# A profile that turns on most of the (vanilla, un-patched) hardening
# options by default, accepting that stability, features and
# performance may suffer.
#
# Several of these options are known to cause stability problems. If
# you see such problems with this profile enabled, disable it first to
# rule it out. When reporting a bug while using this profile, say so.
#
# Everything here is set with `lib.mkDefault` (priority 1000) unless
# noted, so a plain assignment in the user's configuration wins.

{ config, lib, pkgs, ... }:

{
  meta.maintainers = with lib.maintainers; [ joachifm emily ];

  # Hardened kernel build. Several sysctls below only make sense for (or
  # are only writable under) a particular kernel config; see the notes
  # at the individual settings.
  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_hardened;

  # Only members of the `users` group may talk to the Nix daemon.
  nix.settings.allowed-users = lib.mkDefault [ "@users" ];

  # Use the scudo allocator and have it zero memory it hands out.
  environment = {
    memoryAllocator.provider = lib.mkDefault "scudo";
    variables.SCUDO_OPTIONS = lib.mkDefault "ZeroContents=1";
  };

  security = {
    lockKernelModules = lib.mkDefault true;
    protectKernelImage = lib.mkDefault true;

    # Turning off SMT is the most expensive setting in this profile in
    # terms of throughput; it is here because of cross-sibling
    # side-channel attacks (see the NixOS option description).
    allowSimultaneousMultithreading = lib.mkDefault false;

    forcePageTableIsolation = lib.mkDefault true;

    # Rootless podman needs unprivileged user namespaces, so follow the
    # container switch. NOTE(review): this re-exposes the user-namespace
    # attack surface to *every* unprivileged process, not only to podman;
    # systems that enable containers lose this part of the hardening.
    unprivilegedUsernsClone = lib.mkDefault config.virtualisation.containers.enable;

    virtualisation.flushL1DataCache = lib.mkDefault "always";

    apparmor = {
      enable = lib.mkDefault true;
      killUnconfinedConfinables = lib.mkDefault true;
    };
  };

  boot.kernelParams = [
    # Keep slab caches separate so a bug in one cache cannot be turned
    # into an overflow into an unrelated object type.
    "slab_nomerge"

    # Poison pages on free. NOTE(review): this only does something when
    # the kernel is built with CONFIG_PAGE_POISONING; on newer kernels
    # `init_on_free=1` is the documented equivalent -- confirm against
    # the kernel config of `boot.kernelPackages`.
    "page_poison=1"

    # Randomise the order of the free page lists.
    "page_alloc.shuffle=1"

    # Do not mount debugfs (it exposes a lot of kernel internals).
    "debugfs=off"
  ];

  # NOTE(review): `blacklist` lines in modprobe.d only stop alias-driven
  # autoloading; an explicit `modprobe` by root still succeeds until
  # `security.lockKernelModules` takes effect.
  boot.blacklistedKernelModules = [
    # Obscure network protocols
    "ax25"
    "netrom"
    "rose"

    # Old, rare or insufficiently audited filesystems
    "adfs"
    "affs"
    "bfs"
    "befs"
    "cramfs"
    "efs"
    "erofs"
    "exofs"
    "freevxfs"
    "f2fs"
    "hfs"
    "hpfs"
    "jfs"
    "minix"
    "nilfs2"
    "ntfs"
    "omfs"
    "qnx4"
    "qnx6"
    "sysv"
    "ufs"
  ];

  boot.kernel.sysctl = {
    # Hide kernel pointers even from processes with CAP_SYSLOG.
    # Priority 500 is stronger than mkDefault (1000), so this beats a
    # default of 1 set elsewhere; overriding it requires e.g. mkForce.
    "kernel.kptr_restrict" = lib.mkOverride 500 2;

    # Turn off the eBPF JIT to remove JIT-spraying as a primitive.
    # NOTE(review): with CONFIG_BPF_JIT_ALWAYS_ON this sysctl is
    # read-only and the write fails at boot (systemd-sysctl logs it);
    # without CONFIG_BPF_JIT it does not exist. Check the kernel config.
    # This also does nothing about unprivileged bpf() itself; whether
    # `kernel.unprivileged_bpf_disabled` is already locked by the
    # hardened kernel config should be verified rather than assumed.
    "net.core.bpf_jit_enable" = lib.mkDefault false;

    # Disable the ftrace tracing framework.
    "kernel.ftrace_enabled" = lib.mkDefault false;

    # Strict reverse-path filtering (1): drop packets whose source
    # address is not reachable through the interface they arrived on,
    # and log the drops as martians. NOTE(review): strict mode breaks
    # hosts with asymmetric routing, and martian logging can flood the
    # journal on a noisy network; loose mode (2) is the usual fallback.
    "net.ipv4.conf.all.log_martians" = lib.mkDefault true;
    "net.ipv4.conf.all.rp_filter" = lib.mkDefault "1";
    "net.ipv4.conf.default.log_martians" = lib.mkDefault true;
    "net.ipv4.conf.default.rp_filter" = lib.mkDefault "1";

    # Do not answer ICMP echo to broadcast addresses (smurf mitigation).
    "net.ipv4.icmp_echo_ignore_broadcasts" = lib.mkDefault true;

    # Drop incoming ICMP redirects. The `default.` variants are needed so
    # that interfaces created after sysctls are applied inherit the
    # setting; `all.` alone does not cover them.
    "net.ipv4.conf.all.accept_redirects" = lib.mkDefault false;
    "net.ipv4.conf.all.secure_redirects" = lib.mkDefault false;
    "net.ipv4.conf.default.accept_redirects" = lib.mkDefault false;
    "net.ipv4.conf.default.secure_redirects" = lib.mkDefault false;
    "net.ipv6.conf.all.accept_redirects" = lib.mkDefault false;
    "net.ipv6.conf.default.accept_redirects" = lib.mkDefault false;

    # Do not send ICMP redirects ourselves (an IPv4-only knob; it only
    # matters when this host forwards traffic).
    "net.ipv4.conf.all.send_redirects" = lib.mkDefault false;
    "net.ipv4.conf.default.send_redirects" = lib.mkDefault false;
  };
}