NixOS Hardening: Difference between revisions
Initial page |
Link to Security#AppArmor |
||
| (4 intermediate revisions by one other user not shown) | |||
| Line 1: | Line 1: | ||
=== linux-hardened === | === linux-hardened === | ||
[https://github.com/anthraxx/linux-hardened linux-hardened] is a Linux kernel with additional hardening patches applied.<syntaxhighlight lang="nix"> | [https://github.com/anthraxx/linux-hardened linux-hardened] is a Linux kernel with additional hardening patches applied. You can check for latest releases [https://github.com/anthraxx/linux-hardened/releases here].<syntaxhighlight lang="nix"> | ||
boot.kernelPackages = pkgs. | boot.kernelPackages = let | ||
linux_hardened_pkg = { fetchFromGitHub, buildLinux, lib, ... } @ args: | |||
buildLinux (args // rec { | |||
version = "6.12.79-hardened1"; | |||
hash = "sha256-TKrLHk4aB47vqehEdp5ks4WtMCq/XCDr9ro3eQOoPvE="; | |||
extraMeta.branch = "6.12"; | |||
modDirVersion = version; | |||
src = fetchFromGitHub { | |||
inherit hash; | |||
owner = "anthraxx"; | |||
repo = "linux-hardened"; | |||
tag = "v${version}"; | |||
}; | |||
kernelPatches = []; | |||
structuredExtraConfig = with lib.kernel; { | |||
# Perform additional validation of commonly targeted structures. | |||
DEBUG_NOTIFIERS = yes; | |||
DEBUG_PLIST = yes; | |||
DEBUG_SG = yes; | |||
DEBUG_VIRTUAL = yes; | |||
SCHED_STACK_END_CHECK = yes; | |||
# tell EFI to wipe memory during reset | |||
# https://lwn.net/Articles/730006/ | |||
RESET_ATTACK_MITIGATION = yes; | |||
# restricts loading of line disciplines via TIOCSETD ioctl to CAP_SYS_MODULE | |||
CONFIG_LDISC_AUTOLOAD = option no; | |||
# Enable init_on_free by default | |||
INIT_ON_FREE_DEFAULT_ON = yes; | |||
# Initialize all stack variables on function entry | |||
INIT_STACK_ALL_ZERO = yes; | |||
# Wipe all caller-used registers on exit from a function | |||
ZERO_CALL_USED_REGS = yes; | |||
# Enable the SafeSetId LSM | |||
SECURITY_SAFESETID = yes; | |||
# Reboot devices immediately if kernel experiences an Oops. | |||
PANIC_TIMEOUT = freeform "-1"; | |||
# Enable gcc plugin options | |||
GCC_PLUGINS = yes; | |||
#A port of the PaX stackleak plugin | |||
GCC_PLUGIN_STACKLEAK = yes; | |||
# Runtime undefined behaviour checks | |||
# https://www.kernel.org/doc/html/latest/dev-tools/ubsan.html | |||
# https://developers.redhat.com/blog/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan | |||
UBSAN = yes; | |||
UBSAN_TRAP = yes; | |||
UBSAN_BOUNDS = yes; | |||
UBSAN_LOCAL_BOUNDS = option yes; # clang only | |||
CFI_CLANG = option yes; # clang only Control Flow Integrity since 6.1 | |||
# Disable various dangerous settings | |||
PROC_KCORE = no; # Exposes kernel text image layout | |||
INET_DIAG = no; # Has been used for heap based attacks in the past | |||
# INET_DIAG=n causes the following options to not exist anymore, but since they are defined in common-config.nix, | |||
# make them optional | |||
INET_DIAG_DESTROY = option no; | |||
INET_RAW_DIAG = option no; | |||
INET_TCP_DIAG = option no; | |||
INET_UDP_DIAG = option no; | |||
INET_MPTCP_DIAG = option no; | |||
# CONFIG_DEVMEM=n causes these to not exist anymore. | |||
STRICT_DEVMEM = option no; | |||
IO_STRICT_DEVMEM = option no; | |||
# stricter IOMMU TLB invalidation | |||
IOMMU_DEFAULT_DMA_STRICT = option yes; | |||
IOMMU_DEFAULT_DMA_LAZY = option no; | |||
# not needed for less than a decade old glibc versions | |||
LEGACY_VSYSCALL_NONE = yes; | |||
}; | |||
} // (args.argsOverride or {})); | |||
linux_hardened = pkgs.callPackage linux_hardened_pkg{}; | |||
in | |||
lib.recurseIntoAttrs (pkgs.linuxPackagesFor linux_hardened); | |||
</syntaxhighlight> | </syntaxhighlight> | ||
| Line 7: | Line 95: | ||
This option locks kernel modules after the system is initialized. For example it prevents malicious USB devices from exploiting vulnerable kernel modules.<syntaxhighlight lang="nix"> | This option locks kernel modules after the system is initialized. For example it prevents malicious USB devices from exploiting vulnerable kernel modules.<syntaxhighlight lang="nix"> | ||
security.lockKernelModules = true; | security.lockKernelModules = true; | ||
</syntaxhighlight>All needed modules must be loaded at boot by adding them to <code>boot.kernelModules</code>. | </syntaxhighlight>All needed modules must be loaded at boot by adding them to <code>boot.kernelModules</code>. One way of knowing what modules must be enabled is to disable this option and then list all enabled modules with <code>lsmod</code>.<syntaxhighlight lang="nix"> | ||
boot.kernelModules = [ | |||
# USB | |||
"usb_storage" "uinput" "usbhid" "usbserial" | |||
# DVD | |||
"udf" "iso9660" | |||
# GPU | |||
"amdgpu" "i915" | |||
# Networking | |||
"nft_chain_nat" "xt_conntrack" "xt_CHECKSUM" "xt_MASQUERADE" "ipt_REJECT" "ip6t_REJECT" "nf_reject_ipv4" "nf_reject_ipv6" "xt_mark" "xt_comment" "xt_multiport" "xt_addrtype" "xt_connmark" "nf_conntrack_netlink" | |||
]; | |||
</syntaxhighlight> | |||
=== Module blacklist === | === Module blacklist === | ||
<syntaxhighlight lang="nix"> | <syntaxhighlight lang="nix"> | ||
| Line 129: | Line 227: | ||
=== AppArmor === | === AppArmor === | ||
See [[Security#AppArmor]] for more details. | |||
<syntaxhighlight lang="nix"> | <syntaxhighlight lang="nix"> | ||
security.apparmor.enable = true; | security.apparmor.enable = true; | ||
security.apparmor.killUnconfinedConfinables = true; | security.apparmor.killUnconfinedConfinables = true; | ||
</syntaxhighlight> | </syntaxhighlight> | ||
=== Secure Boot === | |||
See [[Secure Boot]]. [[Limine]] bootloader supports coreboot's Secure Boot. | |||
[[Category:Guide]] | |||
[[Category:NixOS]] | |||
[[Category:Security]] | |||