nix: add nix-community.cachix.org substituter
# security.nix — system-wide hardening profile.
# Everything here is plain NixOS configuration; values wrapped in
# mkDefault can be overridden by a host, the others are fixed.
{ pkgs, lib, ... }:
with lib;
{
  ############################################################
  # Kernel selection, module policy, sysctls and boot params #
  ############################################################
  boot = {
    # Stock kernel by default; the commented variants are kept as
    # ready-to-swap alternatives.  Some sysctls further down
    # (kernel.unprivileged_userns_clone) only exist on the *_hardened
    # kernels, see the note there.
    kernelPackages = mkDefault pkgs.linuxPackages;
    #kernelPackages = pkgs.linuxPackages_latest;
    #kernelPackages = pkgs.linuxPackages_hardened;
    #kernelPackages = pkgs.linuxPackages_latest_hardened;

    # NixOS turns this list into modprobe.d "blacklist" entries, which
    # stop alias-based auto-loading (e.g. a mount(2) of a foreign
    # filesystem or a socket(2) of an exotic family pulling the module
    # in).  An explicit modprobe by root still works until
    # security.lockKernelModules (below) switches module loading off.
    blacklistedKernelModules = [
      # Obscure network protocols
      "ax25"
      "netrom"
      "rose"

      # Old or rare or insufficiently audited filesystems
      # NOTE(review): "ntfs" is the legacy driver only; the in-tree
      # "ntfs3" driver is not listed — confirm that is intended.
      "adfs"
      "affs"
      "bfs"
      "befs"
      "cramfs"
      "efs"
      "erofs"
      "exofs"
      "freevxfs"
      "f2fs"
      "hfs"
      "hpfs"
      "jfs"
      "minix"
      "nilfs2"
      "ntfs"
      "omfs"
      "qnx4"
      "qnx6"
      "sysv"
      "ufs"
    ];

