# A profile with most (vanilla) hardening options enabled by default, # potentially at the cost of features and performance. { lib, pkgs, ... }: with lib; { meta = { maintainers = [ maintainers.joachifm ]; }; boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened; nix.allowedUsers = mkDefault [ "@users" ]; environment.memoryAllocator.provider = mkDefault "scudo"; environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1"; security.hideProcessInformation = mkDefault true; security.lockKernelModules = mkDefault true; security.allowUserNamespaces = mkDefault false; security.protectKernelImage = mkDefault true; security.allowSimultaneousMultithreading = mkDefault false; security.forcePageTableIsolation = mkDefault true; security.virtualisation.flushL1DataCache = mkDefault "always"; security.apparmor.enable = mkDefault true; boot.kernelParams = [ # Slab/slub sanity checks, redzoning, and poisoning "slub_debug=FZP" # Overwrite free'd memory "page_poison=1" # Enable page allocator randomization "page_alloc.shuffle=1" ]; boot.blacklistedKernelModules = [ # Obscure network protocols "ax25" "netrom" "rose" # Old or rare or insufficiently audited filesystems "adfs" "affs" "bfs" "befs" "cramfs" "efs" "erofs" "exofs" "freevxfs" "f2fs" "hfs" "hpfs" "jfs" "minix" "nilfs2" "qnx4" "qnx6" "sysv" "ufs" ]; # Restrict ptrace() usage to processes with a pre-defined relationship # (e.g., parent/child) boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1; # Hide kptrs even for processes with CAP_SYSLOG boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2; # Disable bpf() JIT (to eliminate spray attacks) boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false; # Raise ASLR entropy for 64bit & 32bit, respectively. # # Note: mmap_rnd_compat_bits may not exist on 64bit. boot.kernel.sysctl."vm.mmap_rnd_bits" = mkDefault 32; boot.kernel.sysctl."vm.mmap_rnd_compat_bits" = mkDefault 16; # Allowing users to mmap() memory starting at virtual address 0 can turn a # NULL dereference bug in the kernel into code execution with elevated # privilege. Mitigate by enforcing a minimum base addr beyond the NULL memory # space. This breaks applications that require mapping the 0 page, such as # dosemu or running 16bit applications under wine. It also breaks older # versions of qemu. # # The value is taken from the KSPP recommendations (Debian uses 4096). boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536; # Disable ftrace debugging boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false; # Enable strict reverse path filtering (that is, do not attempt to route # packets that "obviously" do not belong to the iface's network; dropped # packets are logged as martians). boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true; boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1"; boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true; boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1"; # Ignore broadcast ICMP (mitigate SMURF) boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true; # Ignore incoming ICMP redirects (note: default is needed to ensure that the # setting is applied to interfaces added after the sysctls are set) boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false; boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = mkDefault false; boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = mkDefault false; boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = mkDefault false; boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = mkDefault false; boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = mkDefault false; # Ignore outgoing ICMP redirects (this is ipv4 only) boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false; boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false; # Restrict userfaultfd syscalls to processes with the SYS_PTRACE capability boot.kernel.sysctl."vm.unprivileged_userfaultfd" = mkDefault false; }