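# Kernel and sysctl hardening defaults (nixos/defaults/security.nix).
# Every value is plain NixOS configuration; a host module can override the
# ones marked lib.mkDefault without lib.mkForce.
{ inputs, pkgs, lib, config, ... }:
{
  # linux-hardened. Some sysctls below are linux-hardened additions
  # (kernel.unprivileged_userns_clone; kernel.perf_event_paranoid = 3):
  # on a mainline kernel systemd-sysctl reports the missing key and
  # moves on, and perf_event_paranoid = 3 behaves like 2.
  boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
  #environment.memoryAllocator.provider = "libc";
  # Only members of the "users" group may use the Nix daemon.
  # (Recent NixOS spells this nix.settings.allowed-users; the old name is an alias.)
  nix.allowedUsers = [ "@users" ];
  # Boots with SMT off: closes SMT-based side channels, halves logical CPUs.
  security.allowSimultaneousMultithreading = false;
  security.apparmor.enable = true;
  security.forcePageTableIsolation = true;
  # Disables kernel module loading once the system is up (until reboot).
  # Anything a host needs loaded on demand later (filesystems, netfilter,
  # hot-plugged device drivers, ...) must be listed in its boot.kernelModules.
  # mkDefault so such a host can opt out.
  security.lockKernelModules = lib.mkDefault true;
  # Also disables hibernation and should set kernel.kexec_load_disabled.
  security.protectKernelImage = true;
  security.virtualisation.flushL1DataCache = "always";
  # NOTE: a modprobe "blacklist" entry only stops alias-based autoloading;
  # an explicit `modprobe <name>` still works until lockKernelModules kicks
  # in. To refuse that too, add `install <name> /bin/false` lines via
  # boot.extraModprobeConfig.
  boot.blacklistedKernelModules = [
    # Obscure network protocols
    "ax25"
    "netrom"
    "rose"

    # Old or rare or insufficiently audited filesystems
    "adfs"
    "affs"
    "bfs"
    "befs"
    "cramfs"
    "efs"
    "erofs"
    "exofs"
    "freevxfs"
    "f2fs"
    "hfs"
    "hpfs"
    "jfs"
    "minix"
    "nilfs2"
    "ntfs"
    "omfs"
    "qnx4"
    "qnx6"
    "sysv"
    "ufs"
  ];
  boot.kernel.sysctl = {
    # Mitigate kernel pointer leaks (hide them even from root)
    "kernel.kptr_restrict" = 2;
    # Restricts the kernel log to the CAP_SYSLOG capability
    "kernel.dmesg_restrict" = 1;
    # Prevent information leaks
    #kernel.printk = "3 3 3 3";
    # Restrict eBPF to the CAP_BPF capability
    # and enable JIT hardening techniques
    # such as constant blinding.
    # Value 1 is permanent until reboot; on kernels that support it,
    # value 2 disables too but can be switched back to 0 at runtime.
    "kernel.unprivileged_bpf_disabled" = 1;
    "net.core.bpf_jit_harden" = 2;
    # Restricts loading TTY line disciplines
    # to the CAP_SYS_MODULE capability to prevent
    # unprivileged attackers from loading vulnerable
    # line disciplines with the TIOCSETD ioctl
    "dev.tty.ldisc_autoload" = 0;
    # The userfaultfd() syscall is often abused to exploit
    # use-after-free flaws.
    # Due to this, this sysctl is used to restrict
    # this syscall to the CAP_SYS_PTRACE capability.
    "vm.unprivileged_userfaultfd" = 0;
    # kexec is a system call that is used
    # to boot another kernel during runtime.
    # security.protectKernelImage above should already set this;
    # kept explicit so it does not depend on that option.
    "kernel.kexec_load_disabled" = 1;
    # User namespaces are a feature in the kernel which aim to
    # improve sandboxing and make it easily accessible for
    # unprivileged users however, this feature exposes
    # significant kernel attack surface for privilege
    # escalation so this sysctl restricts the usage of user
    # namespaces to the CAP_SYS_ADMIN capability.
    # (linux-hardened only; root, and so the Nix build sandbox, is unaffected.)
    "kernel.unprivileged_userns_clone" = 0;
    # Restricts all usage of performance events to the
    # CAP_PERFMON capability
    "kernel.perf_event_paranoid" = 3;
    # Helps protect against SYN flood attacks
    "net.ipv4.tcp_syncookies" = 1;
    # Protects against time-wait assassination
    # by dropping RST packets for sockets
    # in the time-wait state.
    "net.ipv4.tcp_rfc1337" = 1;
    # Disable ICMP redirect acceptance and sending to prevent
    # man-in-the-middle attacks and minimize information disclosure.
    "net.ipv4.conf.all.accept_redirects" = 0;
    "net.ipv4.conf.default.accept_redirects" = 0;
    "net.ipv4.conf.all.secure_redirects" = 0;
    "net.ipv4.conf.default.secure_redirects" = 0;
    "net.ipv6.conf.all.accept_redirects" = 0;
    "net.ipv6.conf.default.accept_redirects" = 0;
    "net.ipv4.conf.all.send_redirects" = 0;
    "net.ipv4.conf.default.send_redirects" = 0;
    # Disable source routing, a mechanism
    # that allows users to redirect network traffic.
    "net.ipv4.conf.all.accept_source_route" = 0;
    "net.ipv4.conf.default.accept_source_route" = 0;
    "net.ipv6.conf.all.accept_source_route" = 0;
    "net.ipv6.conf.default.accept_source_route" = 0;
    /*
    # Disable TCP SACK, which is commonly exploited
    # and unnecessary for many circumstances.
    # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
    "net.ipv4.tcp_sack" = 0;
    "net.ipv4.tcp_dsack" = 0;
    "net.ipv4.tcp_fack" = 0;
    */
    # generate a random IPv6 address and prefer it for outgoing
    # connections. On a server whose outgoing traffic is matched by
    # address (firewall rules, DNS, peers' allow-lists) the changing
    # source address may be unwanted; 1 generates without preferring.
    "net.ipv6.conf.all.use_tempaddr" = 2;
    "net.ipv6.conf.default.use_tempaddr" = 2;
    # restricts usage of ptrace to only processes
    # with the CAP_SYS_PTRACE capability.
    # This also covers PTRACE_TRACEME, so non-root users cannot
    # run a program under gdb/strace at all.
    "kernel.yama.ptrace_scope" = 2;
  };
  boot.kernelParams = [
    # Keep slab caches separate so a bug in one cannot be exploited
    # through objects of another.
    "slab_nomerge"
    # SLUB sanity checks (F) and red zoning (Z); has a performance cost.
    "slub_debug=FZ"
    #"init_on_alloc=1"
    #"init_on_free=1"
    "page_alloc.shuffle=1"
    # Already implied by security.forcePageTableIsolation above; harmless duplicate.
    "pti=on"
    # Breaks only very old static binaries that still use the vsyscall page.
    "vsyscall=none"
    "debugfs=off"
    # Any oops panics the machine. kernel.panic defaults to 0 (hang
    # forever), so an unattended host needs "kernel.panic" = <seconds>
    # in the sysctl set above (or panic=<seconds> here) to come back.
    "oops=panic"
    # module.sig_enforce=0 was listed here "because zfs and wireguard
    # modules are not signed". It was dropped: that parameter can only
    # be raised, never lowered (bool_enable_only), so it never allowed
    # unsigned modules. They presumably load because the kernel is built
    # without MODULE_SIG_FORCE (and, with lockdown below, without
    # MODULE_SIG, which lockdown would otherwise enforce) -- confirm
    # against the kernel config before relying on it.
    # Lockdown LSM (no-op without CONFIG_SECURITY_LOCKDOWN_LSM).
    # "confidentiality" additionally blocks root from reading kernel
    # memory via perf, BPF, kprobes/tracefs, so kernel tracing tools
    # stop working; "integrity" is the less disruptive level.
    "lockdown=confidentiality"
    # Panic on uncorrected machine-check errors instead of tolerating them.
    "mce=0"
    #"quiet"
    #"loglevel=0"
  ];
}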