
Untitled

a guest
Feb 13th, 2024
  1. { config, pkgs, ... }:
  2. {
  # Sandbox overrides for systemd-rfkill. Each key is emitted into the
  # [Service] section of the generated unit.
  systemd.services.systemd-rfkill = {
    serviceConfig = {
      # Filesystem view: everything read-only, /home hidden, private /tmp.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      UMask = "0077";

      # Kernel interfaces.
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";

      # Process-level restrictions.
      NoNewPrivileges = true;
      MemoryDenyWriteExecute = true;
      LockPersonality = true;
      RestrictRealtime = true;

      # Explicit syscall allow-list: anything not named is refused, and unless
      # SystemCallErrorNumber= is set the offending process is killed (SIGSYS).
      # NOTE(review): the list looks hand-collected and names x86-64-only calls
      # (arch_prctl); confirm the unit still starts and watch the journal for
      # seccomp/SIGSYS records after switching.
      SystemCallFilter = [
        "write" "read" "openat" "close" "brk" "fstat" "lseek" "mmap"
        "mprotect" "munmap" "rt_sigaction" "rt_sigprocmask" "ioctl"
        "nanosleep" "select" "access" "execve" "getuid" "arch_prctl"
        "set_tid_address" "set_robust_list" "prlimit64" "pread64" "getrandom"
      ];
      SystemCallArchitectures = "native";

      # No IP traffic in or out of the unit's cgroup.
      IPAddressDeny = "any";
    };
  };
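  # Sandbox overrides for the syslog service.
  #
  # Two settings in the original were silently ineffective and are corrected:
  #   * "RestrictNamespace" is not a systemd directive (the name is
  #     RestrictNamespaces), so the line was ignored with a warning.
  #   * "DeviceAllow = false" is not a device specifier; a closed device
  #     policy is expressed with DevicePolicy instead.
  systemd.services.syslog = {
    serviceConfig = {
      # Filesystem view.
      ProtectSystem = "full";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateMounts = true;
      UMask = "0077";

      # Devices: private /dev with pseudo-devices only; PrivateDevices already
      # implies the closed policy, it is spelled out here to record the intent.
      PrivateDevices = true;
      DevicePolicy = "closed";

      # Kernel interfaces.
      ProtectClock = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";

      # Capabilities.
      # NOTE(review): several settings here pull against this list —
      # ProtectKernelLogs removes CAP_SYSLOG from the bounding set,
      # PrivateNetwork leaves nothing useful for CAP_NET_BIND_SERVICE to bind
      # to, and under PrivateUsers capabilities do not apply to the host user
      # namespace. Decide which behaviour is wanted and drop the rest.
      CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" "CAP_SYSLOG" "CAP_NET_BIND_SERVICE" ];
      PrivateUsers = true;
      NoNewPrivileges = true;

      # Process-level restrictions.
      MemoryDenyWriteExecute = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictNamespaces = true; # was misspelled and therefore never applied
      SystemCallArchitectures = "native";

      # Network: own, empty network namespace (loopback only).
      PrivateNetwork = true;
    };
  };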
  49.  
  50.  
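  # Light hardening for systemd-journald.
  systemd.services.systemd-journald = {
    serviceConfig = {
      # Quoted on purpose: a bare 0077 is read by Nix as an integer, not as an
      # octal mode string. The string form matches every other unit in this file.
      UMask = "0077";
      ProtectHostname = true;
      ProtectKernelModules = true;
      # NOTE(review): journald gets its listening sockets via socket
      # activation, so a private network namespace is probably harmless —
      # confirm that audit and any remote log forwarding still work.
      PrivateNetwork = true;
    };
  };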
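  # Sandbox overrides for auto-cpufreq.
  #
  # Fix: ProtectProc takes one of "noaccess", "invisible", "ptraceable" or
  # "default". The original boolean `true` is not a valid value, so systemd
  # ignored the line; "invisible" is what the other units in this file use.
  systemd.services.auto-cpufreq = {
    serviceConfig = {
      # Filesystem view.
      ProtectSystem = "full";
      ProtectHome = true;
      PrivateTmp = true;
      ReadOnlyPaths = [ "/" ];
      InaccessiblePaths = [ "/home" "/root" "/proc" ];
      UMask = "0077";

      # Kernel interfaces.
      # NOTE(review): ProtectKernelTunables makes /sys and /proc/sys read-only
      # and /proc is listed as inaccessible above. A CPU-frequency daemon
      # presumably has to write governor settings under /sys — verify that it
      # still changes anything once these are applied.
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProtectHostname = false;

      # Privileges: empty bounding set, no privilege gain, private user namespace.
      CapabilityBoundingSet = "";
      NoNewPrivileges = true;
      PrivateUsers = true;

      # Process-level restrictions.
      MemoryDenyWriteExecute = true;
      RestrictNamespaces = true;
      SystemCallFilter = [ "@system-service" ];
      SystemCallArchitectures = "native";

      # Network: isolated namespace and no IP traffic.
      PrivateNetwork = true;
      IPAddressDeny = "any";
    };
  };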
  # Sandbox overrides for the NetworkManager dispatcher.
  systemd.services.NetworkManager-dispatcher = {
    serviceConfig = {
      # Filesystem and devices.
      ProtectHome = true;
      PrivateDevices = true;
      UMask = "0077";

      # Kernel interfaces.
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectHostname = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";

      # Privileges and process restrictions.
      PrivateUsers = true;
      NoNewPrivileges = true;
      MemoryDenyWriteExecute = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictNamespaces = true;

      # Syscall allow-list; a call outside it kills the process unless
      # SystemCallErrorNumber= is set.
      # NOTE(review): dispatcher scripts are arbitrary programs, so a list this
      # short is likely to be hit — test with the scripts actually installed.
      SystemCallFilter = [
        "write" "read" "openat" "close" "brk" "fstat" "lseek" "mmap"
        "mprotect" "munmap" "rt_sigaction" "rt_sigprocmask" "ioctl"
        "nanosleep" "select" "access" "execve" "getuid" "arch_prctl"
        "set_tid_address" "set_robust_list" "prlimit64" "pread64" "getrandom"
      ];
      SystemCallArchitectures = "native";

      # Network.
      # NOTE(review): this allow-list permits only AF_INET sockets to be
      # created, so socket(AF_UNIX) — used for D-Bus and logging — is refused,
      # while IPAddressDeny blocks the one family that is allowed. Sockets
      # handed in by socket activation are not affected by the family filter.
      RestrictAddressFamilies = "AF_INET";
      IPAddressDeny = "any";
    };
  };
  # Minimal hardening for the display manager: only kernel-facing protections
  # are set, none of the filesystem/user sandboxing used for other units.
  systemd.services.display-manager = {
    serviceConfig = {
      ProtectKernelLogs = true;    # no access to the kernel log ring buffer
      ProtectKernelModules = true; # no explicit module load/unload
      ProtectKernelTunables = true; # /proc/sys and /sys become read-only
    };
  };
  # Sandbox overrides for the emergency shell.
  #
  # NOTE(review): this unit exists to repair a system that failed to boot.
  # ProtectSystem=strict mounts the whole hierarchy read-only, PrivateUsers maps
  # everything but root to "nobody", PrivateDevices hides physical devices and
  # NoNewPrivileges disables setuid helpers — together they presumably leave a
  # shell that cannot fix anything. Keep a known-good earlier generation in the
  # boot menu before applying, and reconsider hardening recovery units at all.
  # Unlike the rescue unit in this file, no SystemCallArchitectures is set here.
  systemd.services.emergency = {
    serviceConfig = {
      # Filesystem and devices.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      PrivateIPC = true;
      UMask = "0077";

      # Kernel interfaces.
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";

      # Privileges and process restrictions.
      PrivateUsers = true;
      NoNewPrivileges = true;
      MemoryDenyWriteExecute = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictNamespaces = true;

      # Syscall allow-list, inherited by the shell and every command run from
      # it; a call outside the list kills the process by default.
      SystemCallFilter = [
        "write" "read" "openat" "close" "brk" "fstat" "lseek" "mmap"
        "mprotect" "munmap" "rt_sigaction" "rt_sigprocmask" "ioctl"
        "nanosleep" "select" "access" "execve" "getuid" "arch_prctl"
        "set_tid_address" "set_robust_list" "prlimit64" "pread64" "getrandom"
      ];

      # Network: only AF_INET sockets may be created, and all IP is denied.
      RestrictAddressFamilies = "AF_INET";
      IPAddressDeny = "any";
    };
  };
  # Sandbox overrides for the login prompt on tty1.
  #
  # NOTE(review): everything set here is inherited by the login session started
  # from this getty. PrivateDevices provides only API pseudo-devices (likely
  # not /dev/tty1), PrivateUsers maps ordinary accounts to "nobody",
  # ProtectHome empties /home and NoNewPrivileges neutralises sudo/su. Verify
  # console login on a test machine first; a broken getty removes the local
  # fallback when remote access fails.
  systemd.services."getty@tty1" = {
    serviceConfig = {
      # Filesystem and devices.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      PrivateIPC = true;
      UMask = "0077";

      # Kernel interfaces.
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";

      # Privileges and process restrictions.
      PrivateUsers = true;
      NoNewPrivileges = true;
      MemoryDenyWriteExecute = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictNamespaces = true;

      # Syscall allow-list (also applies to the user's shell); a call outside
      # it kills the process unless SystemCallErrorNumber= is set.
      SystemCallFilter = [
        "write" "read" "openat" "close" "brk" "fstat" "lseek" "mmap"
        "mprotect" "munmap" "rt_sigaction" "rt_sigprocmask" "ioctl"
        "nanosleep" "select" "access" "execve" "getuid" "arch_prctl"
        "set_tid_address" "set_robust_list" "prlimit64" "pread64" "getrandom"
      ];
      SystemCallArchitectures = "native";

      # Network: AF_INET is the only family that may be opened (so no AF_UNIX),
      # and IP traffic itself is denied.
      RestrictAddressFamilies = "AF_INET";
      IPAddressDeny = "any";
    };
  };
  # Sandbox overrides for the login prompt on tty7; same settings as the tty1
  # instance in this file.
  #
  # NOTE(review): the sandbox is inherited by whatever session logs in here.
  # Private /dev, a private user namespace, a hidden /home and NoNewPrivileges
  # are each likely to break interactive login — test before relying on it.
  systemd.services."getty@tty7" = {
    serviceConfig = {
      # Filesystem and devices.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      PrivateIPC = true;
      UMask = "0077";

      # Kernel interfaces.
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";

      # Privileges and process restrictions.
      PrivateUsers = true;
      NoNewPrivileges = true;
      MemoryDenyWriteExecute = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictNamespaces = true;

      # Syscall allow-list; unlisted calls terminate the caller by default.
      SystemCallFilter = [
        "write" "read" "openat" "close" "brk" "fstat" "lseek" "mmap"
        "mprotect" "munmap" "rt_sigaction" "rt_sigprocmask" "ioctl"
        "nanosleep" "select" "access" "execve" "getuid" "arch_prctl"
        "set_tid_address" "set_robust_list" "prlimit64" "pread64" "getrandom"
      ];
      SystemCallArchitectures = "native";

      # Network: only AF_INET may be opened, and all IP traffic is denied.
      RestrictAddressFamilies = "AF_INET";
      IPAddressDeny = "any";
    };
  };
  # Hardening for NetworkManager. Network access itself is left untouched;
  # only filesystem, kernel and process restrictions are applied.
  systemd.services.NetworkManager = {
    serviceConfig = {
      # Filesystem view.
      ProtectHome = true;
      PrivateTmp = true;
      UMask = "0077";

      # Kernel interfaces.
      # NOTE(review): ProcSubset=pid hides everything in /proc that is not a
      # process directory and ProtectKernelTunables makes /proc/sys read-only.
      # NetworkManager presumably reads and writes /proc/sys/net — check that
      # per-interface sysctls (IPv6, forwarding) are still applied.
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";

      # Process restrictions.
      NoNewPrivileges = true;
      MemoryDenyWriteExecute = true;
      RestrictNamespaces = true;
      SystemCallArchitectures = "native";
    };
  };
  # Restrictions for the unit named "nixos-rebuild-switch-to-configuration".
  # NOTE(review): whether a unit of this name exists on the target system
  # cannot be told from this file; if it does not, this definition has no
  # hardening effect.
  systemd.services."nixos-rebuild-switch-to-configuration" = {
    serviceConfig = {
      NoNewPrivileges = true; # setuid/file capabilities cannot raise privileges
      ProtectHome = true;     # /home, /root and /run/user appear empty
    };
  };
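  # Sandbox overrides for the system D-Bus daemon.
  #
  # Fix: systemd does not expand wildcards in capability names, so the original
  # "~CAP_MAC_*" and "~CAP_DAC_*" entries were rejected and those capabilities
  # stayed in the bounding set. They are written out in full below.
  systemd.services."dbus" = {
    serviceConfig = {
      # Filesystem view.
      ProtectSystem = "full";
      ProtectHome = true;
      PrivateTmp = true;

      # Kernel interfaces.
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHostname = true;

      # Capabilities removed from the bounding set (each entry is negated).
      # NOTE(review): the list drops CAP_SETUID/CAP_SETGID and, now that the
      # names are valid, the DAC capabilities, and PrivateUsers is on as well.
      # A bus daemon that starts as root and switches to its own account, or
      # that checks peer credentials, may not cope — confirm the bus starts
      # and clients can still authenticate.
      CapabilityBoundingSet = [
        "~CAP_SYS_TIME" "~CAP_SYS_PACCT" "~CAP_KILL" "~CAP_WAKE_ALARM"
        "~CAP_SYS_BOOT" "~CAP_SYS_CHROOT" "~CAP_LEASE" "~CAP_MKNOD"
        "~CAP_NET_ADMIN" "~CAP_SYS_ADMIN" "~CAP_SYSLOG" "~CAP_NET_BIND_SERVICE"
        "~CAP_NET_BROADCAST" "~CAP_AUDIT_WRITE" "~CAP_AUDIT_CONTROL"
        "~CAP_SYS_RAWIO" "~CAP_SYS_NICE" "~CAP_SYS_RESOURCE"
        "~CAP_SYS_TTY_CONFIG" "~CAP_SYS_MODULE" "~CAP_IPC_LOCK"
        "~CAP_LINUX_IMMUTABLE" "~CAP_BLOCK_SUSPEND"
        "~CAP_MAC_ADMIN" "~CAP_MAC_OVERRIDE"
        "~CAP_DAC_OVERRIDE" "~CAP_DAC_READ_SEARCH"
        "~CAP_FOWNER" "~CAP_IPC_OWNER" "~CAP_SYS_PTRACE" "~CAP_SETUID"
        "~CAP_SETGID" "~CAP_SETPCAP" "~CAP_FSETID" "~CAP_SETFCAP" "~CAP_CHOWN"
      ];
      PrivateUsers = true;
      NoNewPrivileges = true;

      # Process restrictions.
      MemoryDenyWriteExecute = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictNamespaces = true;
      # Deny-list: the leading "~" negates the whole set of groups.
      SystemCallFilter = "~@clock @cpu-emulation @module @mount @obsolete @raw-io @reboot @swap";

      # Network: own namespace; packet and netlink sockets may not be created.
      PrivateNetwork = true;
      RestrictAddressFamilies = [ "~AF_PACKET" "~AF_NETLINK" ];
    };
  };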
  # Restrictions for the Nix build daemon.
  systemd.services.nix-daemon = {
    serviceConfig = {
      # Explicitly no private user namespace for this unit.
      PrivateUsers = false;
      # /home, /root and /run/user appear empty to the daemon.
      # NOTE(review): confirm no build or evaluation path relies on the daemon
      # itself reading files below /home.
      ProtectHome = true;
    };
  };
  # Sandbox overrides for the unit that re-runs virtual-console setup.
  systemd.services.reload-systemd-vconsole-setup = {
    serviceConfig = {
      # Filesystem and devices.
      ProtectSystem = "strict";
      ProtectHome = true;
      # NOTE(review): console setup presumably has to open the console/tty
      # device nodes, which a private /dev with pseudo-devices only may not
      # contain — check that keymap and font are still applied.
      PrivateDevices = true;
      UMask = "0077";

      # Kernel interfaces.
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;

      # Privileges and process restrictions.
      PrivateUsers = true;
      NoNewPrivileges = true;
      MemoryDenyWriteExecute = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictNamespaces = true;

      # Network.
      IPAddressDeny = "any";
    };
  };
  # Sandbox overrides for the rescue shell.
  #
  # NOTE(review): rescue mode is a recovery path. A read-only file system
  # (ProtectSystem=strict), a private user namespace, no physical devices and
  # NoNewPrivileges presumably make the shell unable to repair the system.
  # Keep an earlier, unhardened generation bootable before applying this.
  systemd.services.rescue = {
    serviceConfig = {
      # Filesystem and devices.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true; # hides disks and other physical devices
      PrivateIPC = true;
      UMask = "0077";

      # Kernel interfaces.
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";

      # Privileges and process restrictions.
      PrivateUsers = true;
      NoNewPrivileges = true;
      MemoryDenyWriteExecute = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictNamespaces = true;

      # Syscall allow-list, inherited by every command run from the shell;
      # unlisted calls kill the caller unless SystemCallErrorNumber= is set.
      SystemCallFilter = [
        "write" "read" "openat" "close" "brk" "fstat" "lseek" "mmap"
        "mprotect" "munmap" "rt_sigaction" "rt_sigprocmask" "ioctl"
        "nanosleep" "select" "access" "execve" "getuid" "arch_prctl"
        "set_tid_address" "set_robust_list" "prlimit64" "pread64" "getrandom"
      ];
      SystemCallArchitectures = "native";

      # Network: IPv4/IPv6 sockets may be created, but IPAddressDeny drops all
      # IP traffic, so networking in rescue mode is effectively off until that
      # is relaxed. AF_UNIX sockets cannot be created either.
      RestrictAddressFamilies = "AF_INET AF_INET6";
      IPAddressDeny = "any";
    };
  };
  # Sandbox overrides for the console password agent.
  systemd.services."systemd-ask-password-console" = {
    serviceConfig = {
      # Filesystem and devices.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      # NOTE(review): the agent prompts on the console; a private /dev with
      # pseudo-devices only may not expose it.
      PrivateDevices = true;
      PrivateIPC = true;
      UMask = "0077";

      # Kernel interfaces.
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";

      # Privileges and process restrictions.
      PrivateUsers = true;
      NoNewPrivileges = true;
      MemoryDenyWriteExecute = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictNamespaces = true;

      # systemd's predefined group for ordinary services, rather than a
      # hand-written list.
      SystemCallFilter = [ "@system-service" ];
      SystemCallArchitectures = "native";

      # Network.
      # NOTE(review): only IP families may be opened and IP is denied, so the
      # unit cannot create AF_UNIX sockets. Password agents presumably answer
      # requests over a UNIX socket — verify that prompts (e.g. disk unlock)
      # still complete.
      RestrictAddressFamilies = "AF_INET AF_INET6";
      IPAddressDeny = "any";
    };
  };
  # Sandbox overrides for the wall password agent; same settings as the
  # console agent in this file.
  systemd.services."systemd-ask-password-wall" = {
    serviceConfig = {
      # Filesystem and devices.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      PrivateIPC = true;
      UMask = "0077";

      # Kernel interfaces.
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";

      # Privileges and process restrictions.
      PrivateUsers = true;
      NoNewPrivileges = true;
      MemoryDenyWriteExecute = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictNamespaces = true;

      # Predefined syscall group for ordinary services.
      SystemCallFilter = [ "@system-service" ];
      SystemCallArchitectures = "native";

      # Network: IP families are the only ones that may be opened, and IP is
      # denied; AF_UNIX sockets cannot be created by the unit.
      # NOTE(review): a wall agent writes to users' terminals, which private
      # devices and a private user namespace may prevent — verify.
      RestrictAddressFamilies = "AF_INET AF_INET6";
      IPAddressDeny = "any";
    };
  };
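  # Sandbox overrides for thermald.
  #
  # Removed from the original: `DeviceAllow = []` and
  # `RestrictAddressFamilies = [ ]`. An empty list produces no directive in the
  # generated unit, so both lines restricted nothing while reading as if they
  # did. Device access is already closed by PrivateDevices; to really forbid
  # socket creation set RestrictAddressFamilies = "none" after checking which
  # families the daemon needs.
  systemd.services.thermald = {
    serviceConfig = {
      # Filesystem and devices.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      # Private /dev with pseudo-devices only; implies a closed device policy.
      # NOTE(review): a thermal daemon may need specific hardware nodes.
      PrivateDevices = true;
      PrivateIPC = true;
      UMask = "0077";

      # Kernel interfaces.
      # NOTE(review): ProtectKernelTunables makes /sys and /proc/sys read-only.
      # It is a restriction, not a prerequisite: a daemon that adjusts cooling
      # through sysfs presumably cannot do so with this on — verify.
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";

      # Privileges: empty bounding set inside a private user namespace.
      CapabilityBoundingSet = "";
      PrivateUsers = true;
      NoNewPrivileges = true;

      # Process restrictions.
      MemoryDenyWriteExecute = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictNamespaces = true;
      SystemCallFilter = [ "@system-service" ];
      SystemCallArchitectures = "native";

      # Network.
      IPAddressDeny = "any";
    };
  };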
  # Sandbox overrides for the per-user service manager of UID 1000.
  #
  # NOTE(review): every user service and, depending on the session setup, the
  # desktop itself runs below this unit and inherits its sandbox. ProtectHome
  # empties /home for them, NoNewPrivileges disables sudo/su,
  # MemoryDenyWriteExecute stops JIT-based programs and IPAddressDeny removes
  # IP networking. Treat this as a lockdown of the whole account and test on a
  # disposable user first.
  systemd.services."user@1000" = {
    serviceConfig = {
      # Filesystem and devices.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      PrivateIPC = true;
      UMask = "0077";

      # Kernel interfaces.
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";

      # Privileges and process restrictions.
      PrivateUsers = true; # own user namespace; other accounts map to "nobody"
      NoNewPrivileges = true;
      MemoryDenyWriteExecute = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictNamespaces = true;

      # Predefined syscall group; widen or narrow to what the user runs.
      SystemCallFilter = [ "@system-service" ];
      SystemCallArchitectures = "native";

      # Network: IP families are the only ones that may be opened (no AF_UNIX)
      # and IP traffic is denied.
      RestrictAddressFamilies = "AF_INET AF_INET6";
      IPAddressDeny = "any";
    };
  };
  # Sandbox overrides for virtlockd (libvirt lock manager).
  systemd.services.virtlockd = {
    serviceConfig = {
      # Filesystem and devices.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true; # revisit if the daemon must reach VM resources
      PrivateIPC = true;
      UMask = "0077";

      # Kernel interfaces.
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";

      # Privileges and process restrictions.
      PrivateUsers = true;
      NoNewPrivileges = true;
      MemoryDenyWriteExecute = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictNamespaces = true;

      # Predefined syscall group; adjust if the daemon needs more.
      SystemCallFilter = [ "@system-service" ];
      SystemCallArchitectures = "native";

      # Network: the family filter only governs socket() calls made by the
      # unit; sockets passed in by socket activation are unaffected. All IP
      # traffic is denied, so relax IPAddressDeny if network use is required.
      RestrictAddressFamilies = "AF_INET AF_INET6";
      IPAddressDeny = "any";
    };
  };
  # Sandbox overrides for virtlogd (libvirt log daemon).
  systemd.services.virtlogd = {
    serviceConfig = {
      # Filesystem and devices.
      # NOTE(review): ProtectSystem=strict leaves the file system read-only
      # apart from /dev, /proc and /sys, and no writable path is declared
      # here — confirm the daemon can still write VM logs.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      PrivateIPC = true;
      UMask = "0077";

      # Kernel interfaces.
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";

      # Privileges and process restrictions.
      PrivateUsers = true;
      NoNewPrivileges = true;
      MemoryDenyWriteExecute = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictNamespaces = true;

      # Predefined syscall group; adjust to the daemon's log handling.
      SystemCallFilter = [ "@system-service" ];
      SystemCallArchitectures = "native";

      # Network: IP families may be opened but all IP traffic is denied; relax
      # IPAddressDeny for network-based log collection.
      RestrictAddressFamilies = "AF_INET AF_INET6";
      IPAddressDeny = "any";
    };
  };
  # Sandbox overrides for virtlxcd (libvirt LXC driver daemon).
  #
  # NOTE(review): containers are built from namespaces, cgroups and device
  # nodes. RestrictNamespaces, ProtectControlGroups, PrivateDevices and
  # PrivateUsers each remove one of those from the daemon, so it presumably
  # cannot start containers as configured — test before deploying.
  systemd.services.virtlxcd = {
    serviceConfig = {
      # Filesystem and devices.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true; # containers may need broader device access
      PrivateIPC = true;
      UMask = "0077";

      # Kernel interfaces. ProtectKernelTunables makes /proc/sys and /sys
      # read-only for the daemon.
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";

      # Privileges and process restrictions.
      PrivateUsers = true; # may conflict with container user management
      NoNewPrivileges = true;
      MemoryDenyWriteExecute = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictNamespaces = true;

      # Predefined syscall group; adjust to the container operations in use.
      SystemCallFilter = [ "@system-service" ];
      SystemCallArchitectures = "native";

      # Network: IP families may be opened, but IPAddressDeny drops all IP
      # traffic until it is relaxed; AF_UNIX and AF_NETLINK cannot be opened.
      RestrictAddressFamilies = "AF_INET AF_INET6";
      IPAddressDeny = "any";
    };
  };
  # Sandbox overrides for virtqemud (libvirt QEMU driver daemon).
  #
  # NOTE(review): processes the daemon starts inherit this sandbox. A private
  # /dev (presumably without the KVM node), no kernel-module loading,
  # MemoryDenyWriteExecute and a private user namespace are each likely to
  # interfere with running guests — validate with a real VM start.
  systemd.services.virtqemud = {
    serviceConfig = {
      # Filesystem and devices.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true; # VMs may need broader device access
      PrivateIPC = true;
      UMask = "0077";

      # Kernel interfaces. ProtectKernelTunables makes /proc/sys and /sys
      # read-only; ProtectKernelModules forbids explicit module loading.
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";

      # Privileges and process restrictions.
      PrivateUsers = true; # may conflict with per-VM user handling
      NoNewPrivileges = true;
      MemoryDenyWriteExecute = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictNamespaces = true;

      # Predefined syscall group; adjust to the VM operations in use.
      SystemCallFilter = [ "@system-service" ];
      SystemCallArchitectures = "native";

      # Network: IP families may be opened, but IPAddressDeny drops all IP
      # traffic until it is relaxed.
      RestrictAddressFamilies = "AF_INET AF_INET6";
      IPAddressDeny = "any";
    };
  };
  # Sandbox overrides for virtvboxd (libvirt VirtualBox driver daemon).
  systemd.services.virtvboxd = {
    serviceConfig = {
      # Filesystem and devices.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true; # VMs may need access to certain devices
      PrivateIPC = true;
      UMask = "0077";

      # Kernel interfaces. These are restrictions: /proc/sys and /sys become
      # read-only and explicit module loading is refused.
      # NOTE(review): check both against what the hypervisor driver needs.
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";

      # Privileges and process restrictions.
      PrivateUsers = true; # may conflict with per-VM user handling
      NoNewPrivileges = true;
      MemoryDenyWriteExecute = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictNamespaces = true;

      # Predefined syscall group; adjust to the VM operations in use.
      SystemCallFilter = [ "@system-service" ];
      SystemCallArchitectures = "native";

      # Network: IP families may be opened, but IPAddressDeny drops all IP
      # traffic until it is relaxed.
      RestrictAddressFamilies = "AF_INET AF_INET6";
      IPAddressDeny = "any";
    };
  };
  555. }