profiles/security.nix

   1 { pkgs, lib, config, ... }:
   2 {
   3 boot.kernelPackages = pkgs.linuxPackages_latest;
   4 #boot.kernelPackages = pkgs.linuxPackages_hardened;
   5 #boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
   6 #environment.memoryAllocator.provider = "libc";
   7 nix.allowedUsers = [ "@users" ];
   8 networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";
   9 security.allowSimultaneousMultithreading = false;
  10 security.apparmor.enable = true;
  11 security.forcePageTableIsolation = true;
  12 security.lockKernelModules = lib.mkDefault true;
  13 security.protectKernelImage = true;
  14 security.virtualisation.flushL1DataCache = "always";
  15 boot.blacklistedKernelModules = [
  16   # Obscure network protocols
  17   "ax25"
  18   "netrom"
  19   "rose"
  20
  21   # Old or rare or insufficiently audited filesystems
  22   "adfs"
  23   "affs"
  24   "bfs"
  25   "befs"
  26   "cramfs"
  27   "efs"
  28   "erofs"
  29   "exofs"
  30   "freevxfs"
  31   "f2fs"
  32   "hfs"
  33   "hpfs"
  34   "jfs"
  35   "minix"
  36   "nilfs2"
  37   "ntfs"
  38   "omfs"
  39   "qnx4"
  40   "qnx6"
  41   "sysv"
  42   "ufs"
  43 ];
  44 boot.kernel.sysctl = {
  45   # Mitigate kernel pointer leaks
  46   "kernel.kptr_restrict" = 2;
  47   # Restricts the kernel log to the CAP_SYSLOG capability
  48   "kernel.dmesg_restrict" = 1;
  49   # Prevent information leaks
  50   #kernel.printk = "3 3 3 3";
  51   # Restrict eBPF to the CAP_BPF capability
  52   # and enable JIT hardening techniques
  53   # such as constant blinding.
  54   "kernel.unprivileged_bpf_disabled" = 1;
  55   "net.core.bpf_jit_harden" = 2;
  56   # Restricts loading TTY line disciplines
  57   # to the CAP_SYS_MODULE capability to prevent
  58   # unprivileged attackers from loading vulnerable
  59   # line disciplines with the TIOCSETD ioctl
  60   "dev.tty.ldisc_autoload" = 0;
  61   # The userfaultfd() syscall is often abused to exploit
  62   # use-after-free flaws.
  63   # Due to this, this sysctl is used to restrict
  64   # this syscall to the CAP_SYS_PTRACE capability.
  65   "vm.unprivileged_userfaultfd" = 0;
  66   # kexec is a system call that is used
  67   # to boot another kernel during runtime.
  68   "kernel.kexec_load_disabled" = 1;
  69   # User namespaces are a feature in the kernel which aim to
  70   # improve sandboxing and make it easily accessible for
  71   # unprivileged users however, this feature exposes
  72   # significant kernel attack surface for privilege
  73   # escalation so this sysctl restricts the usage of user
  74   # namespaces to the CAP_SYS_ADMIN capability.
  75   "kernel.unprivileged_userns_clone" = 0;
  76   # Restricts all usage of performance events to the
  77   # CAP_PERFMON capability
  78   "kernel.perf_event_paranoid" = 3;
  79   # Helps protect against SYN flood attacks
  80   "net.ipv4.tcp_syncookies" = 1;
  81   # Protects against time-wait assassination
  82   # by dropping RST packets for sockets
  83   # in the time-wait state.
  84   "net.ipv4.tcp_rfc1337" = 1;
  85   # Disable ICMP redirect acceptance and sending to prevent
  86   # man-in-the-middle attacks and minimize information disclosure.
  87   "net.ipv4.conf.all.accept_redirects" = 0;
  88   "net.ipv4.conf.default.accept_redirects" = 0;
  89   "net.ipv4.conf.all.secure_redirects" = 0;
  90   "net.ipv4.conf.default.secure_redirects" = 0;
  91   "net.ipv6.conf.all.accept_redirects" = 0;
  92   "net.ipv6.conf.default.accept_redirects" = 0;
  93   "net.ipv4.conf.all.send_redirects" = 0;
  94   "net.ipv4.conf.default.send_redirects" = 0;
  95   # Disable source routing, a mechanism
  96   # that allows users to redirect network traffic.
  97   "net.ipv4.conf.all.accept_source_route" = 0;
  98   "net.ipv4.conf.default.accept_source_route" = 0;
  99   "net.ipv6.conf.all.accept_source_route" = 0;
 100   "net.ipv6.conf.default.accept_source_route" = 0;
 101   /*
 102   # Disable TCP SACK, which is commonly exploited
 103   # and unnecessary for many circumstances.
 104   # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
 105   "net.ipv4.tcp_sack" = 0;
 106   "net.ipv4.tcp_dsack" = 0;
 107   "net.ipv4.tcp_fack" = 0;
 108   */
 109   # Generate a random IPv6 address
 110   "net.ipv6.conf.all.use_tempaddr" = 2;
 111   "net.ipv6.conf.default.use_tempaddr" = 2;
 112   # Restricts usage of ptrace to only processes
 113   # with the CAP_SYS_PTRACE capability
 114   "kernel.yama.ptrace_scope" = 2;
 115   # Do source validation by confirming reverse path
 116   "net.ipv4.conf.all.rp_filter" = 1;
 117   "net.ipv4.conf.default.rp_filter" = 1;
 118 };
 119 boot.kernelParams = [
 120   "slab_nomerge"
 121   "slub_debug=FZ"
 122   #"init_on_alloc=1"
 123   #"init_on_free=1"
 124   "page_alloc.shuffle=1"
 125   "pti=on"
 126   "vsyscall=none"
 127   "debugfs=off"
 128   "oops=panic"
 129   # Disabled because zfs and wireguard modules are not signed
 130   "module.sig_enforce=0"
 131   "lockdown=confidentiality"
 132   "mce=0"
 133   #"quiet"
 134   #"loglevel=0"
 135 ];
 136 }