some security updates
This commit is contained in:
parent
cd74c7b0d4
commit
1722c0cf66
9 changed files with 144 additions and 11 deletions
8
hosts/thinkpad/auditd.nix
Normal file
8
hosts/thinkpad/auditd.nix
Normal file
|
|
@ -0,0 +1,8 @@
|
|||
{ ... }:
|
||||
{
|
||||
security.auditd.enable = true;
|
||||
security.audit.enable = true;
|
||||
security.audit.rules = [
|
||||
"-a exit,always -F arch=b64 -S execve"
|
||||
];
|
||||
}
|
||||
|
|
@ -5,9 +5,13 @@
|
|||
[ (import ./hardware-configuration.nix) ] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix
|
||||
(import ../../modules/desktop/virtualisation/default.nix) ++
|
||||
(import ../../modules/hardware/default.nix) ++
|
||||
# (import ./auditd.nix) ++
|
||||
[ (import ./sysctl.nix) ] ++
|
||||
[ (import ./kernel.nix) ] ++
|
||||
[ (import ./auditd.nix) ] ++
|
||||
[ (import ./openssh.nix) ] ++
|
||||
[ (import ../../modules/desktop/hyprland/default.nix) ]; # Window Manager
|
||||
|
||||
|
||||
hardware.sane = {
|
||||
# Used for scanning with Xsane
|
||||
enable = true;
|
||||
|
|
@ -34,6 +38,8 @@
|
|||
tailscale.enable = true;
|
||||
};
|
||||
|
||||
networking.firewall.trustedInterfaces = [ "tailscale0" ];
|
||||
|
||||
#temporary bluetooth fix
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /var/lib/bluetooth 700 root root - -"
|
||||
|
|
|
|||
24
hosts/thinkpad/kernel.nix
Normal file
24
hosts/thinkpad/kernel.nix
Normal file
|
|
@ -0,0 +1,24 @@
|
|||
{ config, pkgs, stdenv, ... }:
|
||||
|
||||
{
|
||||
boot.kernelPackages = pkgs.linuxPackages_hardened;
|
||||
boot.kernelParams = [
|
||||
# Disable slab merging to prevent heap exploitation
|
||||
"slab_nomerge"
|
||||
# Enable zeroing memory during allocation and free time
|
||||
"init_on_alloc=1"
|
||||
"init_on_free=1"
|
||||
# Randomize page allocator freelists
|
||||
"page_alloc.shuffle=1"
|
||||
# Mitigations
|
||||
"pti=on"
|
||||
|
||||
"vsyscall=none"
|
||||
"debugfs=off"
|
||||
"oops=panic"
|
||||
|
||||
# Enable lockdown LSM
|
||||
"lockdown=confidentiality"
|
||||
];
|
||||
|
||||
}
|
||||
11
hosts/thinkpad/openssh.nix
Normal file
11
hosts/thinkpad/openssh.nix
Normal file
|
|
@ -0,0 +1,11 @@
|
|||
{ ... }:
|
||||
{
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
settings = {
|
||||
PasswordAuthentication = false;
|
||||
challengeResponseAuthentication = false;
|
||||
PermitRootLogin = "no";
|
||||
};
|
||||
};
|
||||
}
|
||||
60
hosts/thinkpad/sysctl.nix
Normal file
60
hosts/thinkpad/sysctl.nix
Normal file
|
|
@ -0,0 +1,60 @@
|
|||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
boot.kernel.sysctl = {
|
||||
# Restrict kernel pointers
|
||||
"kernel.kptr_restrict" = 2;
|
||||
|
||||
"kernel.dmesg_restrict" = 1;
|
||||
|
||||
# Restrict eBPF
|
||||
"kernel.unprivileged_bpf_disabled" = 1;
|
||||
|
||||
# Harden JIT
|
||||
"net.core.bpf_jit_harden" = 2;
|
||||
|
||||
"dev.tty.ldisc_autoload" = 0;
|
||||
"vm.unprivileged_userfaultfd" = 0;
|
||||
|
||||
# Disable loading other kernels at runtime
|
||||
"kernel.kexec_load_disabled" = 1;
|
||||
|
||||
# Disable SysRq key for non-users (can be used in remote exploits)
|
||||
"kernel.sysrq" = 4;
|
||||
|
||||
"kernel.perf_event_paranoid" = 3;
|
||||
"kernel.unprivileged_userns_clone" = 1;
|
||||
|
||||
## NETWORK
|
||||
|
||||
# SYN flood attack prevention
|
||||
"net.ipv4.tcp_syncookies" = 1;
|
||||
|
||||
# Prevent IP spoofing
|
||||
"net.ipv4.conf.all.rp_filter" = 1;
|
||||
"net.ipv4.conf.default.rp_filter" = 1;
|
||||
|
||||
# MITM attack prevention (disable redirect acceptance)
|
||||
"net.ipv4.conf.all.accept_redirects" = 0;
|
||||
"net.ipv4.conf.default.accept_redirects" = 0;
|
||||
"net.ipv4.conf.all.secure_redirects" = 0;
|
||||
"net.ipv4.conf.default.secure_redirects" = 0;
|
||||
"net.ipv6.conf.all.accept_redirects" = 0;
|
||||
"net.ipv6.conf.default.accept_redirects" = 0;
|
||||
"net.ipv4.conf.all.send_redirects" = 0;
|
||||
"net.ipv4.conf.default.send_redirects" = 0;
|
||||
|
||||
# Clock fingerprinting prevention (disabled ICMP requests)
|
||||
"net.ipv4.icmp_echo_ignore_all" = 1;
|
||||
|
||||
# Restrict ptrace usage
|
||||
"kernel.yama.ptrace_scope" = 2;
|
||||
|
||||
# ASLR exploit mitigation
|
||||
"vm.mmap_rnd_bits" = 32;
|
||||
"vm.mmap_rnd_compat_bits" = 16;
|
||||
|
||||
"fs.protected_fifos" = 2;
|
||||
"fs.protected_regular" = 2;
|
||||
};
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue