]> Git — Sourcephile - sourcephile-nix.git/blob - nixos/defaults/security.nix
sourcehut: only enable Docker when needed
[sourcephile-nix.git] / nixos / defaults / security.nix
1 { inputs, pkgs, lib, config, ... }:
2 {
3 boot.kernelPackages = pkgs.linuxPackages_hardened;
4 #boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
5 #environment.memoryAllocator.provider = "libc";
6 nix.allowedUsers = [ "@users" ];
7 networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";
8 security.allowSimultaneousMultithreading = false;
9 security.apparmor.enable = true;
10 security.forcePageTableIsolation = true;
11 security.lockKernelModules = lib.mkDefault true;
12 security.protectKernelImage = true;
13 security.virtualisation.flushL1DataCache = "always";
14 boot.blacklistedKernelModules = [
15 # Obscure network protocols
16 "ax25"
17 "netrom"
18 "rose"
19
20 # Old or rare or insufficiently audited filesystems
21 "adfs"
22 "affs"
23 "bfs"
24 "befs"
25 "cramfs"
26 "efs"
27 "erofs"
28 "exofs"
29 "freevxfs"
30 "f2fs"
31 "hfs"
32 "hpfs"
33 "jfs"
34 "minix"
35 "nilfs2"
36 "ntfs"
37 "omfs"
38 "qnx4"
39 "qnx6"
40 "sysv"
41 "ufs"
42 ];
43 boot.kernel.sysctl = {
44 # Mitigate kernel pointer leaks
45 "kernel.kptr_restrict" = 2;
46 # Restricts the kernel log to the CAP_SYSLOG capability
47 "kernel.dmesg_restrict" = 1;
48 # Prevent information leaks
49 #kernel.printk = "3 3 3 3";
50 # Restrict eBPF to the CAP_BPF capability
51 # and enable JIT hardening techniques
52 # such as constant blinding.
53 "kernel.unprivileged_bpf_disabled" = 1;
54 "net.core.bpf_jit_harden" = 2;
55 # Restricts loading TTY line disciplines
56 # to the CAP_SYS_MODULE capability to prevent
57 # unprivileged attackers from loading vulnerable
58 # line disciplines with the TIOCSETD ioctl
59 "dev.tty.ldisc_autoload" = 0;
60 # The userfaultfd() syscall is often abused to exploit
61 # use-after-free flaws.
62 # Due to this, this sysctl is used to restrict
63 # this syscall to the CAP_SYS_PTRACE capability.
64 "vm.unprivileged_userfaultfd" = 0;
65 # kexec is a system call that is used
66 # to boot another kernel during runtime.
67 "kernel.kexec_load_disabled" = 1;
68 # User namespaces are a feature in the kernel which aim to
69 # improve sandboxing and make it easily accessible for
70 # unprivileged users however, this feature exposes
71 # significant kernel attack surface for privilege
72 # escalation so this sysctl restricts the usage of user
73 # namespaces to the CAP_SYS_ADMIN capability.
74 "kernel.unprivileged_userns_clone" = 0;
75 # Restricts all usage of performance events to the
76 # CAP_PERFMON capability
77 "kernel.perf_event_paranoid" = 3;
78 # Helps protect against SYN flood attacks
79 "net.ipv4.tcp_syncookies" = 1;
80 # Protects against time-wait assassination
81 # by dropping RST packets for sockets
82 # in the time-wait state.
83 "net.ipv4.tcp_rfc1337" = 1;
84 # Disable ICMP redirect acceptance and sending to prevent
85 # man-in-the-middle attacks and minimize information disclosure.
86 "net.ipv4.conf.all.accept_redirects" = 0;
87 "net.ipv4.conf.default.accept_redirects" = 0;
88 "net.ipv4.conf.all.secure_redirects" = 0;
89 "net.ipv4.conf.default.secure_redirects" = 0;
90 "net.ipv6.conf.all.accept_redirects" = 0;
91 "net.ipv6.conf.default.accept_redirects" = 0;
92 "net.ipv4.conf.all.send_redirects" = 0;
93 "net.ipv4.conf.default.send_redirects" = 0;
94 # Disable source routing, a mechanism
95 # that allows users to redirect network traffic.
96 "net.ipv4.conf.all.accept_source_route" = 0;
97 "net.ipv4.conf.default.accept_source_route" = 0;
98 "net.ipv6.conf.all.accept_source_route" = 0;
99 "net.ipv6.conf.default.accept_source_route" = 0;
100 /*
101 # Disable TCP SACK, which is commonly exploited
102 # and unnecessary for many circumstances.
103 # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
104 "net.ipv4.tcp_sack" = 0;
105 "net.ipv4.tcp_dsack" = 0;
106 "net.ipv4.tcp_fack" = 0;
107 */
108 # Generate a random IPv6 address
109 "net.ipv6.conf.all.use_tempaddr" = 2;
110 "net.ipv6.conf.default.use_tempaddr" = 2;
111 # Restricts usage of ptrace to only processes
112 # with the CAP_SYS_PTRACE capability
113 "kernel.yama.ptrace_scope" = 2;
114 # Do source validation by confirming reverse path
115 "net.ipv4.conf.all.rp_filter" = 1;
116 "net.ipv4.conf.default.rp_filter" = 1;
117 };
118 boot.kernelParams = [
119 "slab_nomerge"
120 "slub_debug=FZ"
121 #"init_on_alloc=1"
122 #"init_on_free=1"
123 "page_alloc.shuffle=1"
124 "pti=on"
125 "vsyscall=none"
126 "debugfs=off"
127 "oops=panic"
128 # Disabled because zfs and wireguard modules are not signed
129 "module.sig_enforce=0"
130 "lockdown=confidentiality"
131 "mce=0"
132 #"quiet"
133 #"loglevel=0"
134 ];
135 }