    kernel.sysctl = {
      # 2 = kernel addresses are hidden (printed as zeros) in
      # /proc/kallsyms & co. for everyone, root included.
      "kernel.kptr_restrict" = 2;
      # Reading the kernel ring buffer requires CAP_SYSLOG.
      "kernel.dmesg_restrict" = 1;
      # Would also keep kernel messages off the console:
      #"kernel.printk" = "3 3 3 3";
      # eBPF only for CAP_BPF, and JIT hardening (constant blinding,
      # …) applied to every user, privileged ones included (2).
      "kernel.unprivileged_bpf_disabled" = 1;
      "net.core.bpf_jit_harden" = 2;
      # Only CAP_SYS_MODULE may auto-load a TTY line discipline, so an
      # unprivileged TIOCSETD ioctl cannot pull in a vulnerable one.
      "dev.tty.ldisc_autoload" = 0;
      # userfaultfd() is a classic helper for winning use-after-free
      # races; restrict it to CAP_SYS_PTRACE.
      "vm.unprivileged_userfaultfd" = 0;
      # No kexec of another kernel at runtime.  One-way switch: it
      # cannot be cleared again without a reboot.  NixOS's
      # security.protectKernelImage (below) presumably already sets
      # this via mkDefault; the explicit value here just pins it.
      "kernel.kexec_load_disabled" = 1;
      # User namespaces expose a lot of kernel attack surface to
      # unprivileged processes; limit them to CAP_SYS_ADMIN.
      # NOTE(review): this sysctl is an out-of-tree addition carried by
      # the hardened kernels (and Debian/Ubuntu ones); on the stock
      # pkgs.linuxPackages selected above the key does not exist and
      # the assignment presumably only produces an error at boot —
      # confirm it takes effect on the kernel actually in use.
      "kernel.unprivileged_userns_clone" = 0;
      # Performance events only with CAP_PERFMON.
      # NOTE(review): mainline only distinguishes values up to 2; the
      # "no perf at all for unprivileged users" meaning of 3 comes from
      # the same out-of-tree patch set — on a stock kernel 3 should
      # behave like 2, which is still fine.
      "kernel.perf_event_paranoid" = 3;
      # SYN cookies against SYN floods.
      "net.ipv4.tcp_syncookies" = 1;
      # Drop RST packets for sockets in TIME-WAIT (RFC 1337 "time-wait
      # assassination" hazards).
      "net.ipv4.tcp_rfc1337" = 1;
      # Neither accept nor send ICMP redirects (MITM vector and
      # information leak), for v4 and v6, current and future
      # interfaces.
      "net.ipv4.conf.all.accept_redirects" = 0;
      "net.ipv4.conf.default.accept_redirects" = 0;
      "net.ipv4.conf.all.secure_redirects" = 0;
      "net.ipv4.conf.default.secure_redirects" = 0;
      "net.ipv6.conf.all.accept_redirects" = 0;
      "net.ipv6.conf.default.accept_redirects" = 0;
      "net.ipv4.conf.all.send_redirects" = 0;
      "net.ipv4.conf.default.send_redirects" = 0;
      # Refuse source-routed packets (sender-chosen routing path).
      "net.ipv4.conf.all.accept_source_route" = 0;
      "net.ipv4.conf.default.accept_source_route" = 0;
      "net.ipv6.conf.all.accept_source_route" = 0;
      "net.ipv6.conf.default.accept_source_route" = 0;
      /*
      # Disabling TCP SACK has been suggested as a hardening measure,
      # but it is a real performance loss on lossy links; left off.
      # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
      "net.ipv4.tcp_sack" = 0;
      "net.ipv4.tcp_dsack" = 0;
      "net.ipv4.tcp_fack" = 0;
      */
      # Prefer randomised (RFC 4941) temporary IPv6 addresses for
      # outgoing connections.  mkForce because the NixOS networking
      # module presumably sets these keys itself (networking.tempAddresses).
      "net.ipv6.conf.all.use_tempaddr" = mkForce 2;
      "net.ipv6.conf.default.use_tempaddr" = mkForce 2;
      # Yama scope 2: only CAP_SYS_PTRACE may ptrace-attach.  This also
      # stops ordinary users from attaching gdb/strace to their own
      # running processes.
      "kernel.yama.ptrace_scope" = 2;
      # Strict reverse-path filtering; can drop legitimate traffic on
      # asymmetrically routed hosts.
      "net.ipv4.conf.all.rp_filter" = 1;
      "net.ipv4.conf.default.rp_filter" = 1;
    };

    kernelParams = [
      # Do not merge same-sized slab caches, so an overflow in one
      # object type cannot reach objects of another type.
      "slab_nomerge"
      # SLUB debugging: F = sanity checks, Z = red zones around
      # objects.  Catches some heap corruption early; costs CPU/memory.
      "slub_debug=FZ"
      #"init_on_alloc=1"
      #"init_on_free=1"
      # Randomise the page allocator's free lists.
      "page_alloc.shuffle=1"
      # Already added by security.forcePageTableIsolation below;
      # repeating it here is harmless.
      "pti=on"
      # Drop the legacy fixed-address vsyscall page (a known ROP
      # target); only very old static binaries still need it.
      "vsyscall=none"
      "debugfs=off"
      # Panic rather than keep running after a kernel oops.
      "oops=panic"
      # Disabled because zfs and wireguard modules are not signed.
      # NOTE(review): this only exists when CONFIG_MODULE_SIG is built
      # into the selected kernel, and the lockdown below refuses
      # unsigned modules whenever signature checking is compiled in —
      # confirm these modules actually load at boot on this kernel.
      "module.sig_enforce=0"
      # Kernel lockdown LSM at the confidentiality level (requires
      # CONFIG_SECURITY_LOCKDOWN_LSM).  Includes the integrity level,
      # which among other things forbids hibernation and kexec of
      # unsigned images, and additionally blocks reads of kernel
      # memory (/dev/mem, kcore, some bpf/perf uses).
      "lockdown=confidentiality"
      # Machine-check tolerance level 0: panic on any uncorrected
      # error, consistent with oops=panic.
      # NOTE(review): the numeric tolerance-level form was removed from
      # mainline at some point; check the kernel in use still honours it.
      "mce=0"
      #"quiet"
      #"loglevel=0"
    ];
  };

