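  # rpi4.nix
  #
  # NixOS configuration for a Raspberry Pi 4 SD image, cross-built from an
  # x86_64-linux host. Composes the minimal profile, the local hardening
  # profile (./hardened.nix) and nixpkgs' RPi4 SD-image module.
  { config, lib, pkgs, ... }:

  {
    imports = [
      ../nixpkgs/nixos/modules/profiles/minimal.nix
      ./hardened.nix
      ../nixpkgs/nixos/modules/installer/cd-dvd/sd-image-raspberrypi4.nix
    ];

    nixpkgs = {
      # Cross-compile for aarch64. `lib.systems.examples.aarch64-multiplatform`
      # is the platform description that `pkgsCross.aarch64-multiplatform` is
      # instantiated from, so this selects the same target as
      # `(import <nixpkgs> {}).pkgsCross.aarch64-multiplatform.stdenv.targetPlatform`
      # did, without evaluating a second copy of nixpkgs and without depending
      # on NIX_PATH: `<nixpkgs>` may resolve to a different tree than the
      # ../nixpkgs checkout the modules above are imported from, which would
      # silently build the image against mismatched package sets.
      crossSystem = lib.systems.examples.aarch64-multiplatform;
      localSystem = {
        system = "x86_64-linux";
      };
    };

    # NOTE(review): this disables the Nix build sandbox on the Pi itself, so
    # builds run there get unrestricted filesystem and network access. The
    # reason is not recorded here — TODO confirm which build needs it and
    # whether `nix.sandboxPaths` would be sufficient; otherwise remove it.
    nix.useSandbox = false;
  }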
  20.  
  # hardened.nix
  #
  # Local copy of a NixOS hardening profile: hardened kernel, restricted
  # process and kernel information, and a set of kernel parameters and sysctls
  # that shrink the kernel attack surface. Every value is set with lib.mkDefault
  # (or a low-priority lib.mkOverride), so an importing configuration can still
  # override any single setting without mkForce.
  { lib, pkgs, ... }:

  {
    meta.maintainers = [ lib.maintainers.joachifm ];

    # NOTE(review): lib.mkDefault yields to any other module that sets
    # boot.kernelPackages at normal priority. When this profile is combined
    # with a module that pins its own kernel (an SD-image module, for example),
    # that kernel wins and linuxPackages_hardened is not what boots — confirm
    # the resolved value with `nixos-option boot.kernelPackages`.
    boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_hardened;

    # Only members of the "users" group may talk to the Nix daemon.
    nix.allowedUsers = lib.mkDefault [ "@users" ];

    security = {
      # /proc is mounted hidepid so users only see their own processes.
      hideProcessInformation = lib.mkDefault true;
      # No module loading after boot; everything needed must be built in or
      # loaded during stage 1/2.
      lockKernelModules = lib.mkDefault true;
      # Unprivileged user namespaces are a recurring privilege-escalation vector.
      allowUserNamespaces = lib.mkDefault false;
      protectKernelImage = lib.mkDefault true;
      # SMT off: closes the sibling-thread side channels (MDS/L1TF family).
      allowSimultaneousMultithreading = lib.mkDefault false;
      # NOTE(review): PTI and the L1D flush are x86/KVM mitigations; on other
      # architectures these options are expected to be no-ops — confirm.
      forcePageTableIsolation = lib.mkDefault true;
      virtualisation.flushL1DataCache = lib.mkDefault "always";
      # AppArmor stays off; enable it by uncommenting:
      # apparmor.enable = lib.mkDefault true;
    };

    boot.kernelParams = [
      # SLUB sanity checks (F), red zoning (Z) and poisoning (P).
      "slub_debug=FZP"
      # Keep slab caches separate so cross-cache heap overflows are harder to
      # exploit.
      "slab_nomerge"
      # Poison pages when they are freed.
      "page_poison=1"
      # Remove the legacy vsyscall page. NOTE(review): x86-64 specific; the
      # parameter is not used by other architectures — confirm for the target.
      "vsyscall=none"
      # Randomise the page allocator's free lists.
      "page_alloc.shuffle=1"
    ];

    boot.blacklistedKernelModules = [
      # Obscure network protocols
      "ax25"
      "netrom"
      "rose"
    ];

    boot.kernel.sysctl = {
      # Restrict ptrace() to processes with a pre-defined relationship
      # (e.g. parent/child).
      "kernel.yama.ptrace_scope" = lib.mkOverride 500 1;

      # Keep the kernel ring buffer away from unprivileged users (it leaks
      # addresses and hardware details).
      "kernel.dmesg_restrict" = lib.mkDefault true;

      # Hide kernel pointers even from processes holding CAP_SYSLOG.
      "kernel.kptr_restrict" = lib.mkOverride 500 2;

      # Unprivileged bpf() has been used for privilege escalation before.
      "kernel.unprivileged_bpf_disabled" = lib.mkDefault true;

      # Turn the bpf() JIT off to remove JIT-spray as a primitive ...
      "net.core.bpf_jit_enable" = lib.mkDefault false;
      # ... and if it is re-enabled, at least harden it.
      "net.core.bpf_jit_harden" = lib.mkDefault true;

      # More ASLR entropy for 64-bit and 32-bit mappings respectively.
      # mmap_rnd_compat_bits may not exist on 64-bit kernels.
      # NOTE(review): the accepted maximum for mmap_rnd_bits depends on the
      # architecture and VA/page-size configuration; if the kernel rejects 32
      # the value is simply not applied — check the activation log.
      "vm.mmap_rnd_bits" = lib.mkDefault 32;
      "vm.mmap_rnd_compat_bits" = lib.mkDefault 16;

      # Letting users mmap() at virtual address 0 turns a kernel NULL
      # dereference into code execution with elevated privilege. Enforce a
      # minimum base address above the NULL region. This breaks programs that
      # need page 0 mapped, such as dosemu, 16-bit applications under wine and
      # older qemu versions.
      #
      # The value follows the KSPP recommendation (Debian uses 4096).
      "vm.mmap_min_addr" = lib.mkDefault 65536;

      # No ftrace debugging.
      "kernel.ftrace_enabled" = lib.mkDefault false;

      # Strict reverse-path filtering: do not route packets that "obviously"
      # do not belong to the interface's network; dropped packets are logged
      # as martians.
      "net.ipv4.conf.all.log_martians" = lib.mkDefault true;
      "net.ipv4.conf.all.rp_filter" = lib.mkDefault "1";
      "net.ipv4.conf.default.log_martians" = lib.mkDefault true;
      "net.ipv4.conf.default.rp_filter" = lib.mkDefault "1";

      # Ignore broadcast ICMP (SMURF mitigation).
      "net.ipv4.icmp_echo_ignore_broadcasts" = lib.mkDefault true;

      # Ignore incoming ICMP redirects. The "default" entries make sure the
      # setting also applies to interfaces created after the sysctls are set.
      "net.ipv4.conf.all.accept_redirects" = lib.mkDefault false;
      "net.ipv4.conf.all.secure_redirects" = lib.mkDefault false;
      "net.ipv4.conf.default.accept_redirects" = lib.mkDefault false;
      "net.ipv4.conf.default.secure_redirects" = lib.mkDefault false;
      "net.ipv6.conf.all.accept_redirects" = lib.mkDefault false;
      "net.ipv6.conf.default.accept_redirects" = lib.mkDefault false;

      # Do not send ICMP redirects (IPv4 only).
      "net.ipv4.conf.all.send_redirects" = lib.mkDefault false;
      "net.ipv4.conf.default.send_redirects" = lib.mkDefault false;

      # userfaultfd only for processes with CAP_SYS_PTRACE.
      "vm.unprivileged_userfaultfd" = lib.mkDefault false;
    };
  }