nixpkgs/nixos/modules/profiles/hardened.nix

# A profile with most (vanilla) hardening options enabled by default,
# potentially at the cost of features and performance.

{ lib, pkgs, ... }:

with lib;

{
  meta = {
    maintainers = [ maintainers.joachifm ];
  };

  boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;

  nix.allowedUsers = mkDefault [ "@users" ];

  security.hideProcessInformation = mkDefault true;

  security.lockKernelModules = mkDefault true;

  security.allowUserNamespaces = mkDefault false;

  security.protectKernelImage = mkDefault true;

  security.allowSimultaneousMultithreading = mkDefault false;

  security.forcePageTableIsolation = mkDefault true;

  security.virtualisation.flushL1DataCache = mkDefault "always";

  security.apparmor.enable = mkDefault true;

  boot.kernelParams = [
    # Slab/slub sanity checks, redzoning, and poisoning
    "slub_debug=FZP"

    # Disable slab merging to make certain heap overflow attacks harder
    "slab_nomerge"

    # Overwrite free'd memory
    "page_poison=1"

    # Disable legacy virtual syscalls
    "vsyscall=none"

    # Enable page allocator randomization
    "page_alloc.shuffle=1"
  ];

  boot.blacklistedKernelModules = [
    # Obscure network protocols
    "ax25"
    "netrom"
    "rose"
  ];

  # Restrict ptrace() usage to processes with a pre-defined relationship
  # (e.g., parent/child)
  boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;

  # Restrict access to kernel ring buffer (information leaks)
  boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true;

  # Hide kptrs even for processes with CAP_SYSLOG
  boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;

  # Unprivileged access to bpf() has been used for privilege escalation in
  # the past
  boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = mkDefault true;

  # Disable bpf() JIT (to eliminate spray attacks)
  boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;

  # ... or at least apply some hardening to it
  boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true;

  # Raise ASLR entropy for 64bit & 32bit, respectively.
  #
  # Note: mmap_rnd_compat_bits may not exist on 64bit.
  boot.kernel.sysctl."vm.mmap_rnd_bits" = mkDefault 32;
  boot.kernel.sysctl."vm.mmap_rnd_compat_bits" = mkDefault 16;

  # Allowing users to mmap() memory starting at virtual address 0 can turn a
  # NULL dereference bug in the kernel into code execution with elevated
  # privilege.  Mitigate by enforcing a minimum base addr beyond the NULL memory
  # space.  This breaks applications that require mapping the 0 page, such as
  # dosemu or running 16bit applications under wine.  It also breaks older
  # versions of qemu.
  #
  # The value is taken from the KSPP recommendations (Debian uses 4096).
  boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536;

  # Disable ftrace debugging
  boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;

  # Enable strict reverse path filtering (that is, do not attempt to route
  # packets that "obviously" do not belong to the iface's network; dropped
  # packets are logged as martians).
  boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;
  boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1";
  boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true;
  boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1";

  # Ignore broadcast ICMP (mitigate SMURF)
  boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;

  # Ignore incoming ICMP redirects (note: default is needed to ensure that the
  # setting is applied to interfaces added after the sysctls are set)
  boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false;
  boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = mkDefault false;
  boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = mkDefault false;
  boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = mkDefault false;
  boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = mkDefault false;
  boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = mkDefault false;

  # Ignore outgoing ICMP redirects (this is ipv4 only)
  boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false;
  boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false;

  # Restrict userfaultfd syscalls to processes with the SYS_PTRACE capability
  boot.kernel.sysctl."vm.unprivileged_userfaultfd" = mkDefault false;
}
nixos: add a "hardened" profile The idea is to provide a convenient way to enable most vanilla hardening features in one go. The hardened profile, then, will serve as a place for features that enhance security but cannot be enabled for all deployments because they interfere with legitimate use cases (e.g., using ptrace to debug problems in an already running process). Closes https://github.com/NixOS/nixpkgs/pull/24680 2017-04-06 12:54:45 +00:00			`# A profile with most (vanilla) hardening options enabled by default,`
			`# potentially at the cost of features and performance.`

[bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00			`{ lib, pkgs, ... }:`
nixos: add a "hardened" profile The idea is to provide a convenient way to enable most vanilla hardening features in one go. The hardened profile, then, will serve as a place for features that enhance security but cannot be enabled for all deployments because they interfere with legitimate use cases (e.g., using ptrace to debug problems in an already running process). Closes https://github.com/NixOS/nixpkgs/pull/24680 2017-04-06 12:54:45 +00:00
			`with lib;`

