From 3b938a909f2e493f2920f1720d35f812bba0bd56 Mon Sep 17 00:00:00 2001 From: nixbitcoin Date: Sat, 30 Jan 2021 23:08:35 +0100 Subject: [PATCH] add hardened-extended preset --- examples/configuration.nix | 5 + modules/presets/hardened-extended.nix | 141 ++++++++++++++++++++++++++ test/tests.nix | 2 +- 3 files changed, 147 insertions(+), 1 deletion(-) create mode 100644 modules/presets/hardened-extended.nix diff --git a/examples/configuration.nix b/examples/configuration.nix index 0b61906..8e8b7cb 100644 --- a/examples/configuration.nix +++ b/examples/configuration.nix @@ -10,6 +10,11 @@ # decreases performance by ~50%. # Turn it off when not needed. + # + # You can enable the hardened-extended preset instead to further improve security + # at the cost of functionality and performance. + # See the comments at the top of `hardened-extended.nix` for further details. + # # FIXME: Uncomment next line to import your hardware configuration. If so, # add the hardware configuration file to the same directory as this file. diff --git a/modules/presets/hardened-extended.nix b/modules/presets/hardened-extended.nix new file mode 100644 index 0000000..c091222 --- /dev/null +++ b/modules/presets/hardened-extended.nix @@ -0,0 +1,141 @@ +# This preset adds additional hardening settings on top of the +# default ./hardened.nix preset. +# These settings trade even more functionality and performance for increased security. + +# This preset enables usbguard. Use `services.usbguard.rules` to whitelist +# select devices. +# +# See madaidan's Linux Hardening Guide for detailed explanations: +# https://madaidans-insecurities.github.io/guides/linux-hardening.html + +{ + imports = [ + # Build on standard hardened preset + ./hardened.nix + ]; + + boot.kernel.sysctl = { + # Prevent boot console kernel log information leaks + "kernel.printk" = "3 3 3 3"; + + # Restrict loading TTY line disciplines to the CAP_SYS_MODULE capability to + # prevent unprivileged attackers from loading vulnerable line disciplines with + # the TIOCSETD ioctl + "dev.tty.ldisc_autoload" = "0"; + + # The SysRq key exposes a lot of potentially dangerous debugging functionality + # to unprivileged users + "kernel.sysrq" = "4"; + + # Protect against time-wait assassination by dropping RST packets for sockets + # in the time-wait state + "net.ipv4.tcp_rfc1337" = "1"; + + # Disable accepting IPv6 router advertisements + "net.ipv6.conf.all.accept_ra" = "0"; + "net.ipv6.default.accept_ra" = "0"; + + # Disable TCP SACK. SACK is commonly exploited and unnecessary for many + # circumstances so it should be disabled if you don't require it + "net.ipv4.tcp_sack" = "0"; + "net.ipv4.tcp_dsack" = "0"; + + # Restrict usage of ptrace to only processes with the CAP_SYS_PTRACE + # capability + "kernel.yama.ptrace_scope" = "2"; + + # Prevent creating files in potentially attacker-controlled environments such + # as world-writable directories to make data spoofing attacks more difficult + "fs.protected_fifos" = "2"; + "fs.protected_regular" = "2"; + + # Avoid leaking system time with TCP timestamps + "net.ipv4.tcp_timestamps" = "0"; + + # Disable core dumps + "syskernel.core_pattern" = "|/bin/false"; + "fs.suid_dumpable" = "0"; + + # Only swap when absolutely necessary + "vm.swappiness" = "1"; + }; + + boot.kernelParams = [ + # Disable slab merging which significantly increases the difficulty of heap + # exploitation by preventing overwriting objects from merged caches and by + # making it harder to influence slab cache layout + "slab_nomerge" + + # Disable vsyscalls as they are obsolete and have been replaced with vDSO. + # vsyscalls are also at fixed addresses in memory, making them a potential + # target for ROP attacks + "vsyscall=none" + + # Disable debugfs which exposes a lot of sensitive information about the + # kernel + "debugfs=off" + + # Sometimes certain kernel exploits will cause what is known as an "oops". + # This parameter will cause the kernel to panic on such oopses, thereby + # preventing those exploits + "oops=panic" + + # Only allow kernel modules that have been signed with a valid key to be + # loaded, which increases security by making it much harder to load a + # malicious kernel module + "module.sig_enforce=1" + + # The kernel lockdown LSM can eliminate many methods that user space code + # could abuse to escalate to kernel privileges and extract sensitive + # information. This LSM is necessary to implement a clear security boundary + # between user space and the kernel + "lockdown=confidentiality" + + # These parameters prevent information leaks during boot and must be used + # in combination with the kernel.printk + "quiet loglevel=0" + ]; + + boot.blacklistedKernelModules = [ + # Obscure networking protocols + "dccp" + "sctp" + "rds" + "tipc" + "n-hdlc" + "x25" + "decnet" + "econet" + "af_802154" + "ipx" + "appletalk" + "psnap" + "p8023" + "p8022" + "can" + "atm" + # Various rare filesystems + "jffs2" + "hfsplus" + "squashfs" + "udf" + "cifs" + "nfs" + "nfsv3" + "nfsv4" + "gfs2" + # vivid driver is only useful for testing purposes and has been the cause + # of privilege escalation vulnerabilities + "vivid" + # Disable Bluetooth + "bluetooth" + "btusb" + # Disable webcam + "uvcvideo" + # Disable Thunderbolt and FireWire to prevent DMA attacks + "thunderbolt" + "firewire-core" + ]; + + services.usbguard.enable = true; +} diff --git a/test/tests.nix b/test/tests.nix index 14d2877..fa1386a 100644 --- a/test/tests.nix +++ b/test/tests.nix @@ -188,7 +188,7 @@ let hardened = { imports = [ scenarios.secureNode - ../modules/presets/hardened.nix + ../modules/presets/hardened-extended.nix ]; };