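{
  lib,
  config,
  ...
}: let
  inherit (lib) optionals mkForce concatLists;
  inherit (builtins) elem;
  inherit (config.ooknet.hardware) features;
in {
  # Kernel hardening module: NixOS `security.*` switches, sysctls, kernel command
  # line parameters and a kernel module blacklist. The bluetooth stack is only
  # blacklisted when the host does not declare the "bluetooth" hardware feature.
  #
  # see:
  # <https://madaidans-insecurities.github.io/guides/linux-hardening.html>
  # github:notashelf/nyx

  security = {
    # Protects the kernel from being tampered with at runtime; prevents hibernation.
    protectKernelImage = true;

    # Page table isolation (PTI) protects against side-channel attacks such as Meltdown.
    forcePageTableIsolation = true;

    # Locking kernel modules at runtime breaks services that load modules on demand;
    # we use some of those services, so this option stays off.
    lockKernelModules = false;

    # Simultaneous multithreading (SMT) enlarges the attack surface, but disabling it
    # comes at a large performance cost, so it stays enabled.
    allowSimultaneousMultithreading = true;

    # Slight increase in attack surface, but needed for sandboxing.
    allowUserNamespaces = true;

    # We don't need unprivileged user namespaces unless we are working with containers.
    # NOTE(review): sandboxes that rely on unprivileged user namespaces may stop working
    # with this off — confirm against the host's workload.
    unprivilegedUsernsClone = false;
  };

  boot = {
    kernel = {
      sysctl = {
        # Hide kernel pointers from all users (including root) to frustrate attacks
        # that depend on the kernel's memory layout.
        "kernel.kptr_restrict" = 2;

        # We don't use sysrq; disable it to limit what a physically present attacker
        # can trigger. mkForce overrides the NixOS default for this key.
        "kernel.sysrq" = mkForce 0;

        # Restrict dmesg to privileged users to limit exposure of kernel addresses.
        "kernel.dmesg_restrict" = 1;

        # We are not kernel developers; keep ftrace off to prevent information leaks.
        "kernel.ftrace_enabled" = false;

        # No perf events for unprivileged users; root only sees explicitly enabled
        # events. NOTE(review): the value 3 presumably only restricts further than 2 on
        # kernels carrying the perf-restriction patch (e.g. hardened kernels) — verify.
        "kernel.perf_event_paranoid" = 3;

        # No Berkeley Packet Filter (BPF) for unprivileged users.
        "kernel.unprivileged_bpf_disabled" = 1;

        # Lower the console log level so that only the most severe messages reach the
        # boot console, reducing what the console kernel log leaks.
        "kernel.printk" = "3 3 3 3";

        # The BPF just-in-time (JIT) compiler is unused here; keep it off to shrink the
        # attack surface. NOTE(review): on kernels built with the JIT always on this
        # setting may be rejected — confirm for this kernel.
        "net.core.bpf_jit_enable" = false;

        # No core dumps for SUID/SGID processes; they may hold sensitive memory at crash time.
        "fs.suid_dumpable" = 0;

        # Restrict creating/opening regular files and FIFOs in world- or group-writable
        # sticky directories when owned by someone else (guards against /tmp-style spoofing).
        "fs.protected_regular" = 2;
        "fs.protected_fifos" = 2;

        # Do not auto-load TTY line disciplines on demand. Written as an int for
        # consistency with the other sysctl values in this set.
        "dev.tty.ldisc_autoload" = 0;
      };
    };

    # https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
    kernelParams = [
      # A kernel "oops" panics the machine instead of letting it continue in a
      # potentially compromised state. Whether the panic then reboots depends on
      # `panic=` / `kernel.panic`, which this module does not set.
      "oops=panic"

      # Refuse to load kernel modules without a valid signature.
      "module.sig_enforce=1"

      # Poison freed pages, making use-after-free exploitation harder.
      "page_poison=on"

      # Randomize the page allocator's free lists. This is not KASLR; KASLR is a
      # build-time kernel option that is on by default and disabled with `nokaslr`.
      "page_alloc.shuffle=1"

      # Randomize the kernel stack offset, mitigating stack-based attacks.
      "randomize_kstack_offset=on"

      # Lockdown in confidentiality mode: on top of the integrity restrictions, stops
      # user space from extracting confidential information from the kernel.
      "lockdown=confidentiality"

      # Disable debugfs, a common interface exposing sensitive kernel internals.
      "debugfs=off"

      # Not a hardening setting: keeps the framebuffer console from blanking plymouth.
      "fbcon=nodefer"

      # Audit integrity measurement events.
      "integrity_audit=1"

      # SLUB debugging: F = sanity checks, Z = red zoning, P = poisoning. Makes heap
      # corruption easier to detect and harder to exploit, at a performance cost.
      "slub_debug=FZP"

      # Disable the legacy vsyscall page, reducing attack surface.
      "vsyscall=none"

      # Keep slab caches separate (no merging), reducing exposure to heap attacks.
      "slab_nomerge"

      # Mount option for the root filesystem; a performance choice, not hardening.
      "rootflags=noatime"

      # LSM initialization order; only modules compiled into the kernel take effect.
      # NOTE(review): `lockdown` presumably has to be listed here for
      # `lockdown=confidentiality` above to be active — verify.
      "lsm=landlock,lockdown,yama,integrity,apparmor,bpf,tomoyo,selinux"
    ];

    blacklistedKernelModules = concatLists [
      # Obscure network protocols
      [
        "dccp" # Datagram Congestion Control Protocol
        "sctp" # Stream Control Transmission Protocol
        "rds" # Reliable Datagram Sockets
        "tipc" # Transparent Inter-Process Communication
        "n-hdlc" # High-level Data Link Control
        "netrom" # NetRom
        "x25" # X.25
        "ax25" # Amateur X.25
        "rose" # ROSE
        "decnet" # DECnet
        "econet" # Econet
        "af_802154" # IEEE 802.15.4
        "ipx" # Internetwork Packet Exchange
        "appletalk" # Appletalk
        "psnap" # Subnetwork Access Protocol
        "p8022" # IEEE 802.2
        "p8023" # Novell raw IEEE 802.3
        "can" # Controller Area Network
        "atm" # ATM
      ]

      # Old, rare or insufficiently audited filesystems (plus one unrelated test driver).
      # Note that blacklisting cifs/ksmbd/nfs* means SMB and NFS mounts will not work here.
      [
        "adfs" # Acorn Disc Filing System (RISC OS)
        "affs" # Amiga Fast File System
        "befs" # "Be File System"
        "bfs" # BFS, used by SCO UnixWare OS for the /stand slice
        "cifs" # Common Internet File System (SMB client)
        "cramfs" # compressed ROM/RAM file system
        "efs" # Extent File System
        "erofs" # Enhanced Read-Only File System
        "exofs" # EXtended Object File System
        "freevxfs" # Veritas filesystem driver
        "f2fs" # Flash-Friendly File System
        "vivid" # Virtual Video Test Driver (not a filesystem; unnecessary, and a historical cause of escalation issues)
        "gfs2" # Global File System 2
        "hpfs" # High Performance File System (used by OS/2)
        "hfs" # Hierarchical File System (Macintosh)
        "hfsplus" # HFS+, same as above but with extended attributes
        "jffs2" # Journalling Flash File System (v2)
        "jfs" # IBM Journaled File System
        "ksmbd" # SMB3 Kernel Server
        "minix" # minix fs - used by the minix OS
        "nfsv3" # Network File System (v3)
        "nfsv4" # Network File System (v4)
        "nfs" # Network File System
        "nilfs2" # New Implementation of a Log-structured File System
        "omfs" # Optimized MPEG Filesystem
        "qnx4" # extent-based file system used by the QNX4 OS
        "qnx6" # file system used by the QNX6 OS
        "squashfs" # compressed read-only file system (used by live CDs)
        "sysv" # implements all of Xenix FS, SystemV/386 FS and Coherent FS.
        "udf" # https://docs.kernel.org/5.15/filesystems/udf.html
      ]

      # Disable Thunderbolt and FireWire to prevent DMA attacks
      [
        "thunderbolt"
        "firewire-core"
      ]

      # Blacklist the bluetooth stack unless the host declares the "bluetooth"
      # hardware feature; both modules are required for bluetooth dongles to work.
      (optionals (! (elem "bluetooth" features)) [
        "bluetooth" # core bluetooth stack
        "btusb" # USB bluetooth dongle driver
      ])
    ];
  };
}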