			`{`
nixos/hardened: add myself to maintainers 2018-10-14 22:18:33 +00:00			`meta = {`
			`maintainers = [ maintainers.joachifm ];`
			`};`

nixos/hardened profile: use the linux_hardened kernel 2017-04-29 23:22:32 +00:00			`boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;`

nixos/hardened: restrict access to nix daemon 2018-11-24 14:13:03 +00:00			`nix.allowedUsers = mkDefault [ "@users" ];`

nixos: add a "hardened" profile The idea is to provide a convenient way to enable most vanilla hardening features in one go. The hardened profile, then, will serve as a place for features that enhance security but cannot be enabled for all deployments because they interfere with legitimate use cases (e.g., using ptrace to debug problems in an already running process). Closes https://github.com/NixOS/nixpkgs/pull/24680 2017-04-06 12:54:45 +00:00			`security.hideProcessInformation = mkDefault true;`

nixos/hardened profile: lock kernel modules 2017-04-29 20:46:20 +00:00			`security.lockKernelModules = mkDefault true;`

nixos/security/misc: init A module for security options that are too small to warrant their own module. The impetus for adding this module is to make it more convenient to override the behavior of the hardened profile wrt user namespaces. Without a dedicated option for user namespaces, the user needs to 1) know which sysctl knob controls userns 2) know how large a value the sysctl knob needs to allow e.g., Nix sandbox builds to work In the future, other mitigations currently enabled by the hardened profile may be promoted to options in this module. 2018-10-14 22:39:26 +00:00			`security.allowUserNamespaces = mkDefault false;`

nixos/security/misc: factor out protectKernelImage Introduces the option security.protectKernelImage that is intended to control various mitigations to protect the integrity of the running kernel image (i.e., prevent replacing it without rebooting). This makes sense as a dedicated module as it is otherwise somewhat difficult to override for hardened profile users who want e.g., hibernation to work. 2018-12-16 09:37:36 +00:00			`security.protectKernelImage = mkDefault true;`

nixos/security/misc: expose SMT control option For the hardened profile disable symmetric multi threading. There seems to be no proven method of exploiting cache sharing between threads on the same CPU core, so this may be considered quite paranoid, considering the perf cost. SMT can be controlled at runtime, however. This is in keeping with OpenBSD defaults. TODO: since SMT is left to be controlled at runtime, changing the option definition should take effect on system activation. Write to /sys/devices/system/cpu/smt/control 2018-12-26 21:24:04 +00:00			`security.allowSimultaneousMultithreading = mkDefault false;`

nixos/hardened: make pti=on overridable Introduces a new security.forcePageTableIsolation option (default false on !hardened, true on hardened) that forces pti=on. 2019-07-30 00:24:56 +00:00			`security.forcePageTableIsolation = mkDefault true;`

Renaming security.virtualization.flushL1DataCache to virtualisation Fixes #65044 2019-07-19 13:49:37 +00:00			`security.virtualisation.flushL1DataCache = mkDefault "always";`
nixos/security/misc: expose l1tf mitigation option For the hardened profile enable flushing whenever the hypervisor enters the guest, but otherwise leave at kernel default (conditional flushing as of writing). 2018-12-26 21:22:55 +00:00
nixos: add a "hardened" profile The idea is to provide a convenient way to enable most vanilla hardening features in one go. The hardened profile, then, will serve as a place for features that enhance security but cannot be enabled for all deployments because they interfere with legitimate use cases (e.g., using ptrace to debug problems in an already running process). Closes https://github.com/NixOS/nixpkgs/pull/24680 2017-04-06 12:54:45 +00:00			`security.apparmor.enable = mkDefault true;`

nixos/hardened profile: disable legacy virtual syscalls This eliminates a theoretical risk of ASLR bypass due to the fixed address mapping used by the legacy vsyscall mechanism. Modern glibc use vdso(7) instead so there is no loss of functionality, but some programs may fail to run in this configuration. Programs that fail to run because vsyscall has been disabled will be logged to dmesg. For background on virtual syscalls see https://lwn.net/Articles/446528/ Closes https://github.com/NixOS/nixpkgs/pull/25289 2017-04-29 15:27:08 +00:00			`boot.kernelParams = [`
nixos/hardened profile: slab/slub hardening slab_nomerge may reduce surface somewhat slub_debug is used to enable additional sanity checks and "red zones" around allocations to detect read/writes beyond the allocated area, as well as poisoning to overwrite free'd data. The cost is yet more memory fragmentation ... 2019-01-05 12:47:25 +00:00			`# Slab/slub sanity checks, redzoning, and poisoning`
			`"slub_debug=FZP"`

