add hardened-extended preset
This commit is contained in:
parent
4a2bc280e0
commit
3b938a909f
@ -10,6 +10,11 @@
|
|||||||
# decreases performance by ~50%.
|
# decreases performance by ~50%.
|
||||||
# Turn it off when not needed.
|
# Turn it off when not needed.
|
||||||
<nix-bitcoin/modules/presets/hardened.nix>
|
<nix-bitcoin/modules/presets/hardened.nix>
|
||||||
|
#
|
||||||
|
# You can enable the hardened-extended preset instead to further improve security
|
||||||
|
# at the cost of functionality and performance.
|
||||||
|
# See the comments at the top of `hardened-extended.nix` for further details.
|
||||||
|
# <nix-bitcoin/modules/presets/hardened-extended.nix>
|
||||||
|
|
||||||
# FIXME: Uncomment next line to import your hardware configuration. If so,
|
# FIXME: Uncomment next line to import your hardware configuration. If so,
|
||||||
# add the hardware configuration file to the same directory as this file.
|
# add the hardware configuration file to the same directory as this file.
|
||||||
|
141
modules/presets/hardened-extended.nix
Normal file
141
modules/presets/hardened-extended.nix
Normal file
@ -0,0 +1,141 @@
|
|||||||
|
# This preset adds additional hardening settings on top of the
|
||||||
|
# default ./hardened.nix preset.
|
||||||
|
# These settings trade even more functionality and performance for increased security.
|
||||||
|
|
||||||
|
# This preset enables usbguard. Use `services.usbguard.rules` to whitelist
|
||||||
|
# select devices.
|
||||||
|
#
|
||||||
|
# See madaidan's Linux Hardening Guide for detailed explanations:
|
||||||
|
# https://madaidans-insecurities.github.io/guides/linux-hardening.html
|
||||||
|
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
# Build on standard hardened preset
|
||||||
|
./hardened.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.kernel.sysctl = {
|
||||||
|
# Prevent boot console kernel log information leaks
|
||||||
|
"kernel.printk" = "3 3 3 3";
|
||||||
|
|
||||||
|
# Restrict loading TTY line disciplines to the CAP_SYS_MODULE capability to
|
||||||
|
# prevent unprivileged attackers from loading vulnerable line disciplines with
|
||||||
|
# the TIOCSETD ioctl
|
||||||
|
"dev.tty.ldisc_autoload" = "0";
|
||||||
|
|
||||||
|
# The SysRq key exposes a lot of potentially dangerous debugging functionality
|
||||||
|
# to unprivileged users
|
||||||
|
"kernel.sysrq" = "4";
|
||||||
|
|
||||||
|
# Protect against time-wait assassination by dropping RST packets for sockets
|
||||||
|
# in the time-wait state
|
||||||
|
"net.ipv4.tcp_rfc1337" = "1";
|
||||||
|
|
||||||
|
# Disable accepting IPv6 router advertisements
|
||||||
|
"net.ipv6.conf.all.accept_ra" = "0";
|
||||||
|
"net.ipv6.default.accept_ra" = "0";
|
||||||
|
|
||||||
|
# Disable TCP SACK. SACK is commonly exploited and unnecessary for many
|
||||||
|
# circumstances so it should be disabled if you don't require it
|
||||||
|
"net.ipv4.tcp_sack" = "0";
|
||||||
|
"net.ipv4.tcp_dsack" = "0";
|
||||||
|
|
||||||
|
# Restrict usage of ptrace to only processes with the CAP_SYS_PTRACE
|
||||||
|
# capability
|
||||||
|
"kernel.yama.ptrace_scope" = "2";
|
||||||
|
|
||||||
|
# Prevent creating files in potentially attacker-controlled environments such
|
||||||
|
# as world-writable directories to make data spoofing attacks more difficult
|
||||||
|
"fs.protected_fifos" = "2";
|
||||||
|
"fs.protected_regular" = "2";
|
||||||
|
|
||||||
|
# Avoid leaking system time with TCP timestamps
|
||||||
|
"net.ipv4.tcp_timestamps" = "0";
|
||||||
|
|
||||||
|
# Disable core dumps
|
||||||
|
"syskernel.core_pattern" = "|/bin/false";
|
||||||
|
"fs.suid_dumpable" = "0";
|
||||||
|
|
||||||
|
# Only swap when absolutely necessary
|
||||||
|
"vm.swappiness" = "1";
|
||||||
|
};
|
||||||
|
|
||||||
|
boot.kernelParams = [
|
||||||
|
# Disable slab merging which significantly increases the difficulty of heap
|
||||||
|
# exploitation by preventing overwriting objects from merged caches and by
|
||||||
|
# making it harder to influence slab cache layout
|
||||||
|
"slab_nomerge"
