From 4dbe01aea3821cbb252670aa580fc1a4ee57b432 Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Fri, 16 Jun 2023 00:46:19 +0300
Subject: [PATCH] test more hardening for hypervisor
---
 machines/Home-Hypervisor/default.nix | 5 +-
 .../Home-Hypervisor/hardened-extended.nix | 117 ++++++++++++++++++
 .../{hardening.nix => hardened.nix} | 16 ++-
 profiles/overlay.nix | 11 +-
 4 files changed, 134 insertions(+), 15 deletions(-)
 create mode 100644 machines/Home-Hypervisor/hardened-extended.nix
 rename machines/Home-Hypervisor/{hardening.nix => hardened.nix} (61%)
diff --git a/machines/Home-Hypervisor/default.nix b/machines/Home-Hypervisor/default.nix
index 7e3bf2c..d789d74 100644
--- a/machines/Home-Hypervisor/default.nix
+++ b/machines/Home-Hypervisor/default.nix
@@ -4,7 +4,7 @@ let
 in {
 imports = with inputs.self; [
 ./boot.nix
- ./hardening.nix
+ ./hardened-extended.nix
 ./hardware-configuration.nix
 ./virtualisation.nix
 ./disks.nix
@@ -114,9 +114,6 @@ in {
 networking.firewall.allowedUDPPorts = lib.mkDefault [];
 systemd.coredump.enable = false;
 programs.firejail.enable = true;
- # scudo memalloc is unstable
- environment.memoryAllocator.provider = lib.mkForce "libc";
- # environment.memoryAllocator.provider = "graphene-hardened";
 networking.wireless.enable = false;
 networking.networkmanager.enable = false;
diff --git a/machines/Home-Hypervisor/hardened-extended.nix b/machines/Home-Hypervisor/hardened-extended.nix
new file mode 100644
index 0000000..8fd9e6b
--- /dev/null
+++ b/machines/Home-Hypervisor/hardened-extended.nix
@@ -0,0 +1,117 @@
+# This preset adds additional hardening settings on top of the
+# default ./hardened.nix preset.
+# These settings trade even more functionality and performance for increased security.
+#
+# See madaidan's Linux Hardening Guide for detailed explanations:
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html
+
+{
+ imports = [
+ # Build on standard hardened preset
+ ./hardened.nix
+ ];
+
+ boot.kernel.sysctl = {
+ # Prevent boot console kernel log information leaks
+ "kernel.printk" = "3 3 3 3";
+ # Restrict loading TTY line disciplines to the CAP_SYS_MODULE capability to
+ # prevent unprivileged attackers from loading vulnerable line disciplines with
+ # the TIOCSETD ioctl
+ "dev.tty.ldisc_autoload" = false;
+ # The SysRq key exposes a lot of potentially dangerous debugging functionality
+ # to unprivileged users
+ "kernel.sysrq" = false;
+ # Disable accepting IPv6 router advertisements
+ "net.ipv6.conf.all.accept_ra" = false;
+ "net.ipv6.default.accept_ra" = false;
+ # Disable TCP SACK.
SACK is commonly exploited and unnecessary for many
+ # circumstances so it should be disabled if you don't require it
+ "net.ipv4.tcp_sack" = false;
+ "net.ipv4.tcp_dsack" = false;
+ # Restrict usage of ptrace to only processes with the CAP_SYS_PTRACE
+ # capability
+ "kernel.yama.ptrace_scope" = "2";
+ # Prevent creating files in potentially attacker-controlled environments such
+ # as world-writable directories to make data spoofing attacks more difficult
+ "fs.protected_fifos" = "2";
+ "fs.protected_regular" = "2";
+ # Avoid leaking system time with TCP timestamps
+ "net.ipv4.tcp_timestamps" = false;
+ # Disable core dumps
+ "syskernel.core_pattern" = "|/bin/false";
+ "fs.suid_dumpable" = false;
+ };
+
+ boot.kernelParams = [
+ # Disable slab merging which significantly increases the difficulty of heap
+ # exploitation by preventing overwriting objects from merged caches and by
+ # making it harder to influence slab cache layout
+ "slab_nomerge"
+ # Disable vsyscalls as they are obsolete and have been replaced with vDSO.
+ # vsyscalls are also at fixed addresses in memory, making them a potential
+ # target for ROP attacks
+ "vsyscall=none"
+ # Disable debugfs which exposes a lot of sensitive information about the
+ # kernel
+ "debugfs=off"
+ # Sometimes certain kernel exploits will cause what is known as an "oops".
+ # This parameter will cause the kernel to panic on such oopses, thereby
+ # preventing those exploits
+ "oops=panic"
+ # Only allow kernel modules that have been signed with a valid key to be
+ # loaded, which increases security by making it much harder to load a
+ # malicious kernel module
+ "module.sig_enforce=1"
+ # The kernel lockdown LSM can eliminate many methods that user space code
+ # could abuse to escalate to kernel privileges and extract sensitive
+ # information.
This LSM is necessary to implement a clear security boundary
+ # between user space and the kernel
+ "lockdown=confidentiality"
+ # These parameters prevent information leaks during boot and must be used
+ # in combination with the kernel.printk
+ "quiet" "loglevel=0"
+ ];
+
+ boot.blacklistedKernelModules = [
+ # Obscure networking protocols
+ "dccp"
+ "sctp"
+ "rds"
+ "tipc"
+ "n-hdlc"
+ "x25"
+ "decnet"
+ "econet"
+ "af_802154"
+ "ipx"
+ "appletalk"
+ "psnap"
+ "p8023"
+ "p8022"
+ "can"
+ "atm"
+ # Various rare filesystems
+ "jffs2"
+ "hfsplus"
+ "squashfs"
+ "udf"
+ "cifs"
+ "nfs"
+ "nfsv3"
+ # "nfsv4"
+ "gfs2"
+ # vivid driver is only useful for testing purposes and has been the cause
+ # of privilege escalation vulnerabilities
+ "vivid"
+ # Disable Bluetooth
+ "bluetooth"
+ "btusb"
+ # Disable webcam
+ "uvcvideo"
+ # Disable Thunderbolt and FireWire to prevent DMA attacks
+ "thunderbolt"
+ "firewire-core"
+ ];
+
+ # services.usbguard.enable = true;
+}
diff --git a/machines/Home-Hypervisor/hardening.nix b/machines/Home-Hypervisor/hardened.nix
similarity index 61%
rename from machines/Home-Hypervisor/hardening.nix
rename to machines/Home-Hypervisor/hardened.nix
index ed17e60..5fac43f 100644
--- a/machines/Home-Hypervisor/hardening.nix
+++ b/machines/Home-Hypervisor/hardened.nix
@@ -4,7 +4,7 @@
 ];
 boot.kernel.sysctl = {
- "kernel.sysrq" = false;
+ # "kernel.sysrq" = false;
 "net.core.default_qdisc" = "sch_fq_codel";
 "net.ipv4.conf.all.accept_source_route" = false;
 "net.ipv4.icmp_ignore_bogus_error_responses" = true;
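Review bot: Two sysctl keys in the new boot.kernel.sysctl block are misspelled and will never take effect: `"syskernel.core_pattern"` names a path that does not exist under /proc/sys (the key is `kernel.core_pattern`), and `"net.ipv6.default.accept_ra"` is missing the `conf` component. Because the keys cannot be written, core dumps keep the default pattern and newly created interfaces still accept router advertisements, so the two lines should read `"kernel.core_pattern" = "|/bin/false";` and `"net.ipv6.conf.default.accept_ra" = false;`. Separately, `module.sig_enforce=1` in boot.kernelParams only helps if the kernel this machine boots is built with module signing and a signing key; if it is not, every module load (including the KVM, bridge and tun modules a hypervisor depends on) is refused, so the kernel configuration is worth confirming before this is deployed. The same caveat applies to `lockdown=confidentiality`, which is silently ignored when the lockdown LSM is not compiled in.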
@@ -18,13 +18,17 @@
 "net.ipv6.conf.default.disable_ipv6" = true;
 };
- security.lockKernelModules = false;
+ # security.lockKernelModules = false;
 security.allowSimultaneousMultithreading = true;
 security.virtualisation.flushL1DataCache = "cond";
 # security.forcePageTableIsolation = false;
- # boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = false;
- # boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "0";
- # boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = false;
- # boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "0";
+ # scudo memalloc is unstable
+ # environment.memoryAllocator.provider = lib.mkForce "libc";
+ environment.memoryAllocator.provider = lib.mkForce "graphene-hardened";
+
+ boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = false;
+ boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "0";
+ boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = false;
+ boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "0";
 }
\ No newline at end of file
diff --git a/profiles/overlay.nix b/profiles/overlay.nix
index 73a4e2c..85d70fa 100644
--- a/profiles/overlay.nix
+++ b/profiles/overlay.nix
@@ -7,6 +7,7 @@ let
 };
 nur = import inputs.nur {
 nurpkgs = import inputs.nixpkgs {
+ # inherit system;
 system = "x86_64-linux";
 };
 };
@@ -17,6 +18,11 @@ with lib; {
 nur.repos.ataraxiasjel.overlays.grub2-argon2
 (final: prev: {
+ attic = inputs.attic.packages.${system}.attic;
+ attic-static = inputs.attic.packages.${system}.attic-static;
+ cassowary-py = inputs.cassowary.packages.${system}.cassowary;
+ dhcpcd = prev.dhcpcd.override { enablePrivSep = false; };
+ hoyolab-daily-bot = inputs.hoyolab-daily-bot.packages.${system}.default;
 nix-alien = inputs.nix-alien.packages.${system}.nix-alien;
 nix-index-update = inputs.nix-alien.packages.${system}.nix-index-update;
 prismlauncher = inputs.prismlauncher.packages.${system}.default;
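Review bot: The newly enabled `boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "0"` and its `default` twin switch reverse-path filtering off on every interface, and setting `log_martians` to false on both removes the only log line that would show packets with impossible source addresses arriving, so this hunk loosens the hardened preset it sits in without a comment saying why. If asymmetric routing across the hypervisor's bridges is the reason, loose mode keeps source validation while tolerating it: `boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "2";` and `boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "2";`, or scope the relaxation to the one bridge interface that needs it. Commenting out `security.lockKernelModules = false;` hands that option back to whatever the imports at the top of this file set — presumably a hardened profile that locks module loading after boot — so every module the VMs need (kvm, tun, bridge) must then be listed in boot.kernelModules; worth confirming the machine still boots with networking. The `# scudo memalloc is unstable` comment now sits above the graphene-hardened line it no longer describes and should be updated or dropped.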
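Review bot: `dhcpcd = prev.dhcpcd.override { enablePrivSep = false; };` disables dhcpcd's privilege separation, so the code that parses untrusted DHCP replies off the wire runs with full root privileges instead of in a dropped-privilege child; it is the one line in a commit titled "more hardening" that reduces hardening, and it carries no explanation. If a build or runtime problem on this nixpkgs revision forces it, record that beside the line, e.g. `# privsep disabled: <reason or issue link>; TODO re-enable once fixed`, so the override gets revisited instead of being inherited by every host that uses this overlay. The other added lines only relocate attic, cassowary-py and hoyolab-daily-bot from further down the same overlay.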
@@ -35,11 +41,6 @@ with lib; { }); nix-direnv = inputs.nix-direnv.packages.${system}.default.override { nix = final.nix; }; - attic = inputs.attic.packages.${system}.attic; - attic-static = inputs.attic.packages.${system}.attic-static; - cassowary-py = inputs.cassowary.packages.${system}.cassowary; - hoyolab-daily-bot = inputs.hoyolab-daily-bot.packages.${system}.default; - pass-secret-service = prev.pass-secret-service.overrideAttrs (_: { installCheckPhase = null; postInstall = ''