NixOS Hardening: Difference between revisions
linux-hardened was removed from nixpkgs
→Sysctl parameters: Add kernel.io_uring_disabled=2
(2 intermediate revisions by 2 users not shown)
| Line 161: | Line 161: | ||
# Disable ftrace debugging | # Disable ftrace debugging | ||
boot.kernel.sysctl."kernel.ftrace_enabled" = false; | boot.kernel.sysctl."kernel.ftrace_enabled" = false; | ||
# Disable io_uring, a large source of security vulnerabilities | |||
# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html | |||
boot.kernel.sysctl."kernel.io_uring_disabled" = 2; | |||
# Enable strict reverse path filtering (that is, do not attempt to route | # Enable strict reverse path filtering (that is, do not attempt to route | ||
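Review bot: the comment above the new `boot.kernel.sysctl."kernel.io_uring_disabled" = 2;` line documents neither what the value 2 means nor what the setting depends on. This sysctl takes 0 (io_uring enabled), 1 (io_uring_setup fails for callers without CAP_SYS_ADMIN, subject to kernel.io_uring_group) and 2 (disabled for every process), and it is only present on kernels that ship it, so on an older kernel the key is absent under /proc/sys and the line has no effect beyond a warning when sysctls are applied at boot. Suggest extending the comment, e.g. `# 2 = disabled for all processes (1 would still allow CAP_SYS_ADMIN)` and `# requires a kernel that provides this sysctl; verify with: sysctl kernel.io_uring_disabled`, so a reader can confirm the hardening actually took effect on their system.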
| Line 227: | Line 231: | ||
=== AppArmor === | === AppArmor === | ||
See [[Security#AppArmor]] for more details. | |||
<syntaxhighlight lang="nix"> | <syntaxhighlight lang="nix"> | ||
security.apparmor.enable = true; | security.apparmor.enable = true; | ||
| Line 234: | Line 240: | ||
=== Secure Boot === | === Secure Boot === | ||
See [[Secure Boot]]. [[Limine]] bootloader supports coreboot's Secure Boot. | See [[Secure Boot]]. [[Limine]] bootloader supports coreboot's Secure Boot. | ||
[[Category:Guide]] | |||
[[Category:NixOS]] | |||
[[Category:Security]] | |||