1 { inputs, pkgs, lib, config, ... }:
# Hardened kernel. NOTE(review): `linuxPackages_latest_hardened` was dropped
# from newer nixpkgs, where hardened kernels track LTS only
# (`linuxPackages_hardened`); confirm the attribute still exists in the
# pinned nixpkgs input, otherwise evaluation fails.
boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
# Left disabled on purpose: presumably the hardened profile picks a hardened
# allocator by default and "libc" would opt back out of it. Delete this line
# if it is not needed as an escape hatch.
#environment.memoryAllocator.provider = "libc";
# Only members of the "users" group may talk to the Nix daemon.
# NOTE(review): on NixOS 22.05+ this option is renamed to
# `nix.settings.allowed-users`; the old name still works via a rename alias.
nix.allowedUsers = [ "@users" ];
# Disable SMT: closes cross-hyperthread side channels (MDS/L1TF class) at
# the cost of half the logical CPUs.
security.allowSimultaneousMultithreading = false;
# Loads the AppArmor LSM; nothing is actually confined until profiles are
# installed for the services that need them.
security.apparmor.enable = true;
# Force KPTI (Meltdown mitigation) even on CPUs that report themselves as
# unaffected.
security.forcePageTableIsolation = true;
# Disallow loading kernel modules once boot has finished. mkDefault so a
# host that must load modules at runtime can override it. Any module that
# is only needed later (see the unsigned zfs/wireguard note further down)
# presumably has to be loaded during boot -- verify on such hosts.
security.lockKernelModules = lib.mkDefault true;
# Forbid replacing or inspecting the running kernel image (kexec and
# hibernation are disabled by this option -- confirm against the module).
security.protectKernelImage = true;
# Flush the L1D cache on every VM entry (L1TF). Only matters on KVM hosts
# and costs performance on every VM entry/exit.
security.virtualisation.flushL1DataCache = "always";
12 boot.blacklistedKernelModules = [
13 # Obscure network protocols
18 # Old or rare or insufficiently audited filesystems
41 boot.kernel.sysctl = {
42 # Mitigate kernel pointer leaks
43 "kernel.kptr_restrict" = 2;
44 # Restricts the kernel log to the CAP_SYSLOG capability
45 "kernel.dmesg_restrict" = 1;
46 # Prevent information leaks
47 #kernel.printk = "3 3 3 3";
# Restrict eBPF to privileged users (CAP_BPF/CAP_SYS_ADMIN). Value 1 is
# one-way: it cannot be turned back off without a reboot (2 would allow
# re-enabling at runtime). bpf_jit_harden=2 applies JIT hardening
# (constant blinding) to all users, including root, at some JIT
# performance cost.
51 "kernel.unprivileged_bpf_disabled" = 1;
52 "net.core.bpf_jit_harden" = 2;
53 # Restricts loading TTY line disciplines
54 # to the CAP_SYS_MODULE capability to prevent
55 # unprivileged attackers from loading vulnerable
56 # line disciplines with the TIOCSETD ioctl
57 "dev.tty.ldisc_autoload" = 0;
58 # The userfaultfd() syscall is often abused to exploit
59 # use-after-free flaws.
60 # Due to this, this sysctl is used to restrict
61 # this syscall to the CAP_SYS_PTRACE capability.
62 "vm.unprivileged_userfaultfd" = 0;
# kexec lets a running kernel boot a replacement kernel, bypassing the
# bootloader; 1 disables it until reboot. Presumably also set by
# security.protectKernelImage above, so this is belt-and-braces.
65 "kernel.kexec_load_disabled" = 1;
# User namespaces let unprivileged users build sandboxes, but they expose a
# large privilege-escalation attack surface in the kernel, so this restricts
# creating them to CAP_SYS_ADMIN. Caveats: this sysctl only exists on
# kernels carrying the hardened patch set (NixOS also exposes it as
# security.unprivilegedUsernsClone -- confirm which one wins), and it breaks
# rootless containers, bubblewrap/Flatpak and browser sandboxes that rely
# on user namespaces.
72 "kernel.unprivileged_userns_clone" = 0;
# Disallow all use of perf events by unprivileged users (CAP_PERFMON
# required). Note: value 3 is only honoured by kernels with the hardened
# patch set; an upstream kernel treats it the same as 2.
75 "kernel.perf_event_paranoid" = 3;
76 # Helps protect against SYN flood attacks
77 "net.ipv4.tcp_syncookies" = 1;
78 # Protects against time-wait assassination
79 # by dropping RST packets for sockets
80 # in the time-wait state.
81 "net.ipv4.tcp_rfc1337" = 1;
82 # Disable ICMP redirect acceptance and sending to prevent
83 # man-in-the-middle attacks and minimize information disclosure.
84 "net.ipv4.conf.all.accept_redirects" = 0;
85 "net.ipv4.conf.default.accept_redirects" = 0;
86 "net.ipv4.conf.all.secure_redirects" = 0;
87 "net.ipv4.conf.default.secure_redirects" = 0;
88 "net.ipv6.conf.all.accept_redirects" = 0;
89 "net.ipv6.conf.default.accept_redirects" = 0;
90 "net.ipv4.conf.all.send_redirects" = 0;
91 "net.ipv4.conf.default.send_redirects" = 0;
# Disable source routing, which lets the sender dictate the route a packet
# takes and can be used to bypass network filtering.
94 "net.ipv4.conf.all.accept_source_route" = 0;
95 "net.ipv4.conf.default.accept_source_route" = 0;
96 "net.ipv6.conf.all.accept_source_route" = 0;
97 "net.ipv6.conf.default.accept_source_route" = 0;
# Disable TCP SACK. This hurts throughput on lossy links, and the 2019
# "SACK Panic" bugs it guards against are fixed in current kernels, so
# treat this as optional hardening rather than a requirement.
# https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
102 "net.ipv4.tcp_sack" = 0;
103 "net.ipv4.tcp_dsack" = 0;
104 "net.ipv4.tcp_fack" = 0;
# Prefer RFC 4941 temporary (privacy-extension) IPv6 addresses for
# outgoing connections so the host is not trackable by its stable address.
107 "net.ipv6.conf.all.use_tempaddr" = 2;
108 "net.ipv6.conf.default.use_tempaddr" = 2;
# Yama scope 2: only processes with CAP_SYS_PTRACE may ptrace at all
# (scope 1 would still let a parent debug its own children). This breaks
# unprivileged debuggers/strace; relax to 1 on developer machines.
111 "kernel.yama.ptrace_scope" = 2;
113 boot.kernelParams = [
118 "page_alloc.shuffle=1"
# Signature enforcement is off because the zfs and wireguard modules are
# unsigned. NOTE(review): lockdown=confidentiality below makes the kernel
# reject unsigned modules regardless of module.sig_enforce on kernels built
# with CONFIG_MODULE_SIG, so check that these modules actually load; if
# they do not, either sign them or drop the lockdown parameter.
124 "module.sig_enforce=0"
125 "lockdown=confidentiality"