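# NixOS hardening profile: kernel selection, sysctl and boot-parameter
# lockdown, kernel-module blacklist, journald/coredump retention and the
# sshd authentication policy.
#
# The kernel chosen below is the vanilla pkgs.linuxPackages. Two sysctls in
# this file come from the linux-hardened patch set rather than the vanilla
# kernel: "kernel.unprivileged_userns_clone" does not exist on vanilla (the
# key is skipped at boot with an error from systemd-sysctl, the build still
# succeeds), and "kernel.perf_event_paranoid" = 3 only adds something over 2
# on hardened kernels. Switch to pkgs.linuxPackages_hardened to make them
# effective.
{ pkgs, lib, ... }:
{
  boot.kernelPackages = pkgs.linuxPackages;
  #boot.kernelPackages = pkgs.linuxPackages_latest;
  #boot.kernelPackages = pkgs.linuxPackages_hardened;
  #boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
  #environment.memoryAllocator.provider = "libc";
  # Only members of the "users" group may talk to the Nix daemon.
  nix.settings.allowed-users = [ "@users" ];
  networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";
  security.allowSimultaneousMultithreading = false;
  security.apparmor.enable = lib.mkDefault true;
  security.forcePageTableIsolation = true;
  security.lockKernelModules = lib.mkDefault true;
  security.protectKernelImage = true;
  security.virtualisation.flushL1DataCache = "always";
  boot.blacklistedKernelModules = [
    # Obscure network protocols
    "ax25"
    "netrom"
    "rose"

    # Old or rare or insufficiently audited filesystems
    "adfs"
    "affs"
    "bfs"
    "befs"
    "cramfs"
    "efs"
    "erofs"
    "exofs"
    "freevxfs"
    "f2fs"
    "hfs"
    "hpfs"
    "jfs"
    "minix"
    "nilfs2"
    "ntfs"
    "omfs"
    "qnx4"
    "qnx6"
    "sysv"
    "ufs"
  ];
  boot.kernel.sysctl = {
    # Mitigate kernel pointer leaks
    "kernel.kptr_restrict" = 2;
    # Restricts the kernel log to the CAP_SYSLOG capability
    "kernel.dmesg_restrict" = 1;
    # Prevent information leaks
    #kernel.printk = "3 3 3 3";
    # Restrict eBPF to the CAP_BPF capability
    # and enable JIT hardening techniques
    # such as constant blinding.
    "kernel.unprivileged_bpf_disabled" = 1;
    "net.core.bpf_jit_harden" = 2;
    # Restricts loading TTY line disciplines
    # to the CAP_SYS_MODULE capability to prevent
    # unprivileged attackers from loading vulnerable
    # line disciplines with the TIOCSETD ioctl
    "dev.tty.ldisc_autoload" = 0;
    # The userfaultfd() syscall is often abused to exploit
    # use-after-free flaws.
    # Due to this, this sysctl is used to restrict
    # this syscall to the CAP_SYS_PTRACE capability.
    "vm.unprivileged_userfaultfd" = 0;
    # kexec is a system call that is used
    # to boot another kernel during runtime.
    "kernel.kexec_load_disabled" = 1;
    # User namespaces are a feature in the kernel which aim to
    # improve sandboxing and make it easily accessible for
    # unprivileged users however, this feature exposes
    # significant kernel attack surface for privilege
    # escalation so this sysctl restricts the usage of user
    # namespaces to the CAP_SYS_ADMIN capability.
    # (linux-hardened patch set only; absent on the vanilla kernel.)
    "kernel.unprivileged_userns_clone" = 0;
    # Restricts all usage of performance events to the
    # CAP_PERFMON capability
    # (3 is a linux-hardened extension; the vanilla kernel treats it like 2,
    # which still lets unprivileged users open per-process events.)
    "kernel.perf_event_paranoid" = 3;
    # Helps protect against SYN flood attacks
    "net.ipv4.tcp_syncookies" = 1;
    # Protects against time-wait assassination
    # by dropping RST packets for sockets
    # in the time-wait state.
    "net.ipv4.tcp_rfc1337" = 1;
    # Disable ICMP redirect acceptance and sending to prevent
    # man-in-the-middle attacks and minimize information disclosure.
    "net.ipv4.conf.all.accept_redirects" = 0;
    "net.ipv4.conf.default.accept_redirects" = 0;
    "net.ipv4.conf.all.secure_redirects" = 0;
    "net.ipv4.conf.default.secure_redirects" = 0;
    "net.ipv6.conf.all.accept_redirects" = 0;
    "net.ipv6.conf.default.accept_redirects" = 0;
    "net.ipv4.conf.all.send_redirects" = 0;
    "net.ipv4.conf.default.send_redirects" = 0;
    # Disable source routing, a mechanism
    # that allows users to redirect network traffic.
    "net.ipv4.conf.all.accept_source_route" = 0;
    "net.ipv4.conf.default.accept_source_route" = 0;
    "net.ipv6.conf.all.accept_source_route" = 0;
    "net.ipv6.conf.default.accept_source_route" = 0;
    /*
    # Disable TCP SACK, which is commonly exploited
    # and unnecessary for many circumstances.
    # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
    "net.ipv4.tcp_sack" = 0;
    "net.ipv4.tcp_dsack" = 0;
    "net.ipv4.tcp_fack" = 0;
    */
    # Generate a random IPv6 address
    # (mkForce: NixOS sets use_tempaddr itself, this must win over it)
    "net.ipv6.conf.all.use_tempaddr" = lib.mkForce 2;
    "net.ipv6.conf.default.use_tempaddr" = lib.mkForce 2;
    # Restricts usage of ptrace to only processes
    # with the CAP_SYS_PTRACE capability
    "kernel.yama.ptrace_scope" = 2;
    # Do source validation by confirming reverse path
    "net.ipv4.conf.all.rp_filter" = 1;
    "net.ipv4.conf.default.rp_filter" = 1;
  };
  boot.kernelParams = [
    "slab_nomerge"
    "slub_debug=FZ"
    #"init_on_alloc=1"
    #"init_on_free=1"
    "page_alloc.shuffle=1"
    # Redundant with security.forcePageTableIsolation above; harmless.
    "pti=on"
    "vsyscall=none"
    "debugfs=off"
    "oops=panic"
    # Disabled because zfs and wireguard modules are not signed
    # NOTE(review): on a kernel built with CONFIG_MODULE_SIG, the lockdown LSM
    # in integrity/confidentiality mode refuses unsigned modules on its own
    # (LOCKDOWN_MODULE_SIGNATURE), independently of module.sig_enforce=0;
    # confirm that the out-of-tree modules still load on the chosen kernel.
    "module.sig_enforce=0"
    "lockdown=confidentiality"
    "mce=0"
    #"quiet"
    #"loglevel=0"
  ];
  services.journald.extraConfig = ''
    Compress=true
    MaxRetentionSec=1month
    Storage=persistent
    SystemMaxUse=100M
  '';
  systemd.coredump = {
    enable = lib.mkDefault false;
    extraConfig = ''
      Compress=true
      MaxUse=1024M
      Storage=external
    '';
  };
  services.openssh = {
    openFirewall = lib.mkDefault false;
    # Both settings must be off: with only PasswordAuthentication=no, sshd
    # still accepts a password through the keyboard-interactive (PAM) method.
    passwordAuthentication = false;
    # mkDefault so a host profile that needs interactive logins can override
    # it without a conflicting-definition error.
    kbdInteractiveAuthentication = lib.mkDefault false;
    # NOTE(review): on NixOS >= 23.05 these two are renamed aliases of
    # services.openssh.settings.PasswordAuthentication and
    # services.openssh.settings.KbdInteractiveAuthentication.
  };
}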