2021-01-30 22:08:35 +00:00
|
|
|
# This preset adds additional hardening settings on top of the
|
|
|
|
# default ./hardened.nix preset.
|
|
|
|
# These settings trade even more functionality and performance for increased security.
|
|
|
|
|
|
|
|
# This preset enables usbguard. Use `services.usbguard.rules` to whitelist
|
|
|
|
# select devices.
|
|
|
|
#
|
|
|
|
# See madaidan's Linux Hardening Guide for detailed explanations:
|
|
|
|
# https://madaidans-insecurities.github.io/guides/linux-hardening.html
|
|
|
|
|
|
|
|
{
|
|
|
|
imports = [
|
|
|
|
# Build on standard hardened preset
|
|
|
|
./hardened.nix
|
|
|
|
];
|
|
|
|
|
|
|
|
boot.kernel.sysctl = {
|
|
|
|
# Prevent boot console kernel log information leaks
|
|
|
|
"kernel.printk" = "3 3 3 3";
|
|
|
|
|
|
|
|
# Restrict loading TTY line disciplines to the CAP_SYS_MODULE capability to
|
|
|
|
# prevent unprivileged attackers from loading vulnerable line disciplines with
|
|
|
|
# the TIOCSETD ioctl
|
|
|
|
"dev.tty.ldisc_autoload" = "0";
|
|
|
|
|
|
|
|
# The SysRq key exposes a lot of potentially dangerous debugging functionality
|
|
|
|
# to unprivileged users
|
|
|
|
"kernel.sysrq" = "4";
|
|
|
|
|
|
|
|
# Protect against time-wait assassination by dropping RST packets for sockets
|
|
|
|
# in the time-wait state
|
|
|
|
"net.ipv4.tcp_rfc1337" = "1";
|
|
|
|
|
|
|
|
# Disable accepting IPv6 router advertisements
|
|
|
|
"net.ipv6.conf.all.accept_ra" = "0";
|
|
|
|
"net.ipv6.default.accept_ra" = "0";
|
|
|
|
|
|
|
|
# Disable TCP SACK. SACK is commonly exploited and unnecessary for many
|
|
|
|
# circumstances so it should be disabled if you don't require it
|
|
|
|
"net.ipv4.tcp_sack" = "0";
|
|
|
|
"net.ipv4.tcp_dsack" = "0";
|
|
|
|
|
|
|
|
# Restrict usage of ptrace to only processes with the CAP_SYS_PTRACE
|
|
|
|
# capability
|
|
|
|
"kernel.yama.ptrace_scope" = "2";
|
|
|
|
|
|
|
|
# Prevent creating files in potentially attacker-controlled environments such
|
|
|
|
# as world-writable directories to make data spoofing attacks more difficult
|
|
|
|
"fs.protected_fifos" = "2";
|
|
|
|
"fs.protected_regular" = "2";
|
|
|
|
|
|
|
|
# Avoid leaking system time with TCP timestamps
|
|
|
|
"net.ipv4.tcp_timestamps" = "0";
|
|
|
|
|
|
|
|
# Disable core dumps
|
|
|
|
"syskernel.core_pattern" = "|/bin/false";
|
|
|
|
"fs.suid_dumpable" = "0";
|
|
|
|
|
|
|
|
# Only swap when absolutely necessary
|
|
|
|
"vm.swappiness" = "1";
|
|
|
|
};
|
|
|
|
|
|
|
|
boot.kernelParams = [
|
|
|
|
# Disable slab merging which significantly increases the difficulty of heap
|
|
|
|
# exploitation by preventing overwriting objects from merged caches and by
|
|
|
|
# making it harder to influence slab cache layout
|
|
|
|
"slab_nomerge"
|
|
|
|
|
|
|
|
# Disable vsyscalls as they are obsolete and have been replaced with vDSO.
|
|
|
|
# vsyscalls are also at fixed addresses in memory, making them a potential
|
|
|
|
# target for ROP attacks
|
|
|
|
"vsyscall=none"
|
|
|
|
|
|
|
|
# Disable debugfs which exposes a lot of sensitive information about the
|
|
|
|
# kernel
|
|
|
|
"debugfs=off"
|
|
|
|
|
|
|
|
# Sometimes certain kernel exploits will cause what is known as an "oops".
|
|
|
|
# This parameter will cause the kernel to panic on such oopses, thereby
|
|
|
|
# preventing those exploits
|
|
|
|
"oops=panic"
|
|
|
|
|
|
|
|
# Only allow kernel modules that have been signed with a valid key to be
|
|
|
|
# loaded, which increases security by making it much harder to load a
|
|
|
|
# malicious kernel module
|
|
|
|
"module.sig_enforce=1"
|
|
|
|
|
|
|
|
# The kernel lockdown LSM can eliminate many methods that user space code
|
|
|
|
# could abuse to escalate to kernel privileges and extract sensitive
|
|
|
|
# information. This LSM is necessary to implement a clear security boundary
|
|
|
|
# between user space and the kernel
|
|
|
|
"lockdown=confidentiality"
|
|
|
|
|
|
|
|
# These parameters prevent information leaks during boot and must be used
|
|
|
|
# in combination with the kernel.printk
|
2021-12-09 20:04:14 +00:00
|
|
|
"quiet" "loglevel=0"
|
2021-01-30 22:08:35 +00:00
|
|
|
];
|
|
|
|
|
|
|
|
boot.blacklistedKernelModules = [
|
|
|
|
# Obscure networking protocols
|
|
|
|
"dccp"
|
|
|
|
"sctp"
|
|
|
|
"rds"
|
|
|
|
"tipc"
|
|
|
|
"n-hdlc"
|
|
|
|
"x25"
|
|
|
|
"decnet"
|
|
|
|
"econet"
|
|
|
|
"af_802154"
|
|
|
|
"ipx"
|
|
|
|
"appletalk"
|
|
|
|
"psnap"
|
|
|
|
"p8023"
|
|
|
|
"p8022"
|
|
|
|
"can"
|
|
|
|
"atm"
|
|
|
|
# Various rare filesystems
|
|
|
|
"jffs2"
|
|
|
|
"hfsplus"
|
|
|
|
"squashfs"
|
|
|
|
"udf"
|
|
|
|
"cifs"
|
|
|
|
"nfs"
|
|
|
|
"nfsv3"
|
|
|
|
"nfsv4"
|
|
|
|
"gfs2"
|
|
|
|
# vivid driver is only useful for testing purposes and has been the cause
|
|
|
|
# of privilege escalation vulnerabilities
|
|
|
|
"vivid"
|
|
|
|
# Disable Bluetooth
|
|
|
|
"bluetooth"
|
|
|
|
"btusb"
|
|
|
|
# Disable webcam
|
|
|
|
"uvcvideo"
|
|
|
|
# Disable Thunderbolt and FireWire to prevent DMA attacks
|
|
|
|
"thunderbolt"
|
|
|
|
"firewire-core"
|
|
|
|
];
|
|
|
|
|
|
|
|
services.usbguard.enable = true;
|
|
|
|
}
|