|
||||||
|
|
||||||
|
# Disable vsyscalls as they are obsolete and have been replaced with vDSO.
|
||||||
|
# vsyscalls are also at fixed addresses in memory, making them a potential
|
||||||
|
# target for ROP attacks
|
||||||
|
"vsyscall=none"
|
||||||
|
|
||||||
|
# Disable debugfs which exposes a lot of sensitive information about the
|
||||||
|
# kernel
|
||||||
|
"debugfs=off"
|
||||||
|
|
||||||
|
# Sometimes certain kernel exploits will cause what is known as an "oops".
|
||||||
|
# This parameter will cause the kernel to panic on such oopses, thereby
|
||||||
|
# preventing those exploits
|
||||||
|
"oops=panic"
|
||||||
|
|
||||||
|
# Only allow kernel modules that have been signed with a valid key to be
|
||||||
|
# loaded, which increases security by making it much harder to load a
|
||||||
|
# malicious kernel module
|
||||||
|
"module.sig_enforce=1"
|
||||||
|
|
||||||
|
# The kernel lockdown LSM can eliminate many methods that user space code
|
||||||
|
# could abuse to escalate to kernel privileges and extract sensitive
|
||||||
|
# information. This LSM is necessary to implement a clear security boundary
|
||||||
|
# between user space and the kernel
|
||||||
|
"lockdown=confidentiality"
|
||||||
|
|
||||||
|
# These parameters prevent information leaks during boot and must be used
|
||||||
|
# in combination with the kernel.printk
|
||||||
|
"quiet loglevel=0"
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.blacklistedKernelModules = [
|
||||||
|
# Obscure networking protocols
|
||||||
|
"dccp"
|
||||||
|
"sctp"
|
||||||
|
"rds"
|
||||||
|
"tipc"
|
||||||
|
"n-hdlc"
|
||||||
|
"x25"
|
||||||
|
"decnet"
|
||||||
|
"econet"
|
||||||
|
"af_802154"
|
||||||
|
"ipx"
|
||||||
|
"appletalk"
|
||||||
|
"psnap"
|
||||||
|
"p8023"
|
||||||
|
"p8022"
|
||||||
|
"can"
|
||||||
|
"atm"
|
||||||
|
# Various rare filesystems
|
||||||
|
"jffs2"
|
||||||
|
"hfsplus"
|
||||||
|
"squashfs"
|
||||||
|
"udf"
|
||||||
|
"cifs"
|
||||||
|
"nfs"
|
||||||
|
"nfsv3"
|
||||||
|
"nfsv4"
|
||||||
|
"gfs2"
|
||||||
|
# vivid driver is only useful for testing purposes and has been the cause
|
||||||
|
# of privilege escalation vulnerabilities
|
||||||
|
"vivid"
|
||||||
|
# Disable Bluetooth
|
||||||
|
"bluetooth"
|
||||||
|
"btusb"
|
||||||
|
# Disable webcam
|
||||||
|
"uvcvideo"
|
||||||
|
# Disable Thunderbolt and FireWire to prevent DMA attacks
|
||||||
|
"thunderbolt"
|
||||||
|
"firewire-core"
|
||||||
|
];
|
||||||
|
|
||||||
|
services.usbguard.enable = true;
|
||||||
|
}
|
@ -188,7 +188,7 @@ let
|
|||||||
hardened = {
|
hardened = {
|
||||||
imports = [
|
imports = [
|
||||||
scenarios.secureNode
|
scenarios.secureNode
|
||||||
../modules/presets/hardened.nix
|
../modules/presets/hardened-extended.nix
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user