]> Git — Sourcephile - julm/julm-nix.git/blob - nixos/profiles/security.nix
bash: add ffmpeg-{opus,audio}
[julm/julm-nix.git] / nixos / profiles / security.nix
1 { pkgs, lib, ... }:
2 with lib;
3 {
4 boot.kernelPackages = mkDefault pkgs.linuxPackages;
5 #boot.kernelPackages = pkgs.linuxPackages_latest;
6 #boot.kernelPackages = pkgs.linuxPackages_hardened;
7 #boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
8 #environment.memoryAllocator.provider = "libc";
9 nix.settings.allowed-users = [ "@users" ];
10 networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";
11 security.allowSimultaneousMultithreading = false;
12 security.apparmor.enable = lib.mkDefault true;
13 security.forcePageTableIsolation = true;
14 security.lockKernelModules = lib.mkDefault true;
15 security.protectKernelImage = true;
16 security.virtualisation.flushL1DataCache = "always";
17 boot.blacklistedKernelModules = [
18 # Obscure network protocols
19 "ax25"
20 "netrom"
21 "rose"
22
23 # Old or rare or insufficiently audited filesystems
24 "adfs"
25 "affs"
26 "bfs"
27 "befs"
28 "cramfs"
29 "efs"
30 "erofs"
31 "exofs"
32 "freevxfs"
33 "f2fs"
34 "hfs"
35 "hpfs"
36 "jfs"
37 "minix"
38 "nilfs2"
39 "ntfs"
40 "omfs"
41 "qnx4"
42 "qnx6"
43 "sysv"
44 "ufs"
45 ];
46 boot.kernel.sysctl = {
47 # Mitigate kernel pointer leaks
48 "kernel.kptr_restrict" = 2;
49 # Restricts the kernel log to the CAP_SYSLOG capability
50 "kernel.dmesg_restrict" = 1;
51 # Prevent information leaks
52 #kernel.printk = "3 3 3 3";
53 # Restrict eBPF to the CAP_BPF capability
54 # and enable JIT hardening techniques
55 # such as constant blinding.
56 "kernel.unprivileged_bpf_disabled" = 1;
57 "net.core.bpf_jit_harden" = 2;
58 # Restricts loading TTY line disciplines
59 # to the CAP_SYS_MODULE capability to prevent
60 # unprivileged attackers from loading vulnerable
61 # line disciplines with the TIOCSETD ioctl
62 "dev.tty.ldisc_autoload" = 0;
63 # The userfaultfd() syscall is often abused to exploit
64 # use-after-free flaws.
65 # Due to this, this sysctl is used to restrict
66 # this syscall to the CAP_SYS_PTRACE capability.
67 "vm.unprivileged_userfaultfd" = 0;
68 # kexec is a system call that is used
69 # to boot another kernel during runtime.
70 "kernel.kexec_load_disabled" = 1;
71 # User namespaces are a feature in the kernel which aim to
72 # improve sandboxing and make it easily accessible for
73 # unprivileged users however, this feature exposes
74 # significant kernel attack surface for privilege
75 # escalation so this sysctl restricts the usage of user
76 # namespaces to the CAP_SYS_ADMIN capability.
77 "kernel.unprivileged_userns_clone" = 0;
78 # Restricts all usage of performance events to the
79 # CAP_PERFMON capability
80 "kernel.perf_event_paranoid" = 3;
81 # Helps protect against SYN flood attacks
82 "net.ipv4.tcp_syncookies" = 1;
83 # Protects against time-wait assassination
84 # by dropping RST packets for sockets
85 # in the time-wait state.
86 "net.ipv4.tcp_rfc1337" = 1;
87 # Disable ICMP redirect acceptance and sending to prevent
88 # man-in-the-middle attacks and minimize information disclosure.
89 "net.ipv4.conf.all.accept_redirects" = 0;
90 "net.ipv4.conf.default.accept_redirects" = 0;
91 "net.ipv4.conf.all.secure_redirects" = 0;
92 "net.ipv4.conf.default.secure_redirects" = 0;
93 "net.ipv6.conf.all.accept_redirects" = 0;
94 "net.ipv6.conf.default.accept_redirects" = 0;
95 "net.ipv4.conf.all.send_redirects" = 0;
96 "net.ipv4.conf.default.send_redirects" = 0;
97 # Disable source routing, a mechanism
98 # that allows users to redirect network traffic.
99 "net.ipv4.conf.all.accept_source_route" = 0;
100 "net.ipv4.conf.default.accept_source_route" = 0;
101 "net.ipv6.conf.all.accept_source_route" = 0;
102 "net.ipv6.conf.default.accept_source_route" = 0;
103 /*
104 # Disable TCP SACK, which is commonly exploited
105 # and unnecessary for many circumstances.
106 # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
107 "net.ipv4.tcp_sack" = 0;
108 "net.ipv4.tcp_dsack" = 0;
109 "net.ipv4.tcp_fack" = 0;
110 */
111 # Generate a random IPv6 address
112 "net.ipv6.conf.all.use_tempaddr" = lib.mkForce 2;
113 "net.ipv6.conf.default.use_tempaddr" = lib.mkForce 2;
114 # Restricts usage of ptrace to only processes
115 # with the CAP_SYS_PTRACE capability
116 "kernel.yama.ptrace_scope" = 2;
117 # Do source validation by confirming reverse path
118 "net.ipv4.conf.all.rp_filter" = 1;
119 "net.ipv4.conf.default.rp_filter" = 1;
120 };
121 boot.kernelParams = [
122 "slab_nomerge"
123 "slub_debug=FZ"
124 #"init_on_alloc=1"
125 #"init_on_free=1"
126 "page_alloc.shuffle=1"
127 "pti=on"
128 "vsyscall=none"
129 "debugfs=off"
130 "oops=panic"
131 # Disabled because zfs and wireguard modules are not signed
132 "module.sig_enforce=0"
133 "lockdown=confidentiality"
134 "mce=0"
135 #"quiet"
136 #"loglevel=0"
137 ];
138 services.journald.extraConfig = ''
139 Compress=true
140 MaxRetentionSec=1month
141 Storage=persistent
142 SystemMaxUse=100M
143 '';
144 systemd.coredump = {
145 enable = lib.mkDefault false;
146 extraConfig = ''
147 Compress=true
148 MaxUse=1024M
149 Storage=external
150 '';
151 };
152 services.openssh = {
153 openFirewall = lib.mkDefault false;
154 settings = {
155 PasswordAuthentication = false;
156 };
157 };
158 }