2017-04-06 13:54:45 +01:00
|
|
|
# A profile with most (vanilla) hardening options enabled by default,
|
|
|
|
# potentially at the cost of features and performance.
|
|
|
|
|
2018-07-20 21:56:59 +01:00
|
|
|
{ lib, pkgs, ... }:
|
2017-04-06 13:54:45 +01:00
|
|
|
|
|
|
|
with lib;
|
|
|
|
|
|
|
|
{
|
2018-10-14 23:18:33 +01:00
|
|
|
meta = {
|
|
|
|
maintainers = [ maintainers.joachifm ];
|
|
|
|
};
|
|
|
|
|
2017-04-30 00:22:32 +01:00
|
|
|
boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;
|
|
|
|
|
2018-11-24 14:13:03 +00:00
|
|
|
nix.allowedUsers = mkDefault [ "@users" ];
|
|
|
|
|
2017-04-06 13:54:45 +01:00
|
|
|
security.hideProcessInformation = mkDefault true;
|
|
|
|
|
2017-04-29 21:46:20 +01:00
|
|
|
security.lockKernelModules = mkDefault true;
|
|
|
|
|
2018-10-14 23:39:26 +01:00
|
|
|
security.allowUserNamespaces = mkDefault false;
|
|
|
|
|
2018-12-16 09:37:36 +00:00
|
|
|
security.protectKernelImage = mkDefault true;
|
|
|
|
|
2018-12-26 21:24:04 +00:00
|
|
|
security.allowSimultaneousMultithreading = mkDefault false;
|
|
|
|
|
2018-12-26 21:22:55 +00:00
|
|
|
security.virtualization.flushL1DataCache = mkDefault "always";
|
|
|
|
|
2017-04-06 13:54:45 +01:00
|
|
|
security.apparmor.enable = mkDefault true;
|
|
|
|
|
2017-04-29 16:27:08 +01:00
|
|
|
boot.kernelParams = [
|
2019-01-05 12:47:25 +00:00
|
|
|
# Slab/slub sanity checks, redzoning, and poisoning
|
|
|
|
"slub_debug=FZP"
|
|
|
|
|
|
|
|
# Disable slab merging to make certain heap overflow attacks harder
|
|
|
|
"slab_nomerge"
|
|
|
|
|
2017-04-30 00:22:32 +01:00
|
|
|
# Overwrite free'd memory
|
|
|
|
"page_poison=1"
|
|
|
|
|
2017-04-29 16:27:08 +01:00
|
|
|
# Disable legacy virtual syscalls
|
|
|
|
"vsyscall=none"
|
2019-01-05 12:50:36 +00:00
|
|
|
|
|
|
|
# Enable PTI even if CPU claims to be safe from meltdown
|
|
|
|
"pti=on"
|
2017-04-29 16:27:08 +01:00
|
|
|
];
|
|
|
|
|
2017-09-03 00:49:01 +01:00
|
|
|
boot.blacklistedKernelModules = [
|
|
|
|
# Obscure network protocols
|
|
|
|
"ax25"
|
|
|
|
"netrom"
|
|
|
|
"rose"
|
|
|
|
];
|
|
|
|
|
2017-04-06 13:54:45 +01:00
|
|
|
# Restrict ptrace() usage to processes with a pre-defined relationship
|
|
|
|
# (e.g., parent/child)
|
|
|
|
boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;
|
|
|
|
|
|
|
|
# Restrict access to kernel ring buffer (information leaks)
|
|
|
|
boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true;
|
|
|
|
|
|
|
|
# Hide kptrs even for processes with CAP_SYSLOG
|
|
|
|
boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;
|
|
|
|
|
|
|
|
# Unprivileged access to bpf() has been used for privilege escalation in
|
|
|
|
# the past
|
|
|
|
boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = mkDefault true;
|
|
|
|
|
|
|
|
# Disable bpf() JIT (to eliminate spray attacks)
|
|
|
|
boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;
|
|
|
|
|
|
|
|
# ... or at least apply some hardening to it
|
|
|
|
boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true;
|
2017-04-30 13:41:56 +01:00
|
|
|
|
2017-08-12 23:17:43 +01:00
|
|
|
# Raise ASLR entropy for 64bit & 32bit, respectively.
|
|
|
|
#
|
|
|
|
# Note: mmap_rnd_compat_bits may not exist on 64bit.
|
|
|
|
boot.kernel.sysctl."vm.mmap_rnd_bits" = mkDefault 32;
|
|
|
|
boot.kernel.sysctl."vm.mmap_rnd_compat_bits" = mkDefault 16;
|
2017-09-03 00:48:46 +01:00
|
|
|
|
|
|
|
# Allowing users to mmap() memory starting at virtual address 0 can turn a
|
|
|
|
# NULL dereference bug in the kernel into code execution with elevated
|
|
|
|
# privilege. Mitigate by enforcing a minimum base addr beyond the NULL memory
|
|
|
|
# space. This breaks applications that require mapping the 0 page, such as
|
|
|
|
# dosemu or running 16bit applications under wine. It also breaks older
|
|
|
|
# versions of qemu.
|
|
|
|
#
|
|
|
|
# The value is taken from the KSPP recommendations (Debian uses 4096).
|
|
|
|
boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536;
|
2017-04-06 13:54:45 +01:00
|
|
|
}
|