			`# Disable slab merging to make certain heap overflow attacks harder`
			`"slab_nomerge"`

nixos/hardened profile: use the linux_hardened kernel 2017-04-29 23:22:32 +00:00			`# Overwrite free'd memory`
			`"page_poison=1"`

nixos/hardened profile: disable legacy virtual syscalls This eliminates a theoretical risk of ASLR bypass due to the fixed address mapping used by the legacy vsyscall mechanism. Modern glibc use vdso(7) instead so there is no loss of functionality, but some programs may fail to run in this configuration. Programs that fail to run because vsyscall has been disabled will be logged to dmesg. For background on virtual syscalls see https://lwn.net/Articles/446528/ Closes https://github.com/NixOS/nixpkgs/pull/25289 2017-04-29 15:27:08 +00:00			`# Disable legacy virtual syscalls`
			`"vsyscall=none"`
nixos-hardened: enable page alloc randomization 2019-08-15 16:24:24 +00:00
			`# Enable page allocator randomization`
			`"page_alloc.shuffle=1"`
nixos/hardened profile: disable legacy virtual syscalls This eliminates a theoretical risk of ASLR bypass due to the fixed address mapping used by the legacy vsyscall mechanism. Modern glibc use vdso(7) instead so there is no loss of functionality, but some programs may fail to run in this configuration. Programs that fail to run because vsyscall has been disabled will be logged to dmesg. For background on virtual syscalls see https://lwn.net/Articles/446528/ Closes https://github.com/NixOS/nixpkgs/pull/25289 2017-04-29 15:27:08 +00:00			`];`

nixos/hardened: blacklist a few obscure net protocols 2017-09-02 23:49:01 +00:00			`boot.blacklistedKernelModules = [`
			`# Obscure network protocols`
			`"ax25"`
			`"netrom"`
			`"rose"`
			`];`

nixos: add a "hardened" profile The idea is to provide a convenient way to enable most vanilla hardening features in one go. The hardened profile, then, will serve as a place for features that enhance security but cannot be enabled for all deployments because they interfere with legitimate use cases (e.g., using ptrace to debug problems in an already running process). Closes https://github.com/NixOS/nixpkgs/pull/24680 2017-04-06 12:54:45 +00:00			`# Restrict ptrace() usage to processes with a pre-defined relationship`
			`# (e.g., parent/child)`
			`boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;`

			`# Restrict access to kernel ring buffer (information leaks)`
			`boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true;`

			`# Hide kptrs even for processes with CAP_SYSLOG`
			`boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;`

			`# Unprivileged access to bpf() has been used for privilege escalation in`
			`# the past`
			`boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = mkDefault true;`

			`# Disable bpf() JIT (to eliminate spray attacks)`
			`boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;`

