1# A profile with most (vanilla) hardening options enabled by default,
2# potentially at the cost of stability, features and performance.
3#
4# This profile enables options that are known to affect system
5# stability. If you experience any stability issues when using the
6# profile, try disabling it. If you report an issue and use this
7# profile, always mention that you do.
8
{ config, lib, pkgs, ... }:

let
  inherit (lib) mkDefault mkOverride;

  # Per-interface IPv4 sysctls.  They are applied to both the "all" and the
  # "default" tree: "all" covers interfaces that already exist, "default"
  # is inherited by interfaces created after the sysctls have been set.
  ipv4PerInterface = {
    # Strict reverse path filtering: drop packets whose source address is
    # not routable back out through the receiving interface, and log the
    # dropped packets as martians.
    # NOTE(review): strict mode (1) can drop legitimate traffic on
    # multi-homed hosts with asymmetric routing; loose mode (2) would be
    # the fallback for such setups.
    rp_filter = mkDefault "1";
    log_martians = mkDefault true;

    # Neither accept incoming ICMP redirects (not even "secure" ones from a
    # configured gateway) nor emit them.
    accept_redirects = mkDefault false;
    secure_redirects = mkDefault false;
    send_redirects = mkDefault false;
  };

  # Per-interface IPv6 sysctls.  IPv6 only exposes accept_redirects; there
  # is no send_redirects knob for it.
  ipv6PerInterface = {
    accept_redirects = mkDefault false;
  };

  # Expand { key = value; } into
  #   { "net.<family>.conf.all.key" = value; "net.<family>.conf.default.key" = value; }
  perInterfaceSysctls = family: settings:
    lib.listToAttrs (lib.concatMap
      (scope:
        lib.mapAttrsToList
          (key: value: lib.nameValuePair "net.${family}.conf.${scope}.${key}" value)
          settings)
      [ "all" "default" ]);
in

{
  meta.maintainers = [ lib.maintainers.joachifm lib.maintainers.emily ];

  boot = {
    kernelPackages = mkDefault pkgs.linuxPackages_hardened;

    kernelParams = [
      # SLUB allocator debugging: sanity checks (F), red zoning (Z) and
      # object poisoning (P).  Makes heap corruption noisy and harder to
      # exploit, at a memory/performance cost.
      "slub_debug=FZP"

      # Fill freed pages with a poison pattern.
      "page_poison=1"

      # Randomise the order of the page allocator's free lists.
      "page_alloc.shuffle=1"
    ];

    # Kernel modules that are never auto-loaded (no mkDefault: lists from
    # other modules are merged into this one).
    blacklistedKernelModules = [
      # Obscure amateur-radio network protocols
      "ax25"
      "netrom"
      "rose"

      # Old, rare or insufficiently audited filesystems; an attacker with a
      # crafted removable medium should not get these parsers in-kernel.
      "adfs"
      "affs"
      "bfs"
      "befs"
      "cramfs"
      "efs"
      "erofs"
      "exofs"
      "freevxfs"
      "f2fs"
      "hfs"
      "hpfs"
      "jfs"
      "minix"
      "nilfs2"
      "ntfs"
      "omfs"
      "qnx4"
      "qnx6"
      "sysv"
      "ufs"
    ];

    # Priority 500 sits between mkDefault (1000) and a plain assignment
    # (100): a plain assignment in user configuration still wins, but a
    # mkDefault elsewhere does not.
    kernel.sysctl = {
      # Only a process with a pre-defined relationship (e.g. an ancestor)
      # may ptrace() another one.
      "kernel.yama.ptrace_scope" = mkOverride 500 1;

      # Never expose kernel pointers, not even to CAP_SYSLOG holders.
      "kernel.kptr_restrict" = mkOverride 500 2;

      # No bpf() JIT, so JIT-spraying cannot be used to place attacker
      # controlled code in kernel memory.
      "net.core.bpf_jit_enable" = mkDefault false;

      # No ftrace debugging.
      "kernel.ftrace_enabled" = mkDefault false;

      # Do not answer broadcast ICMP echo (SMURF amplification).
      "net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
    }
    // perInterfaceSysctls "ipv4" ipv4PerInterface
    // perInterfaceSysctls "ipv6" ipv6PerInterface;
  };

  # Only members of the "users" group may talk to the Nix daemon.
  nix.settings.allowed-users = mkDefault [ "@users" ];

  environment = {
    # Hardened userspace allocator, zeroing chunks on allocation.
    memoryAllocator.provider = mkDefault "scudo";
    variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
  };

  security = {
    # NOTE: once module loading is locked, anything needed after boot has
    # to be loaded before that point (e.g. via boot.kernelModules).
    lockKernelModules = mkDefault true;

    protectKernelImage = mkDefault true;

    # Disabling SMT closes a class of cross-thread side channels at a
    # noticeable throughput cost.
    allowSimultaneousMultithreading = mkDefault false;

    forcePageTableIsolation = mkDefault true;

    # Unprivileged user namespaces are only opened up when containers are
    # enabled; podman needs them to run containers in rootless mode.
    unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;

    virtualisation.flushL1DataCache = mkDefault "always";

    apparmor = {
      enable = mkDefault true;
      killUnconfinedConfinables = mkDefault true;
    };
  };
}