xin/configs/hardened.nix

73 lines
1.3 KiB
Nix
Raw Normal View History

{ config, lib, pkgs, ... }:
with lib;
{
environment = {
memoryAllocator.provider = mkDefault "scudo";
variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
};
security = {
lockKernelModules = mkDefault true;
protectKernelImage = mkDefault true;
allowSimultaneousMultithreading = mkDefault false;
forcePageTableIsolation = mkDefault true;
apparmor = {
enable = mkDefault true;
killUnconfinedConfinables = mkDefault true;
};
};
boot = {
kernelParams = [
# Slab/slub sanity checks, redzoning, and poisoning
"slub_debug=FZP"
# Overwrite free'd memory
"page_poison=1"
# Enable page allocator randomization
"page_alloc.shuffle=1"
];
blacklistedKernelModules = [
# Virtualization
"kvm"
# Obscure network protocols
"ax25"
"netrom"
"rose"
# Old or rare or insufficiently audited filesystems
"adfs"
"affs"
"bfs"
"befs"
"cramfs"
"efs"
"erofs"
"exofs"
"freevxfs"
"f2fs"
"hfs"
"hpfs"
"jfs"
"minix"
"nilfs2"
"ntfs"
"omfs"
"qnx4"
"qnx6"
"sysv"
"ufs"
];
kernel = {
sysctl."kernel.ftrace_enabled" = mkDefault false;
sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
};
};
}