| blob | b85a2ac7e69d20d50aac50cdb808634978060293 |
1 # A profile with most (vanilla) hardening options enabled by default,
2 # potentially at the cost of stability, features and performance.
3 #
4 # This profile enables options that are known to affect system
5 # stability. If you experience any stability issues when using the
6 # profile, try disabling it. If you report an issue and use this
7 # profile, always mention that you do.
9 { config, lib, pkgs, ... }:
11 with lib;
13 {
14 meta = {
15 maintainers = [ maintainers.joachifm maintainers.emily ];
16 };
18 boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;
20 nix.settings.allowed-users = mkDefault [ "@users" ];
22 environment.memoryAllocator.provider = mkDefault "scudo";
23 environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
25 security.lockKernelModules = mkDefault true;
27 security.protectKernelImage = mkDefault true;
29 security.allowSimultaneousMultithreading = mkDefault false;
31 security.forcePageTableIsolation = mkDefault true;
33 # This is required by podman to run containers in rootless mode.
34 security.unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;
36 security.virtualisation.flushL1DataCache = mkDefault "always";
38 security.apparmor.enable = mkDefault true;
39 security.apparmor.killUnconfinedConfinables = mkDefault true;
41 boot.kernelParams = [
42 # Don't merge slabs
43 "slab_nomerge"
45 # Overwrite free'd pages
46 "page_poison=1"
48 # Enable page allocator randomization
49 "page_alloc.shuffle=1"
51 # Disable debugfs
52 "debugfs=off"
53 ];
55 boot.blacklistedKernelModules = [
56 # Obscure network protocols
57 "ax25"
58 "netrom"
59 "rose"
61 # Old or rare or insufficiently audited filesystems
62 "adfs"
63 "affs"
64 "bfs"
65 "befs"
66 "cramfs"
67 "efs"
68 "erofs"
69 "exofs"
70 "freevxfs"
71 "f2fs"
72 "hfs"
73 "hpfs"
74 "jfs"
75 "minix"
76 "nilfs2"
77 "ntfs"
78 "omfs"
79 "qnx4"
80 "qnx6"
81 "sysv"
82 "ufs"
83 ];
85 # Hide kptrs even for processes with CAP_SYSLOG
86 boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;
88 # Disable bpf() JIT (to eliminate spray attacks)
89 boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;
91 # Disable ftrace debugging
92 boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;
94 # Enable strict reverse path filtering (that is, do not attempt to route
95 # packets that "obviously" do not belong to the iface's network; dropped
96 # packets are logged as martians).
97 boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;
98 boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1";
99 boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true;
100 boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1";
102 # Ignore broadcast ICMP (mitigate SMURF)
103 boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
105 # Ignore incoming ICMP redirects (note: default is needed to ensure that the
106 # setting is applied to interfaces added after the sysctls are set)
107 boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false;
108 boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = mkDefault false;
109 boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = mkDefault false;
110 boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = mkDefault false;
111 boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = mkDefault false;
112 boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = mkDefault false;
114 # Ignore outgoing ICMP redirects (this is ipv4 only)
115 boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false;
116 boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false;
117 }