authortzlil <tzlils@protonmail.com>2022-12-13 02:15:50 +0200
committertzlil <tzlils@protonmail.com>2022-12-13 02:15:50 +0200
commit24637dfdfdd6dc8d116542f16a07d808c9e43c36 (patch)
tree369b5fb04e408604d481984b35aa02523217dbfd /profiles/security.nix
first commit
Diffstat (limited to 'profiles/security.nix')
-rw-r--r--profiles/security.nix67
1 files changed, 67 insertions, 0 deletions
diff --git a/profiles/security.nix b/profiles/security.nix
new file mode 100644
index 0000000..e28431b
--- /dev/null
+++ b/profiles/security.nix
@@ -0,0 +1,67 @@
+{ pkgs, lib, config, inputs, ... }:
+
+{
+  imports = [];
+  config = {
+    security.auditd.enable = true;
+    security.audit.enable = true;
+    security.audit.rules = [
+      "-a exit,always -F arch=b64 -S execve"
+    ];
+
+    environment.memoryAllocator.provider = "scudo";
+    environment.variables.SCUDO_OPTIONS = "ZeroContents=1";
+
+    security.lockKernelModules = true;
+    security.protectKernelImage = true;
+    security.allowSimultaneousMultithreading = false;
+    security.forcePageTableIsolation = true;
+
+    security.virtualisation.flushL1DataCache = "always";
+
+    security.apparmor.enable = true;
+    security.apparmor.killUnconfinedConfinables = true;
+
+    # Restrict ptrace() usage to processes with a pre-defined relationship
+    # (e.g., parent/child)
+    boot.kernel.sysctl."kernel.yama.ptrace_scope" = lib.mkOverride 500 1;
+
+    # Hide kptrs even for processes with CAP_SYSLOG
+    boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkOverride 500 2;
+
+    # Disable bpf() JIT (to eliminate spray attacks)
+    boot.kernel.sysctl."net.core.bpf_jit_enable" = false;
+
+    # Disable ftrace debugging
+    boot.kernel.sysctl."kernel.ftrace_enabled" = false;
+
+    # Enable strict reverse path filtering (that is, do not attempt to route
+    # packets that "obviously" do not belong to the iface's network; dropped
+    # packets are logged as martians).
+    boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = true;
+    boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "1";
+    boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = true;
+    boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "1";
+
+    # Ignore broadcast ICMP (mitigate SMURF)
+    boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = true;
+
+    # Ignore incoming ICMP redirects (note: default is needed to ensure that the
+    # setting is applied to interfaces added after the sysctls are set)
+    boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = false;
+    boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = false;
+    boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = false;
+    boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = false;
+    boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = false;
+    boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = false;
+
+    # Ignore outgoing ICMP redirects (this is ipv4 only)
+    boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false;
+    boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false;
+
+    security.chromiumSuidSandbox.enable = true;
+    
+    security.sudo.execWheelOnly = true;
+    security.sudo.extraConfig = "Defaults        lecture = never";
+  };
+}
\ No newline at end of file
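Review bot: The single rule in `security.audit.rules` only matches `arch=b64`, so an execve issued through the 32-bit compat ABI (a 32-bit binary, or a payload deliberately using the compat entry point) leaves no audit record even though the intent is clearly to log all process execution. Add the companion rule `"-a exit,always -F arch=b32 -S execve"` alongside the existing one, and tag both with `-k exec` so `ausearch -k exec` returns the full picture; if the kernel is built without 32-bit emulation the b32 rule may be rejected at load time, so confirm on the target kernel. Separately, `security.lockKernelModules = true` blocks module loading after boot, so any module that is normally autoloaded later (e.g. for hot-plugged devices or VPN/filter stacks) presumably needs listing in `boot.kernelModules` or it will silently fail to load — worth a comment next to that line stating the expectation. Minor style point: the sysctl values mix booleans (`= false`) with strings (`rp_filter = "1"`); picking one form keeps the block uniform, though NixOS accepts both.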