIG_COMPAT |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
392 CONFIG_IA32_EMULATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
393 CONFIG_MODIFY_LDT_SYSCALL |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
394 CONFIG_X86_MSR |kconfig| is not set | kspp |cut_attack_surface| FAIL: "m"
395 CONFIG_MODULES |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
396 CONFIG_DEVMEM |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
397 CONFIG_LDISC_AUTOLOAD |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
398 CONFIG_X86_VSYSCALL_EMULATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
399 CONFIG_KPROBE_EVENTS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
400 CONFIG_UPROBE_EVENTS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
401 CONFIG_GENERIC_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
402 CONFIG_FUNCTION_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
403 CONFIG_STACK_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
404 CONFIG_BLK_DEV_IO_TRACE |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
405 CONFIG_PROC_PAGE_MONITOR |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
406 CONFIG_CHECKPOINT_RESTORE |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
407 CONFIG_USERFAULTFD |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
408 CONFIG_DEVPORT |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
409 CONFIG_DEBUG_FS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
410 CONFIG_PUNIT_ATOM_DEBUG |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
411 CONFIG_ACPI_CONFIGFS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
412 CONFIG_MTD_SLRAM |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
413 CONFIG_MTD_PHRAM |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
414 CONFIG_IO_URING |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
415 CONFIG_KCMP |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
416 CONFIG_RSEQ |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
417 CONFIG_PROVIDE_OHCI1394_DMA_INIT |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
418 CONFIG_SUNRPC_DEBUG |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
419 CONFIG_FB |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
420 CONFIG_VT |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
421 CONFIG_BLK_DEV_FD |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "m"
422 CONFIG_STAGING |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
423 CONFIG_KSM |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
424 CONFIG_KALLSYMS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
425 CONFIG_MAGIC_SYSRQ |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
426 CONFIG_KEXEC_FILE |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
427 CONFIG_USER_NS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
428 CONFIG_X86_CPUID |kconfig| is not set | clipos |cut_attack_surface| FAIL: "m"
429 CONFIG_X86_IOPL_IOPERM |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
430 CONFIG_ACPI_TABLE_UPGRADE |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
431 CONFIG_EFI_CUSTOM_SSDT_OVERLAYS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
432 CONFIG_AIO |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
433 CONFIG_KPROBES |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"
434 CONFIG_BPF_SYSCALL |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"
435 CONFIG_IP_DCCP |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "m"
436 CONFIG_IP_SCTP |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "m"
437 CONFIG_FTRACE |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "y"
438 CONFIG_INPUT_EVBUG |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "m"
439 CONFIG_XFS_SUPPORT_V4 |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "y"
440 CONFIG_TRIM_UNUSED_KSYMS |kconfig| y |a13xp0p0v |cut_attack_surface| FAIL: "is not set"
441 CONFIG_COREDUMP |kconfig| is not set | clipos | harden_userspace | FAIL: "y"
442 CONFIG_ARCH_MMAP_RND_BITS |kconfig| 32 |a13xp0p0v | harden_userspace | FAIL: "28"
443 CONFIG_X86_USER_SHADOW_STACK |kconfig| y |a13xp0p0v | harden_userspace | FAIL: is not found
444 */
445 }