NixOS Hardening: Difference between revisions
Add categories |
→Sysctl parameters: Add kernel.io_uring_disabled=2 |
||
| (One intermediate revision by one other user not shown) | |||
| Line 161: | Line 161: | ||
# Disable ftrace debugging | # Disable ftrace debugging | ||
boot.kernel.sysctl."kernel.ftrace_enabled" = false; | boot.kernel.sysctl."kernel.ftrace_enabled" = false; | ||
# Disable io_uring, a large source of security vulnerabilities | |||
# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html | |||
boot.kernel.sysctl."kernel.io_uring_disabled" = 2; | |||
# Enable strict reverse path filtering (that is, do not attempt to route | # Enable strict reverse path filtering (that is, do not attempt to route | ||
| Line 227: | Line 231: | ||
=== AppArmor === | === AppArmor === | ||
See [[Security#AppArmor]] for more details. | |||
<syntaxhighlight lang="nix"> | <syntaxhighlight lang="nix"> | ||
security.apparmor.enable = true; | security.apparmor.enable = true; | ||