			`# ... or at least apply some hardening to it`
			`boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true;`
nixos/hardened profile: disable user namespaces at runtime 2017-04-30 12:41:56 +00:00
nixos/hardened profile: increase ASLR entropy 2017-08-12 22:17:43 +00:00			`# Raise ASLR entropy for 64bit & 32bit, respectively.`
			`#`
			`# Note: mmap_rnd_compat_bits may not exist on 64bit.`
			`boot.kernel.sysctl."vm.mmap_rnd_bits" = mkDefault 32;`
			`boot.kernel.sysctl."vm.mmap_rnd_compat_bits" = mkDefault 16;`
nixos/hardened: set mmap_min_addr This is set in the hardened linux config as well but sysctl is more flexible & works with any boot.kernelPackages 2017-09-02 23:48:46 +00:00
			`# Allowing users to mmap() memory starting at virtual address 0 can turn a`
			`# NULL dereference bug in the kernel into code execution with elevated`
			`# privilege. Mitigate by enforcing a minimum base addr beyond the NULL memory`
			`# space. This breaks applications that require mapping the 0 page, such as`
			`# dosemu or running 16bit applications under wine. It also breaks older`
			`# versions of qemu.`
			`#`
			`# The value is taken from the KSPP recommendations (Debian uses 4096).`
			`boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536;`
nixos/hardened: disable ftrace by default 2019-07-04 16:50:48 +00:00
			`# Disable ftrace debugging`
			`boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;`
nixos/hardened: harder inet defaults See e.g., https://github.com/NixOS/nixpkgs/issues/63768 Forwarding remains enabled for now, need to determine its effects on virtualization, if any. 2019-07-04 16:51:06 +00:00
nixos/systemd: install sysctl snippets systemd provides two sysctl snippets, 50-coredump.conf and 50-default.conf. These enable: - Loose reverse path filtering - Source route filtering - `fq_codel` as a packet scheduler (this helps to fight bufferbloat) This also configures the kernel to pass coredumps to `systemd-coredump`. These sysctl snippets can be found in `/etc/sysctl.d/50-*.conf`, and overridden via `boot.kernel.sysctl` (which will place the parameters in `/etc/sysctl.d/60-nixos.conf`. Let's start using these, like other distros already do for quite some time, and remove those duplicate `boot.kernel.sysctl` options we previously did set. In the case of rp_filter (which systemd would set to 2 (loose)), make our overrides to "1" more explicit. 2019-08-11 11:32:24 +00:00			`# Enable strict reverse path filtering (that is, do not attempt to route`
			`# packets that "obviously" do not belong to the iface's network; dropped`
			`# packets are logged as martians).`
nixos/hardened: harder inet defaults See e.g., https://github.com/NixOS/nixpkgs/issues/63768 Forwarding remains enabled for now, need to determine its effects on virtualization, if any. 2019-07-04 16:51:06 +00:00			`boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;`
nixos/systemd: install sysctl snippets systemd provides two sysctl snippets, 50-coredump.conf and 50-default.conf. These enable: - Loose reverse path filtering - Source route filtering - `fq_codel` as a packet scheduler (this helps to fight bufferbloat) This also configures the kernel to pass coredumps to `systemd-coredump`. These sysctl snippets can be found in `/etc/sysctl.d/50-*.conf`, and overridden via `boot.kernel.sysctl` (which will place the parameters in `/etc/sysctl.d/60-nixos.conf`. Let's start using these, like other distros already do for quite some time, and remove those duplicate `boot.kernel.sysctl` options we previously did set. In the case of rp_filter (which systemd would set to 2 (loose)), make our overrides to "1" more explicit. 2019-08-11 11:32:24 +00:00			`boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1";`
nixos/hardened: harder inet defaults See e.g., https://github.com/NixOS/nixpkgs/issues/63768 Forwarding remains enabled for now, need to determine its effects on virtualization, if any. 2019-07-04 16:51:06 +00:00			`boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true;`
nixos/systemd: install sysctl snippets systemd provides two sysctl snippets, 50-coredump.conf and 50-default.conf. These enable: - Loose reverse path filtering - Source route filtering - `fq_codel` as a packet scheduler (this helps to fight bufferbloat) This also configures the kernel to pass coredumps to `systemd-coredump`. These sysctl snippets can be found in `/etc/sysctl.d/50-*.conf`, and overridden via `boot.kernel.sysctl` (which will place the parameters in `/etc/sysctl.d/60-nixos.conf`. Let's start using these, like other distros already do for quite some time, and remove those duplicate `boot.kernel.sysctl` options we previously did set. In the case of rp_filter (which systemd would set to 2 (loose)), make our overrides to "1" more explicit. 2019-08-11 11:32:24 +00:00			`boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1";`
nixos/hardened: harder inet defaults See e.g., https://github.com/NixOS/nixpkgs/issues/63768 Forwarding remains enabled for now, need to determine its effects on virtualization, if any. 2019-07-04 16:51:06 +00:00
			`# Ignore broadcast ICMP (mitigate SMURF)`
			`boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;`

			`# Ignore incoming ICMP redirects (note: default is needed to ensure that the`
			`# setting is applied to interfaces added after the sysctls are set)`
			`boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false;`
			`boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = mkDefault false;`
			`boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = mkDefault false;`
			`boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = mkDefault false;`
			`boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = mkDefault false;`
			`boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = mkDefault false;`

			`# Ignore outgoing ICMP redirects (this is ipv4 only)`
			`boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false;`
			`boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false;`
nixos-hardened: disable unprivileged userfaultfd syscalls New in 5.2 [1] [1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0 2019-07-18 12:00:28 +00:00
			`# Restrict userfaultfd syscalls to processes with the SYS_PTRACE capability`
			`boot.kernel.sysctl."vm.unprivileged_userfaultfd" = mkDefault false;`
nixos: add a "hardened" profile The idea is to provide a convenient way to enable most vanilla hardening features in one go. The hardened profile, then, will serve as a place for features that enhance security but cannot be enabled for all deployments because they interfere with legitimate use cases (e.g., using ptrace to debug problems in an already running process). Closes https://github.com/NixOS/nixpkgs/pull/24680 2017-04-06 12:54:45 +00:00			`}`