From 5ac65124b0ac8ee40a0b332dea8f2b24a114404c Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Fri, 23 Jun 2023 18:28:56 +0300
Subject: [PATCH] move hardened to profiles
---
 machines/Home-Hypervisor/boot.nix | 7 +-
 machines/Home-Hypervisor/default.nix | 4 +-
 .../Home-Hypervisor/hardened-extended.nix | 117 ------------------
 machines/Home-Hypervisor/hardened.nix | 34 -----
 profiles/hardened.nix | 91 ++++++++++++++
 5 files changed, 100 insertions(+), 153 deletions(-)
 delete mode 100644 machines/Home-Hypervisor/hardened-extended.nix
 delete mode 100644 machines/Home-Hypervisor/hardened.nix
 create mode 100644 profiles/hardened.nix
diff --git a/machines/Home-Hypervisor/boot.nix b/machines/Home-Hypervisor/boot.nix
index b159700..3502627 100644
--- a/machines/Home-Hypervisor/boot.nix
+++ b/machines/Home-Hypervisor/boot.nix
@@ -83,7 +83,12 @@ in {
 "vm.dirty_background_ratio" = 1;
 "vm.dirty_ratio" = 40;
 "vm.page-cluster" = 0;
+
+ "net.ipv4.tcp_congestion_control" = "bbr";
+ "net.core.default_qdisc" = "fq";
+ # disable ipv6
+ "net.ipv6.conf.all.disable_ipv6" = true;
+ "net.ipv6.conf.default.disable_ipv6" = true;
 };
- # cleanTmpDir = true;
 }
diff --git a/machines/Home-Hypervisor/default.nix b/machines/Home-Hypervisor/default.nix
index d789d74..0b15518 100644
--- a/machines/Home-Hypervisor/default.nix
+++ b/machines/Home-Hypervisor/default.nix
@@ -4,10 +4,10 @@ let
 in {
 imports = with inputs.self; [
 ./boot.nix
- ./hardened-extended.nix
 ./hardware-configuration.nix
 ./virtualisation.nix
 ./disks.nix
+ nixosProfiles.hardened
 nixosRoles.hypervisor
 nixosProfiles.acme
@@ -84,6 +84,8 @@ in {
 zfs rollback -r rpool/user/home@empty
 '';
+ environment.memoryAllocator.provider = "libc";
+
 # build hell
 environment.noXlibs = lib.mkForce false;
 # minimal profile
diff --git a/machines/Home-Hypervisor/hardened-extended.nix b/machines/Home-Hypervisor/hardened-extended.nix
deleted file mode 100644
index 8fd9e6b..0000000
--- a/machines/Home-Hypervisor/hardened-extended.nix
+++ /dev/null
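Review bot: `"net.core.default_qdisc" = "fq";` in the boot.nix hunk is a plain assignment, while the profile this same commit imports sets the qdisc with `lib.mkDefault "cake"`, so on this host the profile's choice is silently overridden and a reader cannot tell whether fq is intentional or a leftover. If fq is deliberate (it is the qdisc BBR is usually paired with), a comment such as `# fq on purpose: overrides the profile's mkDefault "cake"` would make that explicit. The `"net.ipv4.tcp_congestion_control" = "bbr";` line duplicates the profile's mkDefault of the same value and could be dropped. The enclosing `boot.kernel.sysctl` attribute set begins before this hunk.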
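Review bot: `environment.memoryAllocator.provider = "libc";` in the second default.nix hunk carries no reason, whereas the deleted hardened.nix recorded `# scudo memalloc is unstable` next to a commented-out libc line; that history is lost now that the profile defaults to scudo. A why-comment here, e.g. `# libc: scudo was unstable on this host; plain assignment already beats the profile's mkDefault`, would both preserve the rationale and explain why no `lib.mkForce` is needed. Both default.nix hunks sit inside the top-level attribute set whose start is outside this hunk.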
@@ -1,117 +0,0 @@
-# This preset adds additional hardening settings on top of the
-# default ./hardened.nix preset.
-# These settings trade even more functionality and performance for increased security.
-#
-# See madaidan's Linux Hardening Guide for detailed explanations:
-# https://madaidans-insecurities.github.io/guides/linux-hardening.html
- {
- imports = [
- # Build on standard hardened preset
- ./hardened.nix
- ];
-
- boot.kernel.sysctl = {
- # Prevent boot console kernel log information leaks
- "kernel.printk" = "3 3 3 3";
- # Restrict loading TTY line disciplines to the CAP_SYS_MODULE capability to
- # prevent unprivileged attackers from loading vulnerable line disciplines with
- # the TIOCSETD ioctl
- "dev.tty.ldisc_autoload" = false;
- # The SysRq key exposes a lot of potentially dangerous debugging functionality
- # to unprivileged users
- "kernel.sysrq" = false;
- # Disable accepting IPv6 router advertisements
- "net.ipv6.conf.all.accept_ra" = false;
- "net.ipv6.default.accept_ra" = false;
- # Disable TCP SACK. SACK is commonly exploited and unnecessary for many
- # circumstances so it should be disabled if you don't require it
- "net.ipv4.tcp_sack" = false;
- "net.ipv4.tcp_dsack" = false;
- # Restrict usage of ptrace to only processes with the CAP_SYS_PTRACE
- # capability
- "kernel.yama.ptrace_scope" = "2";
- # Prevent creating files in potentially attacker-controlled environments such
- # as world-writable directories to make data spoofing attacks more difficult
- "fs.protected_fifos" = "2";
- "fs.protected_regular" = "2";
- # Avoid leaking system time with TCP timestamps
- "net.ipv4.tcp_timestamps" = false;
- # Disable core dumps
- "syskernel.core_pattern" = "|/bin/false";
- "fs.suid_dumpable" = false;
- };
-
- boot.kernelParams = [
- # Disable slab merging which significantly increases the difficulty of heap
- # exploitation by preventing overwriting objects from merged caches and by
- # making it harder to influence slab cache layout
- "slab_nomerge"
- # Disable vsyscalls as they are obsolete and have been replaced with vDSO.
- # vsyscalls are also at fixed addresses in memory, making them a potential
- # target for ROP attacks
- "vsyscall=none"
- # Disable debugfs which exposes a lot of sensitive information about the
- # kernel
- "debugfs=off"
- # Sometimes certain kernel exploits will cause what is known as an "oops".
- # This parameter will cause the kernel to panic on such oopses, thereby
- # preventing those exploits
- "oops=panic"
- # Only allow kernel modules that have been signed with a valid key to be
- # loaded, which increases security by making it much harder to load a
- # malicious kernel module
- "module.sig_enforce=1"
- # The kernel lockdown LSM can eliminate many methods that user space code
- # could abuse to escalate to kernel privileges and extract sensitive
- # information. This LSM is necessary to implement a clear security boundary
- # between user space and the kernel
- "lockdown=confidentiality"
- # These parameters prevent information leaks during boot and must be used
- # in combination with the kernel.printk
- "quiet" "loglevel=0"
- ];
-
- boot.blacklistedKernelModules = [
- # Obscure networking protocols
- "dccp"
- "sctp"
- "rds"
- "tipc"
- "n-hdlc"
- "x25"
- "decnet"
- "econet"
- "af_802154"
- "ipx"
- "appletalk"
- "psnap"
- "p8023"
- "p8022"
- "can"
- "atm"
- # Various rare filesystems
- "jffs2"
- "hfsplus"
- "squashfs"
- "udf"
- "cifs"
- "nfs"
- "nfsv3"
- # "nfsv4"
- "gfs2"
- # vivid driver is only useful for testing purposes and has been the cause
- # of privilege escalation vulnerabilities
- "vivid"
- # Disable Bluetooth
- "bluetooth"
- "btusb"
- # Disable webcam
- "uvcvideo"
- # Disable Thunderbolt and FireWire to prevent DMA attacks
- "thunderbolt"
- "firewire-core"
- ];
-
- # services.usbguard.enable = true;
-}
diff --git a/machines/Home-Hypervisor/hardened.nix b/machines/Home-Hypervisor/hardened.nix
deleted file mode 100644
index 5fac43f..0000000
--- a/machines/Home-Hypervisor/hardened.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-{ modulesPath, config, pkgs, lib, ... }: {
- imports = [
- "${toString modulesPath}/profiles/hardened.nix"
- ];
-
- boot.kernel.sysctl = {
- # "kernel.sysrq" = false;
- "net.core.default_qdisc" = "sch_fq_codel";
- "net.ipv4.conf.all.accept_source_route" = false;
- "net.ipv4.icmp_ignore_bogus_error_responses" = true;
- "net.ipv4.tcp_congestion_control" = "bbr";
- "net.ipv4.tcp_fastopen" = 3;
- "net.ipv4.tcp_rfc1337" = true;
- "net.ipv4.tcp_syncookies" = true;
- "net.ipv6.conf.all.accept_source_route" = false;
- # disable ipv6
- "net.ipv6.conf.all.disable_ipv6" = true;
- "net.ipv6.conf.default.disable_ipv6" = true;
- };
-
- # security.lockKernelModules = false;
- security.allowSimultaneousMultithreading = true;
- security.virtualisation.flushL1DataCache = "cond";
- # security.forcePageTableIsolation = false;
-
- # scudo memalloc is unstable
- # environment.memoryAllocator.provider = lib.mkForce "libc";
- environment.memoryAllocator.provider = lib.mkForce "graphene-hardened";
- boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = false;
- boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "0";
- boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = false;
- boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "0";
-}
\ No newline at end of file
diff --git a/profiles/hardened.nix b/profiles/hardened.nix
new file mode 100644
index 0000000..0342cc8
--- /dev/null
+++ b/profiles/hardened.nix
@@ -0,0 +1,91 @@
+{ modulesPath, config, pkgs, lib, ... }: {
+ imports = [
+ (modulesPath + "/profiles/hardened.nix")
+ ];
+
+ boot.kernel.sysctl = {
+ "dev.tty.ldisc_autoload" = lib.mkDefault false;
+ "fs.protected_fifos" = lib.mkDefault "2";
+ "fs.protected_regular" = lib.mkDefault "2";
+ "fs.suid_dumpable" = lib.mkDefault false;
+ "kernel.printk" = lib.mkForce "3 3 3 3";
+ "kernel.sysrq" = lib.mkDefault false;
+ "kernel.yama.ptrace_scope" = "2";
+ "net.ipv4.tcp_timestamps" = lib.mkDefault false;
+ "syskernel.core_pattern" = lib.mkDefault "|/bin/false";
+
+ "net.ipv4.tcp_congestion_control" = lib.mkDefault "bbr";
+ "net.core.default_qdisc" = lib.mkDefault "cake";
+ "net.ipv4.conf.all.accept_source_route" = lib.mkDefault false;
+ "net.ipv4.conf.all.log_martians" = false;
+ "net.ipv4.conf.all.rp_filter" = "0";
+ "net.ipv4.conf.default.log_martians" = false;
+ "net.ipv4.conf.default.rp_filter" = "0";
+ "net.ipv4.icmp_ignore_bogus_error_responses" = lib.mkDefault true;
+ "net.ipv4.tcp_dsack" = lib.mkDefault false;
+ "net.ipv4.tcp_fastopen" = lib.mkDefault 3;
+ "net.ipv4.tcp_rfc1337" = lib.mkDefault true;
+ "net.ipv4.tcp_sack" = lib.mkDefault false;
+ "net.ipv4.tcp_syncookies" = lib.mkDefault true;
+ "net.ipv6.conf.all.accept_ra" = lib.mkDefault false;
+ "net.ipv6.conf.all.accept_source_route" = lib.mkDefault false;
+ "net.ipv6.default.accept_ra" = lib.mkDefault false;
+ };
+
+ boot.kernelParams = [
+ "debugfs=off"
+ "lockdown=confidentiality"
+ "module.sig_enforce=1"
+ "oops=panic"
+ "quiet" "loglevel=0"
+ "slab_nomerge"
+ "vsyscall=none"
+ ];
+
+ boot.blacklistedKernelModules = [
+ # Obscure networking protocols
+ "dccp"
+ "sctp"
+ "rds"
+ "tipc"
+ "n-hdlc"
+ "x25"
+ "decnet"
+ "econet"
+ "af_802154"
+ "ipx"
+ "appletalk"
+ "psnap"
+ "p8023"
+ "p8022"
+ "can"
+ "atm"
+ # Various rare filesystems
+ "jffs2"
+ "hfsplus"
+ "squashfs"
+ "udf"
+ "cifs"
+ "nfs"
+ "nfsv3"
+ "gfs2"
+ "vivid"
+ # Disable Bluetooth
+ "bluetooth"
+ "btusb"
+ # Disable webcam
+ "uvcvideo"
+ # Disable Thunderbolt and FireWire to prevent DMA attacks
+ "thunderbolt"
+ "firewire-core"
+ ];
+
+ # security.lockKernelModules = false;
+ security.allowSimultaneousMultithreading = true;
+ security.virtualisation.flushL1DataCache = "cond";
+ # security.forcePageTableIsolation = false;
+
+ # scudo memalloc is unstable
+ environment.memoryAllocator.provider = lib.mkDefault "scudo";
+ # environment.memoryAllocator.provider = lib.mkDefault "graphene-hardened";
+}
\ No newline at end of file
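Review bot: Two sysctl keys in the new `boot.kernel.sysctl` set are misspelled and will never be applied: `"syskernel.core_pattern"` should be `"kernel.core_pattern"`, and `"net.ipv6.default.accept_ra"` should be `"net.ipv6.conf.default.accept_ra"`; both were carried over verbatim from the deleted hardened-extended.nix, so the core-dump and router-advertisement restrictions have silently been no-ops. Because NixOS only writes the keys into a generated sysctl.d file, the typo presumably surfaces at most as a warning when that file is applied rather than as an evaluation error, which is why it survived. The comment `# scudo memalloc is unstable` now sits directly above `environment.memoryAllocator.provider = lib.mkDefault "scudo";`, which reads as contradictory; reword it to say why scudo is nonetheless the default, or move it beside the commented-out graphene-hardened line. The four `rp_filter`/`log_martians` entries are the only network keys set without `lib.mkDefault`; a one-line comment stating that they are deliberate hard overrides (presumably for the hypervisor's VM traffic) would explain the asymmetry.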