move hardened to profiles

2023-06-23 18:28:56 +03:00 · 2023-06-23 18:28:56 +03:00 · 5ac65124b0
commit 5ac65124b0
parent c0cb0cdafa
5 changed files with 100 additions and 153 deletions
--- a/machines/Home-Hypervisor/boot.nix
+++ b/machines/Home-Hypervisor/boot.nix
@ -83,7 +83,12 @@ in {
      "vm.dirty_background_ratio" = 1;
      "vm.dirty_ratio" = 40;
      "vm.page-cluster" = 0;
+
+      "net.ipv4.tcp_congestion_control" = "bbr";
+      "net.core.default_qdisc" = "fq";
+      # disable ipv6
+      "net.ipv6.conf.all.disable_ipv6" = true;
+      "net.ipv6.conf.default.disable_ipv6" = true;
    };
-    # cleanTmpDir = true;
  };
 }
--- a/machines/Home-Hypervisor/default.nix
+++ b/machines/Home-Hypervisor/default.nix
@ -4,10 +4,10 @@ let
 in {
  imports = with inputs.self; [
    ./boot.nix
-    ./hardened-extended.nix
    ./hardware-configuration.nix
    ./virtualisation.nix
    ./disks.nix
+    nixosProfiles.hardened

    nixosRoles.hypervisor
    nixosProfiles.acme
@ -84,6 +84,8 @@ in {
    zfs rollback -r rpool/user/home@empty
  '';

