nixos/defaults/security.nix

   1 { inputs, pkgs, lib, config, ... }:
   2 {
   3 boot.kernelPackages = pkgs.linuxPackages_hardened;
   4 #boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
   5 #environment.memoryAllocator.provider = "libc";
   6 nix.allowedUsers = [ "@users" ];
   7 networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";
   8 security.allowSimultaneousMultithreading = false;
   9 security.apparmor.enable = true;
  10 security.forcePageTableIsolation = true;
  11 security.lockKernelModules = lib.mkDefault true;
  12 security.protectKernelImage = true;
  13 security.virtualisation.flushL1DataCache = "always";
  14 boot.blacklistedKernelModules = [
  15   # Obscure network protocols
  16   "ax25"
  17   "netrom"
  18   "rose"
  19
  20   # Old or rare or insufficiently audited filesystems
  21   "adfs"
  22   "affs"
  23   "bfs"
  24   "befs"
  25   "cramfs"
  26   "efs"
  27   "erofs"
  28   "exofs"
  29   "freevxfs"
  30   "f2fs"
  31   "hfs"
  32   "hpfs"
  33   "jfs"
  34   "minix"
  35   "nilfs2"
  36   "ntfs"
  37   "omfs"
  38   "qnx4"
  39   "qnx6"
  40   "sysv"
  41   "ufs"
  42 ];
  43 boot.kernel.sysctl = {
  44   # Mitigate kernel pointer leaks
  45   "kernel.kptr_restrict" = 2;
  46   # Restricts the kernel log to the CAP_SYSLOG capability
  47   "kernel.dmesg_restrict" = 1;
  48   # Prevent information leaks
  49   #kernel.printk = "3 3 3 3";
  50   # Restrict eBPF to the CAP_BPF capability
  51   # and enable JIT hardening techniques
  52   # such as constant blinding.
  53   "kernel.unprivileged_bpf_disabled" = 1;
  54   "net.core.bpf_jit_harden" = 2;
  55   # Restricts loading TTY line disciplines
  56   # to the CAP_SYS_MODULE capability to prevent
  57   # unprivileged attackers from loading vulnerable
  58   # line disciplines with the TIOCSETD ioctl
  59   "dev.tty.ldisc_autoload" = 0;
  60   # The userfaultfd() syscall is often abused to exploit
  61   # use-after-free flaws.
  62   # Due to this, this sysctl is used to restrict
  63   # this syscall to the CAP_SYS_PTRACE capability.
  64   "vm.unprivileged_userfaultfd" = 0;
  65   # kexec is a system call that is used
  66   # to boot another kernel during runtime.
  67   "kernel.kexec_load_disabled" = 1;
  68   # User namespaces are a feature in the kernel which aim to
  69   # improve sandboxing and make it easily accessible for
  70   # unprivileged users however, this feature exposes
  71   # significant kernel attack surface for privilege
  72   # escalation so this sysctl restricts the usage of user
  73   # namespaces to the CAP_SYS_ADMIN capability.
  74   "kernel.unprivileged_userns_clone" = 0;
  75   # Restricts all usage of performance events to the
  76   # CAP_PERFMON capability
  77   "kernel.perf_event_paranoid" = 3;
  78   # Helps protect against SYN flood attacks
  79   "net.ipv4.tcp_syncookies" = 1;
  80   # Protects against time-wait assassination
  81   # by dropping RST packets for sockets
  82   # in the time-wait state.
  83   "net.ipv4.tcp_rfc1337" = 1;
  84   # Disable ICMP redirect acceptance and sending to prevent
  85   # man-in-the-middle attacks and minimize information disclosure.
  86   "net.ipv4.conf.all.accept_redirects" = 0;
  87   "net.ipv4.conf.default.accept_redirects" = 0;
  88   "net.ipv4.conf.all.secure_redirects" = 0;
  89   "net.ipv4.conf.default.secure_redirects" = 0;
  90   "net.ipv6.conf.all.accept_redirects" = 0;
  91   "net.ipv6.conf.default.accept_redirects" = 0;
  92   "net.ipv4.conf.all.send_redirects" = 0;
  93   "net.ipv4.conf.default.send_redirects" = 0;
  94   # Disable source routing, a mechanism
  95   # that allows users to redirect network traffic.
  96   "net.ipv4.conf.all.accept_source_route" = 0;
  97   "net.ipv4.conf.default.accept_source_route" = 0;
  98   "net.ipv6.conf.all.accept_source_route" = 0;
  99   "net.ipv6.conf.default.accept_source_route" = 0;
 100   /*
 101   # Disable TCP SACK, which is commonly exploited
 102   # and unnecessary for many circumstances.
 103   # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
 104   "net.ipv4.tcp_sack" = 0;
 105   "net.ipv4.tcp_dsack" = 0;
 106   "net.ipv4.tcp_fack" = 0;
 107   */
 108   # Generate a random IPv6 address
 109   "net.ipv6.conf.all.use_tempaddr" = 2;
 110   "net.ipv6.conf.default.use_tempaddr" = 2;
 111   # Restricts usage of ptrace to only processes
 112   # with the CAP_SYS_PTRACE capability
 113   "kernel.yama.ptrace_scope" = 2;
 114   # Do source validation by confirming reverse path
 115   "net.ipv4.conf.all.rp_filter" = 1;
 116   "net.ipv4.conf.default.rp_filter" = 1;
 117 };
 118 boot.kernelParams = [
 119   "slab_nomerge"
 120   "slub_debug=FZ"
 121   #"init_on_alloc=1"
 122   #"init_on_free=1"
 123   "page_alloc.shuffle=1"
 124   "pti=on"
 125   "vsyscall=none"
 126   "debugfs=off"
 127   "oops=panic"
 128   # Disabled because zfs and wireguard modules are not signed
 129   "module.sig_enforce=0"
 130   "lockdown=confidentiality"
 131   "mce=0"
 132   #"quiet"
 133   #"loglevel=0"
 134 ];
 135 }