--- /dev/null
+{ inputs, pkgs, lib, config, ... }:
+{
+boot.kernelPackages = pkgs.linuxPackages_hardened;
+#environment.memoryAllocator.provider = "libc";
+nix.allowedUsers = [ "@users" ];
+security.allowSimultaneousMultithreading = false;
+security.apparmor.enable = true;
+security.forcePageTableIsolation = true;
+security.hideProcessInformation = true;
+security.lockKernelModules = true;
+security.protectKernelImage = true;
+security.virtualisation.flushL1DataCache = "always";
+boot.blacklistedKernelModules = [
+ # Obscure network protocols
+ "ax25"
+ "netrom"
+ "rose"
+
+ # Old or rare or insufficiently audited filesystems
+ "adfs"
+ "affs"
+ "bfs"
+ "befs"
+ "cramfs"
+ "efs"
+ "erofs"
+ "exofs"
+ "freevxfs"
+ "f2fs"
+ "hfs"
+ "hpfs"
+ "jfs"
+ "minix"
+ "nilfs2"
+ "ntfs"
+ "omfs"
+ "qnx4"
+ "qnx6"
+ "sysv"
+ "ufs"
+];
+boot.kernel.sysctl = {
+ # Mitigate kernel pointer leaks
+ kernel.kptr_restrict = 2;
+ # Restricts the kernel log to the CAP_SYSLOG capability
+ kernel.dmesg_restrict = 1;
+ # Prevent information leaks
+ #kernel.printk = "3 3 3 3";
+ # Restrict eBPF to the CAP_BPF capability
+ # and enable JIT hardening techniques
+ # such as constant blinding.
+ kernel.unprivileged_bpf_disabled = 1;
+ net.core.bpf_jit_harden = 2;
+ # Restricts loading TTY line disciplines
+ # to the CAP_SYS_MODULE capability to prevent
+ # unprivileged attackers from loading vulnerable
+ # line disciplines with the TIOCSETD ioctl
+ dev.tty.ldisc_autoload = 0;
+ # The userfaultfd() syscall is often abused to exploit
+ # use-after-free flaws.
+ # Due to this, this sysctl is used to restrict
+ # this syscall to the CAP_SYS_PTRACE capability.
+ vm.unprivileged_userfaultfd = 0;
+ # kexec is a system call that is used
+ # to boot another kernel during runtime.
+ kernel.kexec_load_disabled = 1;
+ # User namespaces are a feature in the kernel which aim to
+ # improve sandboxing and make it easily accessible for
+ # unprivileged users however, this feature exposes
+ # significant kernel attack surface for privilege
+ # escalation so this sysctl restricts the usage of user
+ # namespaces to the CAP_SYS_ADMIN capability.
+ kernel.unprivileged_userns_clone = 0;
+ # Restricts all usage of performance events to the
+ # CAP_PERFMON capability
+ kernel.perf_event_paranoid = 3;
+ # Helps protect against SYN flood attacks
+ net.ipv4.tcp_syncookies = 1;
+ # Protects against time-wait assassination
+ # by dropping RST packets for sockets
+ # in the time-wait state.
+ net.ipv4.tcp_rfc1337 = 1;
+ # Disable ICMP redirect acceptance and sending to prevent
+ # man-in-the-middle attacks and minimize information disclosure.
+ net.ipv4.conf.all.accept_redirects = 0;
+ net.ipv4.conf.default.accept_redirects = 0;
+ net.ipv4.conf.all.secure_redirects = 0;
+ net.ipv4.conf.default.secure_redirects = 0;
+ net.ipv6.conf.all.accept_redirects = 0;
+ net.ipv6.conf.default.accept_redirects = 0;
+ net.ipv4.conf.all.send_redirects = 0;
+ net.ipv4.conf.default.send_redirects = 0;
+ # Disable source routing, a mechanism
+ # that allows users to redirect network traffic.
+ net.ipv4.conf.all.accept_source_route = 0;
+ net.ipv4.conf.default.accept_source_route = 0;
+ net.ipv6.conf.all.accept_source_route = 0;
+ net.ipv6.conf.default.accept_source_route = 0;
+ # Disable TCP SACK, which is commonly exploited
+ # and unnecessary for many circumstances.
+ # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
+ net.ipv4.tcp_sack = 0;
+ net.ipv4.tcp_dsack = 0;
+ net.ipv4.tcp_fack = 0;
+ # generate a random IPv6 address
+ net.ipv6.conf.all.use_tempaddr = 2;
+ net.ipv6.conf.default.use_tempaddr = 2;
+ # restricts usage of ptrace to only processes
+ # with the CAP_SYS_PTRACE capability
+ kernel.yama.ptrace_scope = 2;
+};
+boot.kernelParams = [
+ "slab_nomerge"
+ "slub_debug=FZ"
+ #"init_on_alloc=1"
+ #"init_on_free=1"
+ "page_alloc.shuffle=1"
+ "pti=on"
+ "vsyscall=none"
+ "debugfs=off"
+ "oops=panic"
+ "module.sig_enforce=1"
+ "lockdown=confidentiality"
+ "mce=0"
+ #"quiet"
+ #"loglevel=0"
+];
+}
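Review bot: The sysctl keys in the `boot.kernel.sysctl` block are unquoted, so Nix reads `kernel.kptr_restrict = 2;` as the nested set `kernel = { kptr_restrict = 2; }` rather than the flat key the option expects; as far as I know that option is typed as an attribute set of bool/string/int values, so evaluation would reject `boot.kernel.sysctl.kernel` (and likewise `net`, `dev`, `vm`) as an attrset. Each key should be quoted as in the NixOS manual, e.g. `"kernel.kptr_restrict" = 2;` and `"net.ipv4.tcp_syncookies" = 1;`. Two of the top-level options are release-sensitive: `security.hideProcessInformation` was removed from NixOS (it did not work under cgroups v2) and `nix.allowedUsers` was renamed to `nix.settings.allowed-users` in newer releases, so the target NixOS version should be checked or stated in a header comment. `pti=on` in `boot.kernelParams` duplicates what `security.forcePageTableIsolation = true` already sets, and `oops=panic` together with `security.lockKernelModules` trades availability for containment (any recoverable oops becomes a reboot, and devices whose drivers are not loaded at boot cannot be hot-plugged later); a one-line comment on each, such as `# oops=panic: any kernel oops halts the machine; accepted for containment`, would make that choice explicit.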