Merge #307: Madaidan hardening

1ff5f8f01b hardening: use generic hostname by default (nixbitcoin)
d56a363d3d services: improve default hardening (nixbitcoin)
3b938a909f add hardened-extended preset (nixbitcoin)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK 1ff5f8f01b

Tree-SHA512: 4355dc4b1dab33c363e8133fe7dd909db74e4ab5c58a3d0f2d9628f2877acdaf1ac63164bcc5d68cf682ba81e5cf36c3fdbaffa74310a9454637647c5531ce3e
This commit is contained in:
Jonas Nick 2021-04-02 12:55:28 +00:00
commit 8a531f5cf7
No known key found for this signature in database
GPG Key ID: 4861DBF262123605
4 changed files with 153 additions and 2 deletions

View File

@ -10,6 +10,11 @@
# decreases performance by ~50%. # decreases performance by ~50%.
# Turn it off when not needed. # Turn it off when not needed.
<nix-bitcoin/modules/presets/hardened.nix> <nix-bitcoin/modules/presets/hardened.nix>
#
# You can enable the hardened-extended preset instead to further improve security
# at the cost of functionality and performance.
# See the comments at the top of `hardened-extended.nix` for further details.
# <nix-bitcoin/modules/presets/hardened-extended.nix>
# FIXME: Uncomment next line to import your hardware configuration. If so, # FIXME: Uncomment next line to import your hardware configuration. If so,
# add the hardware configuration file to the same directory as this file. # add the hardware configuration file to the same directory as this file.
@ -205,7 +210,7 @@
# services.joinmarket-ob-watcher.enable = true; # services.joinmarket-ob-watcher.enable = true;
# FIXME: Define your hostname. # FIXME: Define your hostname.
networking.hostName = "nix-bitcoin"; networking.hostName = "host";
time.timeZone = "UTC"; time.timeZone = "UTC";
# FIXME: Add your SSH pubkey # FIXME: Add your SSH pubkey

View File

@ -0,0 +1,141 @@
# This preset adds additional hardening settings on top of the
# default ./hardened.nix preset.
# These settings trade even more functionality and performance for increased security.
# This preset enables usbguard. Use `services.usbguard.rules` to whitelist
# select devices.
#
# See madaidan's Linux Hardening Guide for detailed explanations:
# https://madaidans-insecurities.github.io/guides/linux-hardening.html
{
imports = [
# Build on standard hardened preset
./hardened.nix
];
boot.kernel.sysctl = {
# Prevent boot console kernel log information leaks
"kernel.printk" = "3 3 3 3";
# Restrict loading TTY line disciplines to the CAP_SYS_MODULE capability to
# prevent unprivileged attackers from loading vulnerable line disciplines with
# the TIOCSETD ioctl
"dev.tty.ldisc_autoload" = "0";
# The SysRq key exposes a lot of potentially dangerous debugging functionality
# to unprivileged users
"kernel.sysrq" = "4";
# Protect against time-wait assassination by dropping RST packets for sockets
# in the time-wait state
"net.ipv4.tcp_rfc1337" = "1";
# Disable accepting IPv6 router advertisements
"net.ipv6.conf.all.accept_ra" = "0";
"net.ipv6.default.accept_ra" = "0";
# Disable TCP SACK. SACK is commonly exploited and unnecessary for many
# circumstances so it should be disabled if you don't require it
"net.ipv4.tcp_sack" = "0";
"net.ipv4.tcp_dsack" = "0";
# Restrict usage of ptrace to only processes with the CAP_SYS_PTRACE
# capability
"kernel.yama.ptrace_scope" = "2";
# Prevent creating files in potentially attacker-controlled environments such
# as world-writable directories to make data spoofing attacks more difficult
"fs.protected_fifos" = "2";
"fs.protected_regular" = "2";
# Avoid leaking system time with TCP timestamps
"net.ipv4.tcp_timestamps" = "0";
# Disable core dumps
"syskernel.core_pattern" = "|/bin/false";
"fs.suid_dumpable" = "0";
# Only swap when absolutely necessary
"vm.swappiness" = "1";
};
boot.kernelParams = [
# Disable slab merging which significantly increases the difficulty of heap
# exploitation by preventing overwriting objects from merged caches and by
# making it harder to influence slab cache layout
"slab_nomerge"
# Disable vsyscalls as they are obsolete and have been replaced with vDSO.
# vsyscalls are also at fixed addresses in memory, making them a potential
# target for ROP attacks
"vsyscall=none"
# Disable debugfs which exposes a lot of sensitive information about the
# kernel
"debugfs=off"
# Sometimes certain kernel exploits will cause what is known as an "oops".
# This parameter will cause the kernel to panic on such oopses, thereby
# preventing those exploits
"oops=panic"
# Only allow kernel modules that have been signed with a valid key to be
# loaded, which increases security by making it much harder to load a
# malicious kernel module
"module.sig_enforce=1"
# The kernel lockdown LSM can eliminate many methods that user space code
# could abuse to escalate to kernel privileges and extract sensitive
# information. This LSM is necessary to implement a clear security boundary
# between user space and the kernel
"lockdown=confidentiality"
# These parameters prevent information leaks during boot and must be used
# in combination with the kernel.printk
"quiet loglevel=0"
];
boot.blacklistedKernelModules = [
# Obscure networking protocols
"dccp"
"sctp"
"rds"
"tipc"
"n-hdlc"
"x25"
"decnet"
"econet"
"af_802154"
"ipx"
"appletalk"
"psnap"
"p8023"
"p8022"
"can"
"atm"
# Various rare filesystems
"jffs2"
"hfsplus"
"squashfs"
"udf"
"cifs"
"nfs"
"nfsv3"
"nfsv4"
"gfs2"
# vivid driver is only useful for testing purposes and has been the cause
# of privilege escalation vulnerabilities
"vivid"
# Disable Bluetooth
"bluetooth"
"btusb"
# Disable webcam
"uvcvideo"
# Disable Thunderbolt and FireWire to prevent DMA attacks
"thunderbolt"
"firewire-core"
];
services.usbguard.enable = true;
}

View File

@ -15,6 +15,11 @@ let self = {
MemoryDenyWriteExecute = "true"; MemoryDenyWriteExecute = "true";
ProtectKernelTunables = "true"; ProtectKernelTunables = "true";
ProtectKernelModules = "true"; ProtectKernelModules = "true";
ProtectKernelLogs = "true";
ProtectClock = "true";
# Test and enable these when systemd v247 is available
# ProtectProc = "invisible";
# ProcSubset = "pid";
ProtectControlGroups = "true"; ProtectControlGroups = "true";
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
RestrictNamespaces = "true"; RestrictNamespaces = "true";

View File

@ -188,7 +188,7 @@ let
hardened = { hardened = {
imports = [ imports = [
scenarios.secureNode scenarios.secureNode
../modules/presets/hardened.nix ../modules/presets/hardened-extended.nix
]; ];
}; };