swendel/nixpkgs
1
0
Fork 0
mirror of https://github.com/SebastianWendel/nixpkgs.git synced 2024-11-05 17:56:46 +01:00
Code Issues Packages Projects Releases Wiki Activity
nixpkgs/nixos/modules/profiles/hardened.nix

43 lines
1.3 KiB
Nix
Raw Normal View History

nixos: add a "hardened" profile The idea is to provide a convenient way to enable most vanilla hardening features in one go. The hardened profile, then, will serve as a place for features that enhance security but cannot be enabled for all deployments because they interfere with legitimate use cases (e.g., using ptrace to debug problems in an already running process). Closes https://github.com/NixOS/nixpkgs/pull/24680
2017-04-06 14:54:45 +02:00
# A profile with most (vanilla) hardening options enabled by default,
# potentially at the cost of features and performance.
{ config, lib, pkgs, ... }:
with lib;
{
security.hideProcessInformation = mkDefault true;
nixos/hardened profile: lock kernel modules
2017-04-29 22:46:20 +02:00
security.lockKernelModules = mkDefault true;
nixos: add a "hardened" profile The idea is to provide a convenient way to enable most vanilla hardening features in one go. The hardened profile, then, will serve as a place for features that enhance security but cannot be enabled for all deployments because they interfere with legitimate use cases (e.g., using ptrace to debug problems in an already running process). Closes https://github.com/NixOS/nixpkgs/pull/24680
2017-04-06 14:54:45 +02:00
security.apparmor.enable = mkDefault true;
nixos/hardened profile: disable legacy virtual syscalls This eliminates a theoretical risk of ASLR bypass due to the fixed address mapping used by the legacy vsyscall mechanism. Modern glibc use vdso(7) instead so there is no loss of functionality, but some programs may fail to run in this configuration. Programs that fail to run because vsyscall has been disabled will be logged to dmesg. For background on virtual syscalls see https://lwn.net/Articles/446528/ Closes https://github.com/NixOS/nixpkgs/pull/25289
2017-04-29 17:27:08 +02:00
boot.kernelParams = [
# Disable legacy virtual syscalls
"vsyscall=none"
];
nixos: add a "hardened" profile The idea is to provide a convenient way to enable most vanilla hardening features in one go. The hardened profile, then, will serve as a place for features that enhance security but cannot be enabled for all deployments because they interfere with legitimate use cases (e.g., using ptrace to debug problems in an already running process). Closes https://github.com/NixOS/nixpkgs/pull/24680
2017-04-06 14:54:45 +02:00
# Restrict ptrace() usage to processes with a pre-defined relationship
# (e.g., parent/child)
boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;
# Prevent replacing the running kernel image w/o reboot
boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
# Restrict access to kernel ring buffer (information leaks)
boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true;
# Hide kptrs even for processes with CAP_SYSLOG
boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;
# Unprivileged access to bpf() has been used for privilege escalation in
# the past
boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = mkDefault true;
# Disable bpf() JIT (to eliminate spray attacks)
boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;
# ... or at least apply some hardening to it
boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true;
}
Reference in a new issue Copy permalink