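# you can find out what's recommended for you by following these steps
# > sudo sysctl -a > sysctl.txt
# > kernel-hardening-checker -l /proc/cmdline -c /proc/config.gz -s ./sysctl.txt
#
# better read up
# https://docs.kernel.org/admin-guide/sysctl/vm.html
#
# a good place to quickly find what each setting does
# https://sysctl-explorer.net/
#
# we disable sysctl tweaks on wsl since they don't work
#
# NOTE: several of these knobs are one-way once written (kernel.yama.ptrace_scope = 3,
# kernel.unprivileged_bpf_disabled = 1, kernel.kexec_load_disabled = 1). Lowering them
# again in this file takes effect only after a reboot, not on `nixos-rebuild switch`.
{
  lib,
  config,
  options,
  ...
}:
{
  # `options ? "wsl"` is true when the nixos-wsl module is imported; sysctl writes
  # don't take effect there, so the whole set is skipped.
  boot.kernel.sysctl = lib.mkIf (!(options ? "wsl")) {
    # The Magic SysRq key is a key combo that allows users connected to the
    # system console of a Linux kernel to perform some low-level commands.
    # Disable it, since we don't need it, and it is a potential security concern.
    "kernel.sysrq" = 0;

    # Restrict ptrace() usage: 3 means no process may attach or request tracing,
    # which also breaks debuggers and crash handlers that attach to a running
    # process. Sticky until reboot.
    "kernel.yama.ptrace_scope" = 3;

    # Hide kernel pointers (%pK) even from processes with CAP_SYSLOG
    "kernel.kptr_restrict" = 2;

    # Disable the bpf() JIT to remove JIT spraying as a target. Two caveats:
    # - the scx scheduler needs the JIT, so this follows services.scx.enable
    #   <https://github.com/isabelroses/dotfiles/issues/591>
    # - on a kernel built with CONFIG_BPF_JIT_ALWAYS_ON the JIT cannot be turned
    #   off (the sysctl floor is 1 and a write of 0 is rejected, I believe). Check
    #   `zcat /proc/config.gz | grep BPF_JIT_ALWAYS_ON`; if it is set, this line is
    #   a no-op and net.core.bpf_jit_harden below is the mitigation that applies.
    "net.core.bpf_jit_enable" = config.services.scx.enable;

    # Disable ftrace debugging
    "kernel.ftrace_enabled" = false;

    # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
    "kernel.dmesg_restrict" = 1;

    # Never core-dump setuid binaries (their memory may hold privileged data)
    "fs.suid_dumpable" = 0;

    # Restrict perf_event_open(). As far as I can tell mainline kernels (what NixOS
    # ships) stop at level 2 (no kernel profiling without CAP_PERFMON/CAP_SYS_ADMIN)
    # and treat 3 like 2; the stricter "no perf at all without CAP_SYS_ADMIN" meaning
    # of 3 only exists on Debian/Ubuntu/Android patched kernels.
    "kernel.perf_event_paranoid" = 3;

    # Disallow bpf() for processes without CAP_BPF/CAP_SYS_ADMIN.
    # 1 is sticky until reboot; 2 would let a privileged process re-enable it.
    "kernel.unprivileged_bpf_disabled" = true;

    # Prevent boot console log leaking information (console loglevel 3 = errors only)
    "kernel.printk" = "3 3 3 3";

    # Restrict loading TTY line disciplines to the CAP_SYS_MODULE capability to
    # prevent unprivileged users from loading vulnerable line disciplines
    "dev.tty.ldisc_autoload" = 0;

    # Kexec allows replacing the current running kernel. There may be an edge case where
    # you wish to boot into a different kernel, but I do not require kexec. Disabling it
    # closes a potential security hole in our system. One-way until reboot.
    "kernel.kexec_load_disabled" = true;

    # Disable the TIOCSTI ioctl, which allows a user to insert characters into the input
    # queue of a terminal; it has long been used in privilege escalation. The sysctl
    # exists on kernels >= 6.2 only (CONFIG_LEGACY_TIOCSTI); on older kernels the
    # write simply fails.
    "dev.tty.legacy_tiocsti" = 0;

    # Disable late module loading: we already load the modules we need. This is
    # one-way until reboot and currently breaks boot, so track down which modules
    # are still loaded late before enabling it.
    # FIXME: breaks boot, see above
    # "kernel.modules_disabled" = 1;

    # Constant blinding for the BPF JIT: 1 = unprivileged programs only, 2 = all
    # programs. It costs JIT performance, but is the mitigation to enable when the
    # JIT cannot be disabled (see net.core.bpf_jit_enable above).
    # "net.core.bpf_jit_harden" = 2;

    # awesome stuff from
    # https://github.com/NixOS/nixpkgs/pull/391473/
    #
    # Mitigate some TOCTOU vulnerabilities
    # cf. https://www.kernel.org/doc/Documentation/admin-guide/sysctl/fs.rst
    #
    # Don't allow O_CREAT open on FIFOs not owned by the user in world- or
    # group-writable sticky directories (e.g. /tmp), unless owned by the
    # directory owner
    "fs.protected_fifos" = 2;

    # Don't allow users to create hardlinks unless they own the source
    # file or have read/write access to it
    "fs.protected_hardlinks" = 1;

    # Don't allow O_CREAT open on regular files not owned by user in world-
    # or group-writable sticky directories (e.g. /tmp), unless owned by the
    # directory owner
    "fs.protected_regular" = 2;

    # Don't follow symlinks in sticky world-writable directories (e.g. /tmp),
    # unless the user ID of the follower matches the symlink, or the
    # directory owner matches the symlink
    "fs.protected_symlinks" = 1;
  };
}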