refactor: complete rewrite

modules/nixos/base/security/apparmor.nix

@@ -0,0 +1,68 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: let
+  inherit (builtins) attrValues;
+  inherit (lib) getExe;
+in {
+  security = {
+    apparmor = {
+      enable = true;
+
+      # packages to include with apparmors path
+      packages = [pkgs.apparmor-profiles];
+
+      # kill any process that does not have a apparmor profile enabled
+      killUnconfinedConfinables = true;
+
+      # apparmor policies
+      # FIXME
+      policies = {
+        "default_deny" = {
+          enforce = false;
+          enable = false;
+          profile = ''
+            profile default_deny /** { }
+          '';
+        };
+        "nix" = {
+          enforce = false;
+          enable = false;
+          profile = ''
+            ${getExe config.nix.package} {
+              unconfined,
+            }
+          '';
+        };
+        "sudo" = {
+          enforce = false;
+          enable = false;
+          profile = ''
+            ${getExe pkgs.sudo} {
+              file /** rwlkUx,
+            }
+          '';
+        };
+      };
+    };
+  };
+
+  # enable apparmor mode for dbus
+  services.dbus.apparmor = "enabled";
+
+  # apparmor packages to add to path
+  environment.systemPackages = attrValues {
+    inherit
+      (pkgs)
+      apparmor-utils
+      apparmor-bin-utils
+      apparmor-kernel-patches
+      apparmor-parser
+      apparmor-profiles
+      apparmor-pam
+      libapparmor
+      ;
+  };
+}

modules/nixos/base/security/auditing.nix

@@ -0,0 +1,9 @@
+{pkgs, ...}: {
+  security = {
+    audit = {
+      enable = true;
+      rules = ["-a exit, always -F arch=b64 -s execve"];
+    };
+  };
+  environment.systemPackages = [pkgs.lynis];
+}

modules/nixos/base/security/default.nix

@@ -0,0 +1,10 @@
+{
+  imports = [
+    ./tcp.nix
+    ./sudo.nix
+    ./kernel.nix
+    ./firewall.nix
+    ./auditing.nix
+    ./apparmor.nix
+  ];
+}

modules/nixos/base/security/firewall.nix

@@ -0,0 +1,8 @@
+{
+  networking.firewall = {
+    enable = true;
+
+    # dont respond to icmpv4 pings.
+    allowPing = false;
+  };
+}

