nixpkgs/nixos/modules/profiles/hardened.nix

# A profile with most (vanilla) hardening options enabled by default,
# potentially at the cost of features and performance.

{ config, lib, pkgs, ... }:

with lib;

{
  boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;

  security.hideProcessInformation = mkDefault true;

  security.lockKernelModules = mkDefault true;

  security.apparmor.enable = mkDefault true;

  boot.kernelParams = [
    # Overwrite free'd memory
    "page_poison=1"

    # Disable legacy virtual syscalls
    "vsyscall=none"

    # Disable hibernation (allows replacing the running kernel)
    "nohibernate"
  ];

  boot.blacklistedKernelModules = [
    # Obscure network protocols
    "ax25"
    "netrom"
    "rose"
  ];

  # Restrict ptrace() usage to processes with a pre-defined relationship
  # (e.g., parent/child)
  boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;

  # Prevent replacing the running kernel image w/o reboot
  boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;

  # Restrict access to kernel ring buffer (information leaks)
  boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true;

  # Hide kptrs even for processes with CAP_SYSLOG
  boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;

  # Unprivileged access to bpf() has been used for privilege escalation in
  # the past
  boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = mkDefault true;

  # Disable bpf() JIT (to eliminate spray attacks)
  boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;

  # ... or at least apply some hardening to it
  boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true;

  # A recurring problem with user namespaces is that there are
  # still code paths where the kernel's permission checking logic
  # fails to account for namespacing, instead permitting a
  # namespaced process to act outside the namespace with the
  # same privileges as it would have inside it.  This is particularly
  # bad in the common case of running as root within the namespace.
  #
  # Setting the number of allowed user namespaces to 0 effectively disables
  # the feature at runtime.  Attempting to create a user namespace
  # with unshare will then fail with "no space left on device".
  boot.kernel.sysctl."user.max_user_namespaces" = mkDefault 0;

  # Raise ASLR entropy for 64bit & 32bit, respectively.
  #
  # Note: mmap_rnd_compat_bits may not exist on 64bit.
  boot.kernel.sysctl."vm.mmap_rnd_bits" = mkDefault 32;
  boot.kernel.sysctl."vm.mmap_rnd_compat_bits" = mkDefault 16;

  # Allowing users to mmap() memory starting at virtual address 0 can turn a
  # NULL dereference bug in the kernel into code execution with elevated
  # privilege.  Mitigate by enforcing a minimum base addr beyond the NULL memory
  # space.  This breaks applications that require mapping the 0 page, such as
  # dosemu or running 16bit applications under wine.  It also breaks older
  # versions of qemu.
  #
  # The value is taken from the KSPP recommendations (Debian uses 4096).
  boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536;
}
nixos: add a "hardened" profile The idea is to provide a convenient way to enable most vanilla hardening features in one go. The hardened profile, then, will serve as a place for features that enhance security but cannot be enabled for all deployments because they interfere with legitimate use cases (e.g., using ptrace to debug problems in an already running process). Closes https://github.com/NixOS/nixpkgs/pull/24680 2017-04-06 14:54:45 +02:00			`# A profile with most (vanilla) hardening options enabled by default,`
			`# potentially at the cost of features and performance.`

			`{ config, lib, pkgs, ... }:`

			`with lib;`

			`{`
nixos/hardened profile: use the linux_hardened kernel 2017-04-30 01:22:32 +02:00			`boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;`

nixos: add a "hardened" profile The idea is to provide a convenient way to enable most vanilla hardening features in one go. The hardened profile, then, will serve as a place for features that enhance security but cannot be enabled for all deployments because they interfere with legitimate use cases (e.g., using ptrace to debug problems in an already running process). Closes https://github.com/NixOS/nixpkgs/pull/24680 2017-04-06 14:54:45 +02:00			`security.hideProcessInformation = mkDefault true;`

nixos/hardened profile: lock kernel modules 2017-04-29 22:46:20 +02:00			`security.lockKernelModules = mkDefault true;`

nixos: add a "hardened" profile The idea is to provide a convenient way to enable most vanilla hardening features in one go. The hardened profile, then, will serve as a place for features that enhance security but cannot be enabled for all deployments because they interfere with legitimate use cases (e.g., using ptrace to debug problems in an already running process). Closes https://github.com/NixOS/nixpkgs/pull/24680 2017-04-06 14:54:45 +02:00			`security.apparmor.enable = mkDefault true;`

