NixOS Hardening: Difference between revisions

Golbinex: Add Secure Boot
Golbinex: No edit summary
Line 2: Line 2:
[https://github.com/anthraxx/linux-hardened linux-hardened] is a Linux kernel with additional hardening patches applied.<syntaxhighlight lang="nix">
[https://github.com/anthraxx/linux-hardened linux-hardened] is a Linux kernel with additional hardening patches applied.<syntaxhighlight lang="nix">
boot.kernelPackages = pkgs.linuxKernel.packages.linux_hardened;
boot.kernelPackages = pkgs.linuxKernel.packages.linux_hardened;
</syntaxhighlight>To get the latest updates and security patches as soon as possible, you might want to build the kernel right after new [https://github.com/anthraxx/linux-hardened/releases release].<syntaxhighlight lang="nix">
boot.kernelPackages = let
    linux_hardened_pkg = { fetchFromGitHub, buildLinux, linux_6_12_hardened, ... } @ args:
        buildLinux (args // rec {
          version = "6.12.77-hardened1";
          modDirVersion = version;
          extraMeta.branch = "6.12";
          src = fetchFromGitHub {
            owner = "anthraxx";
            repo = "linux-hardened";
            tag = "v${version}";
            hash = "sha256-txcatuTkp0gmJ4vHp//Ju4/j9d2RiVU8UuE7zUXnixw=";
          };
          # Patches are already applied in the source tarball
          kernelPatches = [];
          structuredExtraConfig = linux_6_12_hardened.structuredExtraConfig;
          # If using different kernel version than the one used in nixpkgs, you might have to remove some unsupported parameters.
          structuredExtraConfig = lib.removeAttrs linux_6_12_hardened.structuredExtraConfig [ "GCC_PLUGIN_STACKLEAK" ];
        } // (args.argsOverride or {}));
      linux_hardened = pkgs.callPackage linux_hardened_pkg{};
    in
      lib.recurseIntoAttrs (pkgs.linuxPackagesFor linux_hardened);
</syntaxhighlight>
</syntaxhighlight>
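Review bot: the `rec { ... }` set passed to `buildLinux` defines `structuredExtraConfig` twice (once as `linux_6_12_hardened.structuredExtraConfig`, then again as the `lib.removeAttrs ... [ "GCC_PLUGIN_STACKLEAK" ]` variant), and Nix rejects duplicate attribute names in one set with "attribute 'structuredExtraConfig' already defined", so the snippet as written will not evaluate. Keep one binding, and present the other as the alternative the comment already describes, e.g. `# structuredExtraConfig = linux_6_12_hardened.structuredExtraConfig;` above the `removeAttrs` form, or vice versa. Two smaller points: the `lib` used there is only available if the module header brings it in (`{ config, pkgs, lib, ... }:`), which is worth saying next to the snippet, and `pkgs.callPackage linux_hardened_pkg{}` wants a space before `{}`. Since the `version` and `hash` pin one release, the text could also say that both must be bumped together on every new release, which is the whole reason for this override.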


Line 7: Line 32:
This option locks kernel modules after the system is initialized. For example it prevents malicious USB devices from exploiting vulnerable kernel modules.<syntaxhighlight lang="nix">
This option locks kernel modules after the system is initialized. For example it prevents malicious USB devices from exploiting vulnerable kernel modules.<syntaxhighlight lang="nix">
security.lockKernelModules = true;
security.lockKernelModules = true;
</syntaxhighlight>All needed modules must be loaded at boot by adding them to <code>boot.kernelModules</code>.
</syntaxhighlight>All needed modules must be loaded at boot by adding them to <code>boot.kernelModules</code>. One way of knowing what modules must be enabled is to disable this option and then list all enabled modules with <code>lsmod</code>.<syntaxhighlight lang="nix">
 
boot.kernelModules = [
  # USB
  "usb_storage" "uinput" "usbhid" "usbserial"
  # DVD
  "udf" "iso9660"
  # GPU
  "amdgpu" "i915"
  # Networking
  "nft_chain_nat" "xt_conntrack" "xt_CHECKSUM" "xt_MASQUERADE" "ipt_REJECT" "ip6t_REJECT" "nf_reject_ipv4" "nf_reject_ipv6" "xt_mark" "xt_comment" "xt_multiport" "xt_addrtype" "xt_connmark" "nf_conntrack_netlink"
];
</syntaxhighlight>
=== Module blacklist ===
=== Module blacklist ===
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
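Review bot: the `lsmod` advice in the paragraph after `security.lockKernelModules = true;` only captures what is loaded at that moment, so anything loaded on demand later (a USB stick or serial adapter plugged in after boot, the `xt_*`/`nft_*` netfilter modules that get pulled in when firewall or container rules are applied, `udf`/`iso9660` when a disc is inserted) will be missing from the snapshot and will fail silently once the lock is active. Suggest telling the reader to exercise all such hardware and services before running `lsmod`, and ideally to compare the output from several sessions. The `boot.kernelModules` list should also be labelled as a hardware-specific example: it lists both `amdgpu` and `i915`, which a real machine would not usually need together, and every preloaded module widens the kernel attack surface the lock is meant to shrink. Minor: the whitespace-only line at the top of that block should be dropped.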