modules/nixos/base/security/kernel.nix

@@ -0,0 +1,198 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  inherit (lib) optionals mkForce concatLists;
+  inherit (builtins) elem;
+  inherit (config.ooknet.hardware) features;
+in {
+  # see:
+  # <https://madaidans-insecurities.github.io/guides/linux-hardening.html>
+  # github:notashelf/nyx
+
+  security = {
+    # Protects the kernel from being tampered with at runtime. prevents the ability to hibernate.
+    protectKernelImage = true;
+
+    # page table isolation (PTI) is a kernel option designed to protect against
+    # side-channel attacks, including Meltdown & Spectre vunerabilities.
+    forcePageTableIsolation = true;
+
+    # locking kernel modules during runtime breaks certain services by stopping them from being
+    # loaded at runtime. we use some of these services, so we disable this kernel option.
+    lockKernelModules = false;
+
+    # we enable simultaneous multithreading (SMT) because while it increases our attack surface
+    # disabling it comes at a large perfomance loss.
+    allowSimultaneousMultithreading = true;
+
+    # slight increase in attack surface, but allows for sandboxing
+    allowUserNamespaces = true;
+
+    # we don't need unpivileged user namespaces unless we are messing with containers so we disable
+    unprivilegedUsernsClone = false;
+  };
+
+  boot = {
+    kernel = {
+      sysctl = {
+        # obfuscate kernel pointers to protect against attacks that rely on memory layout of the kernel
+        "kernel.kptr_restrict" = 2;
+
+        # we don't make use of sysrq so we disable it to protect ourselves against potential physical attacks
+        "kernel.sysrq" = mkForce 0;
+
+        # limits the exposer of the kernel memory address via dmesg
+        "kernel.dmesg_restrict" = 1;
+
+        # we are not a kernel developer so we disable this to prevent potential information leaks & attacks
+        "kernel.ftrace_enabled" = false;
+
+        # disables performance events for all non-root users, root can only acess events that are explicitly
+        # enabled.
+        "kernel.perf_event_paranoid" = 3;
+
+        # disables the use of berkeley packet filter (BPF) to unpriviliged users.
+        "kernel.unprivileged_bpf_disabled" = 1;
+
+        # prevents potentially leaking sensitive information from the boot console kernel log.
+        "kernel.printk" = "3 3 3 3";
+
+        # just-in-time (JIT) compiler for the berkeley packet filter (BPF). disable this as we dont make use
+        # of it and reduces potential security risks.
+        "net.core.bpf_jit_enable" = false;
+
+        # disables core dumps for SUID and SGID this reduces the risk of exposing sensitive information
+        # that might reside in the memory at the time of a crash
+        "fs.suid_dumpable" = 0;
+
+        # enforces strict access to files only allows the user or root to write regular files
+        "fs.protected_regular" = 2;
+        "fs.protected_fifos" = 2;
+
+        # disables the automatic loading of TTY line disciplines
+        "dev.tty.ldisc_autoload" = "0";
+      };
+    };
+
+    # https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
+    kernelParams = [
+      # kernel errors can trigger something known as an "oops", by settings oops=panic we add a fail-safe
+      # mechanism to ensure that in the advent of an oops the system reboots, preventing the system from running
+      # in a potentially compromised state.
+      "oops=panic"
+
+      # enforces signature checking on all kernel modules before they are loaded.
+      "module.sig_enforce=1"
+
+      # enables memory page poisoning, increasing the difficulty for attackers to exploit
+      # use-after-free vulnerabillities.
+      "page_poison=on"
+
+      # enables kernel adress space layout randomization (KASLR) which mitigates memory exploits
+      # & increases system entropy.
+      "page_alloc.shuffle=1"
+
+      # randomizes the kernel stack offset, mitigating stack-based attacks.
+      "randomize_kstack_offset=on"
+
+      # lockdown aims to restrict certain kernel functionality that could be exploited by an attacker with
+      # user space code.
+      "lockdown=confidentiality"
+
+      # disables a common interface that contains sensitive info on the kernel
+      "debugfs=off"
+
+      # prevent kernel from blanking plymouth out of the frame buffer console
+      "fbcon=nodefer"
+
+      # enables auditing of integrity measurement events
+      "integrity_audit=1"
+
+      # increases memory safety by modifying the state of the memory objects more closely & helps detecting
+      # & identifying bugs
+      "slub_debug=FZP"
+
+      # disables the legacy vyscall mechanism, reducing attack surface.
+      "vsyscall=none"
+
+      # reduce exposure to heap attacks by preventing different slab caches from being merged.
+      "slab_nomerge"
+
+      "rootflags=noatime"
+      "lsm=landlock,lockdown,yama,integrity,apparmor,bpf,tomoyo,selinux"
+    ];
+    blacklistedKernelModules = concatLists [
+      # Obscure network protocols
+      [
+        "dccp" # Datagram Congestion Control Protocol
+        "sctp" # Stream Control Transmission Protocol
+        "rds" # Reliable Datagram Sockets
+        "tipc" # Transparent Inter-Process Communication
+        "n-hdlc" # High-level Data Link Control
+        "netrom" # NetRom
+        "x25" # X.25
+        "ax25" # Amatuer X.25
+        "rose" # ROSE
+        "decnet" # DECnet
+        "econet" # Econet
+        "af_802154" # IEEE 802.15.4
+        "ipx" # Internetwork Packet Exchange
+        "appletalk" # Appletalk
+        "psnap" # SubnetworkAccess Protocol
+        "p8022" # IEEE 802.3
+        "p8023" # Novell raw IEEE 802.3
+        "can" # Controller Area Network
+        "atm" # ATM
+      ]
+
+      # Old or rare or insufficiently audited filesystems
+      [
+        "adfs" # Active Directory Federation Services
+        "affs" # Amiga Fast File System
+        "befs" # "Be File System"
+        "bfs" # BFS, used by SCO UnixWare OS for the /stand slice
+        "cifs" # Common Internet File System
+        "cramfs" # compressed ROM/RAM file system
+        "efs" # Extent File System
+        "erofs" # Enhanced Read-Only File System
+        "exofs" # EXtended Object File System
+        "freevxfs" # Veritas filesystem driver
+        "f2fs" # Flash-Friendly File System
+        "vivid" # Virtual Video Test Driver (unnecessary, and a historical cause of escalation issues)
+        "gfs2" # Global File System 2
+        "hpfs" # High Performance File System (used by OS/2)
+        "hfs" # Hierarchical File System (Macintosh)
+        "hfsplus" # " same as above, but with extended attributes
+        "jffs2" # Journalling Flash File System (v2)
+        "jfs" # Journaled File System - only useful for VMWare sessions
+        "ksmbd" # SMB3 Kernel Server
+        "minix" # minix fs - used by the minix OS
+        "nfsv3" # " (v3)
+        "nfsv4" # Network File System (v4)
+        "nfs" # Network File System
+        "nilfs2" # New Implementation of a Log-structured File System
+        "omfs" # Optimized MPEG Filesystem
+        "qnx4" # extent-based file system used by the QNX4 and QNX6 OSes
+        "qnx6" # "
+        "squashfs" # compressed read-only file system (used by live CDs)
+        "sysv" # implements all of Xenix FS, SystemV/386 FS and Coherent FS.
+        "udf" # https://docs.kernel.org/5.15/filesystems/udf.html
+      ]
+
+      # Disable Thunderbolt and FireWire to prevent DMA attacks
+      [
+        "thunderbolt"
+        "firewire-core"
+      ]
+
+      # if bluetooth is enabled, whitelist the module
+      # necessary for bluetooth dongles to work
+      (optionals (! (elem "bluetooth" features)) [
+        "bluetooth" # let bluetooth work
+        "btusb" # let bluetooth dongles work
+      ])
+    ];
+  };
+}

