]> Git — Sourcephile - sourcephile-nix.git/blob - nixos/defaults/security.nix
losurdo: install valgrind
[sourcephile-nix.git] / nixos / defaults / security.nix
1 { inputs, pkgs, lib, config, ... }:
2 {
3 boot.kernelPackages = pkgs.linuxPackages_hardened;
4 #environment.memoryAllocator.provider = "libc";
5 nix.allowedUsers = [ "@users" ];
6 networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";
7 security.allowSimultaneousMultithreading = false;
8 security.apparmor.enable = true;
9 security.forcePageTableIsolation = true;
10 security.lockKernelModules = lib.mkDefault true;
11 security.protectKernelImage = true;
12 security.virtualisation.flushL1DataCache = "always";
13 boot.blacklistedKernelModules = [
14 # Obscure network protocols
15 "ax25"
16 "netrom"
17 "rose"
18
19 # Old or rare or insufficiently audited filesystems
20 "adfs"
21 "affs"
22 "bfs"
23 "befs"
24 "cramfs"
25 "efs"
26 "erofs"
27 "exofs"
28 "freevxfs"
29 "f2fs"
30 "hfs"
31 "hpfs"
32 "jfs"
33 "minix"
34 "nilfs2"
35 "ntfs"
36 "omfs"
37 "qnx4"
38 "qnx6"
39 "sysv"
40 "ufs"
41 ];
42 boot.kernel.sysctl = {
43 # Mitigate kernel pointer leaks
44 "kernel.kptr_restrict" = 2;
45 # Restricts the kernel log to the CAP_SYSLOG capability
46 "kernel.dmesg_restrict" = 1;
47 # Prevent information leaks
48 #kernel.printk = "3 3 3 3";
49 # Restrict eBPF to the CAP_BPF capability
50 # and enable JIT hardening techniques
51 # such as constant blinding.
52 "kernel.unprivileged_bpf_disabled" = 1;
53 "net.core.bpf_jit_harden" = 2;
54 # Restricts loading TTY line disciplines
55 # to the CAP_SYS_MODULE capability to prevent
56 # unprivileged attackers from loading vulnerable
57 # line disciplines with the TIOCSETD ioctl
58 "dev.tty.ldisc_autoload" = 0;
59 # The userfaultfd() syscall is often abused to exploit
60 # use-after-free flaws.
61 # Due to this, this sysctl is used to restrict
62 # this syscall to the CAP_SYS_PTRACE capability.
63 "vm.unprivileged_userfaultfd" = 0;
64 # kexec is a system call that is used
65 # to boot another kernel during runtime.
66 "kernel.kexec_load_disabled" = 1;
67 # User namespaces are a feature in the kernel which aim to
68 # improve sandboxing and make it easily accessible for
69 # unprivileged users however, this feature exposes
70 # significant kernel attack surface for privilege
71 # escalation so this sysctl restricts the usage of user
72 # namespaces to the CAP_SYS_ADMIN capability.
73 "kernel.unprivileged_userns_clone" = 0;
74 # Restricts all usage of performance events to the
75 # CAP_PERFMON capability
76 "kernel.perf_event_paranoid" = 3;
77 # Helps protect against SYN flood attacks
78 "net.ipv4.tcp_syncookies" = 1;
79 # Protects against time-wait assassination
80 # by dropping RST packets for sockets
81 # in the time-wait state.
82 "net.ipv4.tcp_rfc1337" = 1;
83 # Disable ICMP redirect acceptance and sending to prevent
84 # man-in-the-middle attacks and minimize information disclosure.
85 "net.ipv4.conf.all.accept_redirects" = 0;
86 "net.ipv4.conf.default.accept_redirects" = 0;
87 "net.ipv4.conf.all.secure_redirects" = 0;
88 "net.ipv4.conf.default.secure_redirects" = 0;
89 "net.ipv6.conf.all.accept_redirects" = 0;
90 "net.ipv6.conf.default.accept_redirects" = 0;
91 "net.ipv4.conf.all.send_redirects" = 0;
92 "net.ipv4.conf.default.send_redirects" = 0;
93 # Disable source routing, a mechanism
94 # that allows users to redirect network traffic.
95 "net.ipv4.conf.all.accept_source_route" = 0;
96 "net.ipv4.conf.default.accept_source_route" = 0;
97 "net.ipv6.conf.all.accept_source_route" = 0;
98 "net.ipv6.conf.default.accept_source_route" = 0;
99 /*
100 # Disable TCP SACK, which is commonly exploited
101 # and unnecessary for many circumstances.
102 # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
103 "net.ipv4.tcp_sack" = 0;
104 "net.ipv4.tcp_dsack" = 0;
105 "net.ipv4.tcp_fack" = 0;
106 */
107 # Generate a random IPv6 address
108 "net.ipv6.conf.all.use_tempaddr" = 2;
109 "net.ipv6.conf.default.use_tempaddr" = 2;
110 # Restricts usage of ptrace to only processes
111 # with the CAP_SYS_PTRACE capability
112 "kernel.yama.ptrace_scope" = 2;
113 # Do source validation by confirming reverse path
114 "net.ipv4.conf.all.rp_filter" = 1;
115 "net.ipv4.conf.default.rp_filter" = 1;
116 };
117 boot.kernelParams = [
118 "slab_nomerge"
119 "slub_debug=FZ"
120 #"init_on_alloc=1"
121 #"init_on_free=1"
122 "page_alloc.shuffle=1"
123 "pti=on"
124 "vsyscall=none"
125 "debugfs=off"
126 "oops=panic"
127 # Disabled because zfs and wireguard modules are not signed
128 "module.sig_enforce=0"
129 "lockdown=confidentiality"
130 "mce=0"
131 #"quiet"
132 #"loglevel=0"
133 ];
134 }