  # Alternative allocator; currently not enabled.
  #environment.memoryAllocator.provider = "libc";

  ############################################################
  # Nix daemon                                               #
  ############################################################
  nix.settings = {
    # Only members of the "users" group may talk to the nix-daemon.
    allowed-users = [ "@users" ];
    # Caches that non-trusted users are allowed to request
    # (e.g. via --extra-substituters); this does not add them to the
    # default substituters list.
    trusted-substituters = [
      "https://nix-community.cachix.org"
    ];
    # Signing key that narinfos from the cache above are checked
    # against.
    trusted-public-keys = [
      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
    ];
  };

  ############################################################
  # Network                                                  #
  ############################################################
  # Rate-limit ICMP echo requests instead of answering every ping.
  networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";

  ############################################################
  # NixOS security switches                                  #
  ############################################################
  security = {
    # Disables SMT siblings (NixOS adds "nosmt") against cross-thread
    # side channels, at a throughput cost.
    allowSimultaneousMultithreading = false;
    apparmor.enable = mkDefault true;
    # Meltdown mitigation (pti=on).
    forcePageTableIsolation = true;
    # Module loading is switched off late in boot; anything needed
    # must already be loaded by then.
    lockKernelModules = mkDefault true;
    # Prevents replacing the running kernel image.
    protectKernelImage = true;
    # L1TF mitigation for KVM guests: flush L1D on every VM entry.
    virtualisation.flushL1DataCache = "always";
    # Only allow members of the wheel group to execute sudo by setting
    # the executable's permissions accordingly.  Users outside wheel
    # then cannot even reach a sudo bug such as CVE-2021-3156.
    sudo.execWheelOnly = true;
  };

  ############################################################
  # Logs, core dumps, SSH                                    #
  ############################################################
  services = {
    # Persistent, compressed journal capped in size and age.
    journald.extraConfig = ''
      Compress=true
      MaxRetentionSec=1month
      Storage=persistent
      SystemMaxUse=100M
    '';

    openssh = {
      # Pinned host keys so the first connection is not trust-on-first-use.
      # NOTE(review): verify each key against the provider's published
      # fingerprints before relying on it, and re-check when a provider
      # announces a key rotation.
      knownHosts = {
        "git.sr.ht" = {
          hostNames = [ "git.sr.ht" ];
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
        };
        "github.com" = {
          hostNames = [ "github.com" ];
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
        };
        "gitlab.com" = {
          hostNames = [ "gitlab.com" ];
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
        };
      };
      # Hosts opt in to exposing sshd through the firewall.
      openFirewall = mkDefault false;
      settings = {
        # Together with PasswordAuthentication = false this leaves
        # public-key authentication only.
        KbdInteractiveAuthentication = mkDefault false;
        PasswordAuthentication = false;
        # Key exchange algorithms recommended by `nixpkgs#ssh-audit`.
        KexAlgorithms = [
          "curve25519-sha256"
          "curve25519-sha256@libssh.org"
          "diffie-hellman-group16-sha512"
          "diffie-hellman-group18-sha512"
          "sntrup761x25519-sha512@openssh.com"
        ];
        # Unlink a stale Unix socket before binding a forwarded one
        # (needed for forwarding a remote gpg-agent's socket).
        StreamLocalBindUnlink = true;
        UseDns = mkDefault false;
        X11Forwarding = mkDefault false;
      };
    };
  };

  # Core dumps off unless a host enables them; if enabled, keep them
  # compressed and bounded.
  systemd.coredump = {
    enable = mkDefault false;
    extraConfig = ''
      Compress=true
      MaxUse=1024M
      Storage=external
    '';
  };
}