1 { inputs, pkgs, lib, config, ... }:
3 boot.kernelPackages = pkgs.linuxPackages_hardened;
4 #environment.memoryAllocator.provider = "libc";
5 nix.allowedUsers = [ "@users" ];
6 security.allowSimultaneousMultithreading = false;
7 security.apparmor.enable = true;
8 security.forcePageTableIsolation = true;
9 security.hideProcessInformation = true;
10 security.lockKernelModules = true;
11 security.protectKernelImage = true;
12 security.virtualisation.flushL1DataCache = "always";
13 boot.blacklistedKernelModules = [
14 # Obscure network protocols
19 # Old or rare or insufficiently audited filesystems
42 boot.kernel.sysctl = {
43 # Mitigate kernel pointer leaks
44 kernel.kptr_restrict = 2;
46 # Restricts reading the kernel log (dmesg) to the CAP_SYSLOG capability
46 kernel.dmesg_restrict = 1;
47 # Prevent information leaks
48 #kernel.printk = "3 3 3 3";
49 # Restrict eBPF to the CAP_BPF capability
50 # and enable JIT hardening techniques
51 # such as constant blinding.
52 kernel.unprivileged_bpf_disabled = 1;
53 net.core.bpf_jit_harden = 2;
54 # Restricts loading TTY line disciplines
55 # to the CAP_SYS_MODULE capability to prevent
56 # unprivileged attackers from loading vulnerable
57 # line disciplines with the TIOCSETD ioctl
58 dev.tty.ldisc_autoload = 0;
59 # The userfaultfd() syscall is often abused to exploit
60 # use-after-free flaws.
61 # This sysctl therefore restricts the syscall
62 # to the CAP_SYS_PTRACE capability.
63 vm.unprivileged_userfaultfd = 0;
64 # kexec is a system call that replaces the running kernel
65 # with another one at runtime; disabling it closes that path.
66 kernel.kexec_load_disabled = 1;
67 # User namespaces are a kernel feature that aims to
68 # improve sandboxing and make it easily accessible to
69 # unprivileged users; however, the feature exposes
70 # significant kernel attack surface for privilege
71 # escalation, so this sysctl restricts the use of user
72 # namespaces to the CAP_SYS_ADMIN capability.
73 kernel.unprivileged_userns_clone = 0;
74 # Restricts all usage of performance events to the
75 # CAP_PERFMON capability
76 kernel.perf_event_paranoid = 3;
77 # Helps protect against SYN flood attacks
78 net.ipv4.tcp_syncookies = 1;
79 # Protects against time-wait assassination
80 # by dropping RST packets for sockets
81 # in the time-wait state.
82 net.ipv4.tcp_rfc1337 = 1;
83 # Disable ICMP redirect acceptance and sending to prevent
84 # man-in-the-middle attacks and minimize information disclosure.
85 net.ipv4.conf.all.accept_redirects = 0;
86 net.ipv4.conf.default.accept_redirects = 0;
87 net.ipv4.conf.all.secure_redirects = 0;
88 net.ipv4.conf.default.secure_redirects = 0;
89 net.ipv6.conf.all.accept_redirects = 0;
90 net.ipv6.conf.default.accept_redirects = 0;
91 net.ipv4.conf.all.send_redirects = 0;
92 net.ipv4.conf.default.send_redirects = 0;
93 # Disable source routing, a mechanism that lets the sender
94 # of a packet choose its path and so redirect network traffic.
95 net.ipv4.conf.all.accept_source_route = 0;
96 net.ipv4.conf.default.accept_source_route = 0;
97 net.ipv6.conf.all.accept_source_route = 0;
98 net.ipv6.conf.default.accept_source_route = 0;
99 # Disable TCP SACK, which is commonly exploited
100 # and unnecessary in many circumstances.
101 # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
102 net.ipv4.tcp_sack = 0;
103 net.ipv4.tcp_dsack = 0;
104 net.ipv4.tcp_fack = 0;
105 # Generate temporary (random) IPv6 addresses and prefer them
106 net.ipv6.conf.all.use_tempaddr = 2;
107 net.ipv6.conf.default.use_tempaddr = 2;
108 # restricts usage of ptrace to only processes
109 # with the CAP_SYS_PTRACE capability
110 kernel.yama.ptrace_scope = 2;
112 boot.kernelParams = [
117 "page_alloc.shuffle=1"
122 "module.sig_enforce=1"
123 "lockdown=confidentiality"