+  environment.memoryAllocator.provider = "libc";
+
  # build hell
  environment.noXlibs = lib.mkForce false;
  # minimal profile
--- a/machines/Home-Hypervisor/hardened-extended.nix
+++ b/machines/Home-Hypervisor/hardened-extended.nix
@ -1,117 +0,0 @@
-# This preset adds additional hardening settings on top of the
-# default ./hardened.nix preset.
-# These settings trade even more functionality and performance for increased security.
-#
-# See madaidan's Linux Hardening Guide for detailed explanations:
-# https://madaidans-insecurities.github.io/guides/linux-hardening.html
-
-{
-  imports = [
-    # Build on standard hardened preset
-    ./hardened.nix
-  ];
-
-  boot.kernel.sysctl = {
-    # Prevent boot console kernel log information leaks
-    "kernel.printk" = "3 3 3 3";
-    # Restrict loading TTY line disciplines to the CAP_SYS_MODULE capability to
-    # prevent unprivileged attackers from loading vulnerable line disciplines with
-    # the TIOCSETD ioctl
-    "dev.tty.ldisc_autoload" = false;
-    # The SysRq key exposes a lot of potentially dangerous debugging functionality
-    # to unprivileged users
-    "kernel.sysrq" = false;
-    # Disable accepting IPv6 router advertisements
-    "net.ipv6.conf.all.accept_ra" = false;
-    "net.ipv6.default.accept_ra" = false;
-    # Disable TCP SACK. SACK is commonly exploited and unnecessary for many
-    # circumstances so it should be disabled if you don't require it
-    "net.ipv4.tcp_sack" = false;
-    "net.ipv4.tcp_dsack" = false;
-    # Restrict usage of ptrace to only processes with the CAP_SYS_PTRACE
-    # capability
-    "kernel.yama.ptrace_scope" = "2";
-    # Prevent creating files in potentially attacker-controlled environments such
-    # as world-writable directories to make data spoofing attacks more difficult
-    "fs.protected_fifos" = "2";
-    "fs.protected_regular" = "2";
-    # Avoid leaking system time with TCP timestamps
-    "net.ipv4.tcp_timestamps" = false;
-    # Disable core dumps
-    "syskernel.core_pattern" = "|/bin/false";
-    "fs.suid_dumpable" = false;
-  };
-
-  boot.kernelParams = [
-    # Disable slab merging which significantly increases the difficulty of heap
-    # exploitation by preventing overwriting objects from merged caches and by
-    # making it harder to influence slab cache layout
-    "slab_nomerge"
-    # Disable vsyscalls as they are obsolete and have been replaced with vDSO.
-    # vsyscalls are also at fixed addresses in memory, making them a potential
-    # target for ROP attacks
-    "vsyscall=none"
-    # Disable debugfs which exposes a lot of sensitive information about the
-    # kernel
-    "debugfs=off"
-    # Sometimes certain kernel exploits will cause what is known as an "oops".
-    # This parameter will cause the kernel to panic on such oopses, thereby
-    # preventing those exploits
-    "oops=panic"
-    # Only allow kernel modules that have been signed with a valid key to be
-    # loaded, which increases security by making it much harder to load a
-    # malicious kernel module
-    "module.sig_enforce=1"
-    # The kernel lockdown LSM can eliminate many methods that user space code
-    # could abuse to escalate to kernel privileges and extract sensitive
-    # information. This LSM is necessary to implement a clear security boundary
-    # between user space and the kernel
-    "lockdown=confidentiality"
-    # These parameters prevent information leaks during boot and must be used
-    # in combination with the kernel.printk
-    "quiet" "loglevel=0"
-  ];
-
-  boot.blacklistedKernelModules = [
-    # Obscure networking protocols
-    "dccp"
-    "sctp"
-    "rds"
-    "tipc"
-    "n-hdlc"
-    "x25"
-    "decnet"
-    "econet"
-    "af_802154"
-    "ipx"
-    "appletalk"
-    "psnap"
-    "p8023"
-    "p8022"
-    "can"
-    "atm"
-    # Various rare filesystems
-    "jffs2"
-    "hfsplus"
-    "squashfs"
-    "udf"
-    "cifs"
-    "nfs"
-    "nfsv3"
-    # "nfsv4"
-    "gfs2"
-    # vivid driver is only useful for testing purposes and has been the cause
-    # of privilege escalation vulnerabilities
-    "vivid"
-    # Disable Bluetooth
-    "bluetooth"
-    "btusb"
-    # Disable webcam
-    "uvcvideo"
-    # Disable Thunderbolt and FireWire to prevent DMA attacks
-    "thunderbolt"
-    "firewire-core"
-  ];
-
-  # services.usbguard.enable = true;
-}
--- a/machines/Home-Hypervisor/hardened.nix
+++ b/machines/Home-Hypervisor/hardened.nix
@ -1,34 +0,0 @@
-{ modulesPath, config, pkgs, lib, ... }: {
-  imports = [
-    "${toString modulesPath}/profiles/hardened.nix"
-  ];
-
-  boot.kernel.sysctl = {
-    # "kernel.sysrq" = false;
-    "net.core.default_qdisc" = "sch_fq_codel";
-    "net.ipv4.conf.all.accept_source_route" = false;
-    "net.ipv4.icmp_ignore_bogus_error_responses" = true;
-    "net.ipv4.tcp_congestion_control" = "bbr";
-    "net.ipv4.tcp_fastopen" = 3;
-    "net.ipv4.tcp_rfc1337" = true;
-    "net.ipv4.tcp_syncookies" = true;
-    "net.ipv6.conf.all.accept_source_route" = false;
-    # disable ipv6
-    "net.ipv6.conf.all.disable_ipv6" = true;
-    "net.ipv6.conf.default.disable_ipv6" = true;
-  };
-
-  # security.lockKernelModules = false;
-  security.allowSimultaneousMultithreading = true;
-  security.virtualisation.flushL1DataCache = "cond";
-  # security.forcePageTableIsolation = false;
-
-  # scudo memalloc is unstable
-  # environment.memoryAllocator.provider = lib.mkForce "libc";
-  environment.memoryAllocator.provider = lib.mkForce "graphene-hardened";
-
-  boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = false;
-  boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "0";
-  boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = false;
-  boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "0";
-}
--- a/profiles/hardened.nix
+++ b/profiles/hardened.nix
@ -0,0 +1,91 @@
+{ modulesPath, config, pkgs, lib, ... }: {
+  imports = [
+    (modulesPath + "/profiles/hardened.nix")
+  ];
+
+  boot.kernel.sysctl = {
+    "dev.tty.ldisc_autoload" = lib.mkDefault false;
+    "fs.protected_fifos" = lib.mkDefault "2";
+    "fs.protected_regular" = lib.mkDefault "2";
+    "fs.suid_dumpable" = lib.mkDefault false;
+    "kernel.printk" = lib.mkForce "3 3 3 3";
+    "kernel.sysrq" = lib.mkDefault false;
+    "kernel.yama.ptrace_scope" = "2";
+    "net.ipv4.tcp_timestamps" = lib.mkDefault false;
+    "syskernel.core_pattern" = lib.mkDefault "|/bin/false";
+
+    "net.ipv4.tcp_congestion_control" = lib.mkDefault "bbr";
+    "net.core.default_qdisc" = lib.mkDefault "cake";
+    "net.ipv4.conf.all.accept_source_route" = lib.mkDefault false;
+    "net.ipv4.conf.all.log_martians" = false;
+    "net.ipv4.conf.all.rp_filter" = "0";
+    "net.ipv4.conf.default.log_martians" = false;
+    "net.ipv4.conf.default.rp_filter" = "0";
+    "net.ipv4.icmp_ignore_bogus_error_responses" = lib.mkDefault true;
+    "net.ipv4.tcp_dsack" = lib.mkDefault false;
+    "net.ipv4.tcp_fastopen" = lib.mkDefault 3;
+    "net.ipv4.tcp_rfc1337" = lib.mkDefault true;
+    "net.ipv4.tcp_sack" = lib.mkDefault false;
+    "net.ipv4.tcp_syncookies" = lib.mkDefault true;
+    "net.ipv6.conf.all.accept_ra" = lib.mkDefault false;
+    "net.ipv6.conf.all.accept_source_route" = lib.mkDefault false;
+    "net.ipv6.default.accept_ra" = lib.mkDefault false;
+  };
+
+  boot.kernelParams = [
+    "debugfs=off"
+    "lockdown=confidentiality"
+    "module.sig_enforce=1"
+    "oops=panic"
+    "quiet" "loglevel=0"
+    "slab_nomerge"
+    "vsyscall=none"
+  ];
+
+  boot.blacklistedKernelModules = [
+    # Obscure networking protocols
+    "dccp"
+    "sctp"
+    "rds"
+    "tipc"
+    "n-hdlc"
+    "x25"
+    "decnet"
+    "econet"
+    "af_802154"
+    "ipx"
+    "appletalk"
+    "psnap"
+    "p8023"
+    "p8022"
+    "can"
+    "atm"
+    # Various rare filesystems
+    "jffs2"
+    "hfsplus"
+    "squashfs"
+    "udf"
+    "cifs"
+    "nfs"
+    "nfsv3"
+    "gfs2"
+    "vivid"
+    # Disable Bluetooth
+    "bluetooth"
+    "btusb"
+    # Disable webcam
+    "uvcvideo"
+    # Disable Thunderbolt and FireWire to prevent DMA attacks
+    "thunderbolt"
+    "firewire-core"
+  ];
+
+  # security.lockKernelModules = false;
+  security.allowSimultaneousMultithreading = true;
+  security.virtualisation.flushL1DataCache = "cond";
+  # security.forcePageTableIsolation = false;
+
+  # scudo memalloc is unstable
+  environment.memoryAllocator.provider = lib.mkDefault "scudo";
+  # environment.memoryAllocator.provider = lib.mkDefault "graphene-hardened";
+}