From feefcfc89b00d4955dbb3314c20be035f3db206f Mon Sep 17 00:00:00 2001 From: tzlil Date: Sat, 29 Jul 2023 20:53:14 +0300 Subject: disko for laptop, wip rewrite --- profiles/security.nix | 135 ++++++++++++++++++++++++-------------------------- 1 file changed, 66 insertions(+), 69 deletions(-) (limited to 'profiles/security.nix') diff --git a/profiles/security.nix b/profiles/security.nix index 63c5fe4..40d5bf4 100644 --- a/profiles/security.nix +++ b/profiles/security.nix @@ -1,75 +1,72 @@ { - pkgs, lib, config, - inputs, ... }: { - imports = []; - config = { - programs.firejail.enable = true; - security.auditd.enable = true; - security.audit.enable = true; - security.audit.rules = [ - "-a exit,always -F arch=b64 -S execve" - ]; - - # https://source.android.com/docs/security/test/scudo - environment.memoryAllocator.provider = "scudo"; - environment.variables.SCUDO_OPTIONS = "ZeroContents=1"; - - security.lockKernelModules = true; - security.protectKernelImage = true; - security.allowSimultaneousMultithreading = false; - security.forcePageTableIsolation = true; - - security.unprivilegedUsernsClone = config.virtualisation.containers.enable; - - security.virtualisation.flushL1DataCache = "always"; - - security.apparmor.enable = true; - security.apparmor.killUnconfinedConfinables = true; - - # Restrict ptrace() usage to processes with a pre-defined relationship - # (e.g., parent/child) - boot.kernel.sysctl."kernel.yama.ptrace_scope" = lib.mkOverride 500 1; - - # Hide kptrs even for processes with CAP_SYSLOG - boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkOverride 500 2; - - # Disable bpf() JIT (to eliminate spray attacks) - boot.kernel.sysctl."net.core.bpf_jit_enable" = false; - - # Disable ftrace debugging - boot.kernel.sysctl."kernel.ftrace_enabled" = false; - - # Enable strict reverse path filtering (that is, do not attempt to route - # packets that "obviously" do not belong to the iface's network; dropped - # packets are logged as martians). - boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = true; - boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "1"; - boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = true; - boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "1"; - - # Ignore broadcast ICMP (mitigate SMURF) - boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = true; - - # Ignore incoming ICMP redirects (note: default is needed to ensure that the - # setting is applied to interfaces added after the sysctls are set) - boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = false; - boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = false; - boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = false; - boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = false; - boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = false; - boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = false; - - # Ignore outgoing ICMP redirects (this is ipv4 only) - boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false; - boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false; - - security.chromiumSuidSandbox.enable = true; - - security.sudo.execWheelOnly = true; - security.sudo.extraConfig = "Defaults lecture = never"; - }; + programs.firejail.enable = true; + security.auditd.enable = true; + security.audit.enable = true; + security.audit.rules = [ + "-a exit,always -F arch=b64 -S execve" + ]; + + # https://source.android.com/docs/security/test/scudo + environment.memoryAllocator.provider = "scudo"; + environment.variables.SCUDO_OPTIONS = "ZeroContents=1"; + + security.lockKernelModules = true; + security.protectKernelImage = true; + security.allowSimultaneousMultithreading = false; + security.forcePageTableIsolation = true; + + security.unprivilegedUsernsClone = config.virtualisation.containers.enable; + + security.virtualisation.flushL1DataCache = "always"; + + security.apparmor.enable = true; + security.apparmor.killUnconfinedConfinables = true; + + # Restrict ptrace() usage to processes with a pre-defined relationship + # (e.g., parent/child) + boot.kernel.sysctl."kernel.yama.ptrace_scope" = lib.mkOverride 500 1; + + # Hide kptrs even for processes with CAP_SYSLOG + boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkOverride 500 2; + + # Disable bpf() JIT (to eliminate spray attacks) + boot.kernel.sysctl."net.core.bpf_jit_enable" = false; + + # Disable ftrace debugging + boot.kernel.sysctl."kernel.ftrace_enabled" = false; + + # Enable strict reverse path filtering (that is, do not attempt to route + # packets that "obviously" do not belong to the iface's network; dropped + # packets are logged as martians). + boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = true; + boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "1"; + boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = true; + boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "1"; + + # Ignore broadcast ICMP (mitigate SMURF) + boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = true; + + # Ignore incoming ICMP redirects (note: default is needed to ensure that the + # setting is applied to interfaces added after the sysctls are set) + boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = false; + boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = false; + boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = false; + boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = false; + boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = false; + boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = false; + + # Ignore outgoing ICMP redirects (this is ipv4 only) + boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false; + boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false; + + security.chromiumSuidSandbox.enable = true; + + security.sudo.execWheelOnly = true; + security.sudo.extraConfig = "Defaults lecture = never"; + + environment.defaultPackages = lib.mkForce []; } -- cgit 1.4.1