xin/configs/hardened.nix

{ lib, ... }:
with lib; {
  environment = {
    memoryAllocator.provider = mkDefault "libc";
    variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
  };

  security = {
    lockKernelModules = mkDefault true;
    protectKernelImage = mkDefault true;
    allowSimultaneousMultithreading = mkDefault false;
    forcePageTableIsolation = mkDefault true;
    apparmor = {
      enable = mkDefault true;
      killUnconfinedConfinables = mkDefault true;
    };
  };

  boot = {
    kernelParams = [
      # Slab/slub sanity checks, redzoning, and poisoning
      "slub_debug=FZP"

      # Overwrite free'd memory
      "page_poison=1"

      # Enable page allocator randomization
      "page_alloc.shuffle=1"
    ];

    blacklistedKernelModules = [
      # Virtualization
      "kvm"

      # Obscure network protocols
      "ax25"
      "netrom"
      "rose"

      # Old or rare or insufficiently audited filesystems
      "adfs"
      "affs"
      "bfs"
      "befs"
      "cramfs"
      "efs"
      "erofs"
      "exofs"
      "freevxfs"
      "f2fs"
      "hfs"
      "hpfs"
      "jfs"
      "minix"
      "nilfs2"
      "ntfs"
      "omfs"
      "qnx4"
      "qnx6"
      "sysv"
      "ufs"
    ];

    kernel = {
      sysctl."kernel.ftrace_enabled" = mkDefault false;
      sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
    };
  };
}
all: switch to nixpkgs-fmt 2023-09-12 08:44:05 -06:00			`{ lib, ... }:`
all: format with alejandra 2023-07-11 09:12:50 -06:00			`with lib; {`
config: Add a hardened module that uses a few of the ideas from: https://raw.githubusercontent.com/NixOS/nixpkgs/master/nixos/modules/profiles/hardened.nix 2022-10-04 21:46:11 -06:00			`environment = {`
configs/hardened: set allocator to libc for everything also fmt 2024-01-25 18:22:36 -07:00			`memoryAllocator.provider = mkDefault "libc";`
config: Add a hardened module that uses a few of the ideas from: https://raw.githubusercontent.com/NixOS/nixpkgs/master/nixos/modules/profiles/hardened.nix 2022-10-04 21:46:11 -06:00			`variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";`
			`};`

			`security = {`
			`lockKernelModules = mkDefault true;`
			`protectKernelImage = mkDefault true;`
			`allowSimultaneousMultithreading = mkDefault false;`
			`forcePageTableIsolation = mkDefault true;`
			`apparmor = {`
			`enable = mkDefault true;`
			`killUnconfinedConfinables = mkDefault true;`
			`};`
			`};`

			`boot = {`
			`kernelParams = [`
			`# Slab/slub sanity checks, redzoning, and poisoning`
			`"slub_debug=FZP"`

			`# Overwrite free'd memory`
			`"page_poison=1"`

			`# Enable page allocator randomization`
			`"page_alloc.shuffle=1"`
			`];`

			`blacklistedKernelModules = [`
			`# Virtualization`
			`"kvm"`

			`# Obscure network protocols`
			`"ax25"`
			`"netrom"`
			`"rose"`

			`# Old or rare or insufficiently audited filesystems`
			`"adfs"`
			`"affs"`
			`"bfs"`
			`"befs"`
			`"cramfs"`
			`"efs"`
			`"erofs"`
			`"exofs"`
			`"freevxfs"`
			`"f2fs"`
			`"hfs"`
			`"hpfs"`
			`"jfs"`
			`"minix"`
			`"nilfs2"`
			`"ntfs"`
			`"omfs"`
			`"qnx4"`
			`"qnx6"`
			`"sysv"`
			`"ufs"`
			`];`

			`kernel = {`
			`sysctl."kernel.ftrace_enabled" = mkDefault false;`
			`sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;`
			`};`
			`};`
			`}`