NixOS Hardening: Difference between revisions

← Older edit Newer edit →

VisualWikitext

@@ Line 1: / Line 1: @@
 == Kernel ==
 === linux-hardened ===
-[https://github.com/anthraxx/linux-hardened linux-hardened] is a Linux kernel with additional hardening patches applied. You can check for latest releases [https://github.com/anthraxx/linux-hardened/releases here].<syntaxhighlight lang="nix">
+[https://github.com/anthraxx/linux-hardened linux-hardened] is a Linux kernel with additional hardening patches applied. You can check for latest releases [https://github.com/anthraxx/linux-hardened/releases here].
+<syntaxhighlight lang="nix">
 boot.kernelPackages = let
    linux_hardened_pkg = { fetchFromGitHub, buildLinux, lib, ... } @ args:
@@ Line 94: / Line 96: @@
 === Lock kernel modules ===
-This option locks kernel modules after the system is initialized. For example it prevents malicious USB devices from exploiting vulnerable kernel modules.<syntaxhighlight lang="nix">
+This option locks kernel modules after the system is initialized. For example it prevents malicious USB devices from exploiting vulnerable kernel modules.
+<syntaxhighlight lang="nix">
 security.lockKernelModules = true;
-</syntaxhighlight>All needed modules must be loaded at boot by adding them to <code>boot.kernelModules</code>. One way of knowing what modules must be enabled is to disable this option and then list all enabled modules with <code>lsmod</code>.<syntaxhighlight lang="nix">
+</syntaxhighlight>
+All needed modules must be loaded at boot by adding them to <code>boot.kernelModules</code>. One way of knowing what modules must be enabled is to disable this option and then list all enabled modules with <code>lsmod</code>.
+<syntaxhighlight lang="nix">
 boot.kernelModules = [
    # USB
@@ Line 108: / Line 116: @@
 ];
 </syntaxhighlight>
 === Module blacklist ===
 <syntaxhighlight lang="nix">
 boot.blacklistedKernelModules = [
@@ Line 132: / Line 142: @@
 === Kernel image protection ===
-Prevents replacing the running kernel image.<syntaxhighlight lang="nix">
+Prevents replacing the running kernel image.
+<syntaxhighlight lang="nix">
 security.protectKernelImage = true;
 </syntaxhighlight>
 === Kernel parameters ===
 <syntaxhighlight lang="nix">
 boot.kernelParams = [
@@ Line 154: / Line 167: @@
 === Sysctl parameters ===
-<syntaxhighlight lang="nix"># Hide kptrs even for processes with CAP_SYSLOG
+<syntaxhighlight lang="nix">
+# Hide kptrs even for processes with CAP_SYSLOG
 boot.kernel.sysctl."kernel.kptr_restrict" = "2";
@@ Line 189: / Line 204: @@
 # Ignore outgoing ICMP redirects (this is ipv4 only)
 boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false;
-boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false;</syntaxhighlight>
+boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false;
+</syntaxhighlight>
 === Disable Simultaneous Multithreading (SMT) ===
-Might cause significant performance cost.<syntaxhighlight lang="nix">
+Might cause significant performance cost.
+<syntaxhighlight lang="nix">
 security.allowSimultaneousMultithreading = false;
 </syntaxhighlight>
 === Force Page Table Isolation ===
 <syntaxhighlight lang="nix">
 security.forcePageTableIsolation = true;
@@ Line 202: / Line 222: @@
+== Nix settings ==
+=== Nix allowed users ===
+This option allows only <code>users</code> group to connect to the Nix daemon.
+<syntaxhighlight lang="nix">
+nix.settings.allowed-users = [ "@users" ];
+</syntaxhighlight>
+== Other settings ==
 === Memory allocator ===
-You can use security-focused memory allocator like [https://llvm.org/docs/ScudoHardenedAllocator.html scudo] or [https://github.com/GrapheneOS/hardened_malloc GrapheneOS hardened_malloc].<syntaxhighlight lang="nix">
+You can use security-focused memory allocator like [https://llvm.org/docs/ScudoHardenedAllocator.html scudo] or [https://github.com/GrapheneOS/hardened_malloc GrapheneOS hardened_malloc].
+<syntaxhighlight lang="nix">
 # scudo
 environment.memoryAllocator.provider = "scudo";
 environment.variables.SCUDO_OPTIONS = "zero_contents=true";
 # hardened_malloc
 environment.memoryAllocator.provider = "graphene-hardened";
-</syntaxhighlight>Some programs may not work with these memory allocators. You can force them to use the default libc allocator by blacklisting <code>/etc/ld-nix.so.preload</code> with a firejail wrap.<syntaxhighlight lang="nix">programs.firejail = {
+</syntaxhighlight>
+Some programs may not work with these memory allocators. You can force them to use the default libc allocator by blacklisting <code>/etc/ld-nix.so.preload</code> with a firejail wrap.
+<syntaxhighlight lang="nix">
+programs.firejail = {
    enable = true;
    wrappedBinaries = {
@@ Line 221: / Line 261: @@
      };
    };
-};</syntaxhighlight>
+};
+</syntaxhighlight>
-== Nix settings ==
+=== Flush L1 data cache ===
-=== Nix allowed users ===
+Might cause significant performance cost.
-This option allows only <code>users</code> group to connect to the Nix daemon.<syntaxhighlight lang="nix">
-nix.settings.allowed-users = [ "@users" ];
-</syntaxhighlight>
-== Other settings ==
+<syntaxhighlight lang="nix">
-=== Flush L1 data cache ===
-Might cause significant performance cost.<syntaxhighlight lang="nix">
 security.virtualisation.flushL1DataCache = "always";
 </syntaxhighlight>
@@ Line 248: / Line 283: @@
 === Secure Boot ===
 See [[Secure Boot]]. [[Limine]] bootloader supports coreboot's Secure Boot.
 [[Category:Guide]]
 [[Category:NixOS]]
 [[Category:Security]]