nix-bitcoin/modules/presets/hardened-extended.nix

142 lines
4.2 KiB
Nix
Raw Normal View History

2021-01-30 14:08:35 -08:00
# This preset adds additional hardening settings on top of the
# default ./hardened.nix preset.
# These settings trade even more functionality and performance for increased security.
# This preset enables usbguard. Use `services.usbguard.rules` to whitelist
# select devices.
#
# See madaidan's Linux Hardening Guide for detailed explanations:
# https://madaidans-insecurities.github.io/guides/linux-hardening.html
{
imports = [
# Build on standard hardened preset
./hardened.nix
];
boot.kernel.sysctl = {
# Prevent boot console kernel log information leaks
"kernel.printk" = "3 3 3 3";
# Restrict loading TTY line disciplines to the CAP_SYS_MODULE capability to
# prevent unprivileged attackers from loading vulnerable line disciplines with
# the TIOCSETD ioctl
"dev.tty.ldisc_autoload" = "0";
# The SysRq key exposes a lot of potentially dangerous debugging functionality
# to unprivileged users
"kernel.sysrq" = "4";
# Protect against time-wait assassination by dropping RST packets for sockets
# in the time-wait state
"net.ipv4.tcp_rfc1337" = "1";
# Disable accepting IPv6 router advertisements
"net.ipv6.conf.all.accept_ra" = "0";
"net.ipv6.default.accept_ra" = "0";
# Disable TCP SACK. SACK is commonly exploited and unnecessary for many
# circumstances so it should be disabled if you don't require it
"net.ipv4.tcp_sack" = "0";
"net.ipv4.tcp_dsack" = "0";
# Restrict usage of ptrace to only processes with the CAP_SYS_PTRACE
# capability
"kernel.yama.ptrace_scope" = "2";
# Prevent creating files in potentially attacker-controlled environments such
# as world-writable directories to make data spoofing attacks more difficult
"fs.protected_fifos" = "2";
"fs.protected_regular" = "2";
# Avoid leaking system time with TCP timestamps
"net.ipv4.tcp_timestamps" = "0";
# Disable core dumps
"syskernel.core_pattern" = "|/bin/false";
"fs.suid_dumpable" = "0";
# Only swap when absolutely necessary
"vm.swappiness" = "1";
};
boot.kernelParams = [
# Disable slab merging which significantly increases the difficulty of heap
# exploitation by preventing overwriting objects from merged caches and by
# making it harder to influence slab cache layout
"slab_nomerge"
# Disable vsyscalls as they are obsolete and have been replaced with vDSO.
# vsyscalls are also at fixed addresses in memory, making them a potential
# target for ROP attacks
"vsyscall=none"
# Disable debugfs which exposes a lot of sensitive information about the
# kernel
"debugfs=off"
# Sometimes certain kernel exploits will cause what is known as an "oops".
# This parameter will cause the kernel to panic on such oopses, thereby
# preventing those exploits
"oops=panic"
# Only allow kernel modules that have been signed with a valid key to be
# loaded, which increases security by making it much harder to load a
# malicious kernel module
"module.sig_enforce=1"
# The kernel lockdown LSM can eliminate many methods that user space code
# could abuse to escalate to kernel privileges and extract sensitive
# information. This LSM is necessary to implement a clear security boundary
# between user space and the kernel
"lockdown=confidentiality"
# These parameters prevent information leaks during boot and must be used
# in combination with the kernel.printk
"quiet loglevel=0"
];
boot.blacklistedKernelModules = [
# Obscure networking protocols
"dccp"
"sctp"
"rds"
"tipc"
"n-hdlc"
"x25"
"decnet"
"econet"
"af_802154"
"ipx"
"appletalk"
"psnap"
"p8023"
"p8022"
"can"
"atm"
# Various rare filesystems
"jffs2"
"hfsplus"
"squashfs"
"udf"
"cifs"
"nfs"
"nfsv3"
"nfsv4"
"gfs2"
# vivid driver is only useful for testing purposes and has been the cause
# of privilege escalation vulnerabilities
"vivid"
# Disable Bluetooth
"bluetooth"
"btusb"
# Disable webcam
"uvcvideo"
# Disable Thunderbolt and FireWire to prevent DMA attacks
"thunderbolt"
"firewire-core"
];
services.usbguard.enable = true;
}