modules/nixos/base/security/sudo.nix

@@ -0,0 +1,15 @@
+{
+  security = {
+    sudo = {
+      # allow wheel user to execute sudo without a password
+      wheelNeedsPassword = false;
+      # only allow users in the wheel access to sudo
+      execWheelOnly = true;
+      extraConfig = ''
+        Defaults pwfeedback # password feedback
+        Defaults lecture = never # disable warning message
+        Defaults timestamp_timeout=10 # set sudo timeout to 10 minutes
+      '';
+    };
+  };
+}

modules/nixos/base/security/tcp.nix

@@ -0,0 +1,76 @@
+{
+  # this is a collection of tcp related sysctl commands that are floating around,
+  # unsure who the original author is
+
+  # see:
+  # <https://madaidans-insecurities.github.io/guides/linux-hardening.html>
+  # github:fort-nix/nix-bitcoin
+  # github:hlissner/dotfiles
+  # github:notashelf/nyx
+  boot = {
+    kernel.sysctl = {
+      # TCP hardening
+      # Prevent bogus ICMP errors from filling up logs.
+      "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+      # Reverse path filtering causes the kernel to do source validation of
+      # packets received from all interfaces. This can mitigate IP spoofing.
+      "net.ipv4.conf.default.rp_filter" = 1;
+      "net.ipv4.conf.all.rp_filter" = 1;
+      # Do not accept IP source route packets (we're not a router)
+      "net.ipv4.conf.all.accept_source_route" = 0;
+      "net.ipv6.conf.all.accept_source_route" = 0;
+      # Don't send ICMP redirects (again, we're on a router)
+      "net.ipv4.conf.all.send_redirects" = 0;
+      "net.ipv4.conf.default.send_redirects" = 0;
+      # Refuse ICMP redirects (MITM mitigations)
+      "net.ipv4.conf.all.accept_redirects" = 0;
+      "net.ipv4.conf.default.accept_redirects" = 0;
+      "net.ipv4.conf.all.secure_redirects" = 0;
+      "net.ipv4.conf.default.secure_redirects" = 0;
+      "net.ipv6.conf.all.accept_redirects" = 0;
+      "net.ipv6.conf.default.accept_redirects" = 0;
+      # Protects against SYN flood attacks
+      "net.ipv4.tcp_syncookies" = 1;
+      # Incomplete protection again TIME-WAIT assassination
+      "net.ipv4.tcp_rfc1337" = 1;
+      # And other stuff
+      "net.ipv4.conf.all.log_martians" = true;
+      "net.ipv4.conf.default.log_martians" = true;
+      "net.ipv4.icmp_echo_ignore_broadcasts" = true;
+      "net.ipv6.conf.default.accept_ra" = 0;
+      "net.ipv6.conf.all.accept_ra" = 0;
+      "net.ipv4.tcp_timestamps" = 0;
+
+      # TCP optimization
+      # TCP Fast Open is a TCP extension that reduces network latency by packing
+      # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
+      # both incoming and outgoing connections:
+      "net.ipv4.tcp_fastopen" = 3;
+      # Bufferbloat mitigations + slight improvement in throughput & latency
+      "net.ipv4.tcp_congestion_control" = "bbr";
+      "net.core.default_qdisc" = "cake";
+
+      # Other stuff that I am too lazy to document
+      "net.core.optmem_max" = 65536;
+      "net.core.rmem_default" = 1048576;
+      "net.core.rmem_max" = 16777216;
+      "net.core.somaxconn" = 8192;
+      "net.core.wmem_default" = 1048576;
+      "net.core.wmem_max" = 16777216;
+      "net.ipv4.ip_local_port_range" = "16384 65535";
+      "net.ipv4.tcp_max_syn_backlog" = 8192;
+      "net.ipv4.tcp_max_tw_buckets" = 2000000;
+      "net.ipv4.tcp_mtu_probing" = 1;
+      "net.ipv4.tcp_rmem" = "4096 1048576 2097152";
+      "net.ipv4.tcp_slow_start_after_idle" = 0;
+      "net.ipv4.tcp_tw_reuse" = 1;
+      "net.ipv4.tcp_wmem" = "4096 65536 16777216";
+      "net.ipv4.udp_rmem_min" = 8192;
+      "net.ipv4.udp_wmem_min" = 8192;
+      "net.netfilter.nf_conntrack_generic_timeout" = 60;
+      "net.netfilter.nf_conntrack_max" = 1048576;
+      "net.netfilter.nf_conntrack_tcp_timeout_established" = 600;
+      "net.netfilter.nf_conntrack_tcp_timeout_time_wait" = 1;
+    };
+  };
+}