nixos/hardened profile: disable legacy virtual syscalls This eliminates a theoretical risk of ASLR bypass due to the fixed address mapping used by the legacy vsyscall mechanism. Modern glibc use vdso(7) instead so there is no loss of functionality, but some programs may fail to run in this configuration. Programs that fail to run because vsyscall has been disabled will be logged to dmesg. For background on virtual syscalls see https://lwn.net/Articles/446528/ Closes https://github.com/NixOS/nixpkgs/pull/25289 2017-04-29 17:27:08 +02:00			`boot.kernelParams = [`
nixos/hardened profile: use the linux_hardened kernel 2017-04-30 01:22:32 +02:00			`# Overwrite free'd memory`
			`"page_poison=1"`

nixos/hardened profile: disable legacy virtual syscalls This eliminates a theoretical risk of ASLR bypass due to the fixed address mapping used by the legacy vsyscall mechanism. Modern glibc use vdso(7) instead so there is no loss of functionality, but some programs may fail to run in this configuration. Programs that fail to run because vsyscall has been disabled will be logged to dmesg. For background on virtual syscalls see https://lwn.net/Articles/446528/ Closes https://github.com/NixOS/nixpkgs/pull/25289 2017-04-29 17:27:08 +02:00			`# Disable legacy virtual syscalls`
			`"vsyscall=none"`
nixos/hardened profile: disable hibernation Recommended by KSPP 2017-04-30 11:57:12 +02:00
			`# Disable hibernation (allows replacing the running kernel)`
			`"nohibernate"`
nixos/hardened profile: disable legacy virtual syscalls This eliminates a theoretical risk of ASLR bypass due to the fixed address mapping used by the legacy vsyscall mechanism. Modern glibc use vdso(7) instead so there is no loss of functionality, but some programs may fail to run in this configuration. Programs that fail to run because vsyscall has been disabled will be logged to dmesg. For background on virtual syscalls see https://lwn.net/Articles/446528/ Closes https://github.com/NixOS/nixpkgs/pull/25289 2017-04-29 17:27:08 +02:00			`];`

nixos/hardened: blacklist a few obscure net protocols 2017-09-03 01:49:01 +02:00			`boot.blacklistedKernelModules = [`
			`# Obscure network protocols`
			`"ax25"`
			`"netrom"`
			`"rose"`
			`];`

nixos: add a "hardened" profile The idea is to provide a convenient way to enable most vanilla hardening features in one go. The hardened profile, then, will serve as a place for features that enhance security but cannot be enabled for all deployments because they interfere with legitimate use cases (e.g., using ptrace to debug problems in an already running process). Closes https://github.com/NixOS/nixpkgs/pull/24680 2017-04-06 14:54:45 +02:00			`# Restrict ptrace() usage to processes with a pre-defined relationship`
			`# (e.g., parent/child)`
			`boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;`

			`# Prevent replacing the running kernel image w/o reboot`
			`boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;`

			`# Restrict access to kernel ring buffer (information leaks)`
			`boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true;`

			`# Hide kptrs even for processes with CAP_SYSLOG`
			`boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;`

			`# Unprivileged access to bpf() has been used for privilege escalation in`
			`# the past`
			`boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = mkDefault true;`

			`# Disable bpf() JIT (to eliminate spray attacks)`
			`boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;`

			`# ... or at least apply some hardening to it`
			`boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true;`
nixos/hardened profile: disable user namespaces at runtime 2017-04-30 14:41:56 +02:00
			`# A recurring problem with user namespaces is that there are`
			`# still code paths where the kernel's permission checking logic`
			`# fails to account for namespacing, instead permitting a`
			`# namespaced process to act outside the namespace with the`
			`# same privileges as it would have inside it. This is particularly`
			`# bad in the common case of running as root within the namespace.`
			`#`
nixos: replaced "userns" with "user namespaces" for clarity "userns" wasn't introduces as an abbreviation elsewhere as far as I can see, and I wasn't sure what was meant at first. 2017-06-22 22:04:34 +02:00			`# Setting the number of allowed user namespaces to 0 effectively disables`
nixos/hardened profile: disable user namespaces at runtime 2017-04-30 14:41:56 +02:00			`# the feature at runtime. Attempting to create a user namespace`
			`# with unshare will then fail with "no space left on device".`
			`boot.kernel.sysctl."user.max_user_namespaces" = mkDefault 0;`
nixos/hardened profile: increase ASLR entropy 2017-08-13 00:17:43 +02:00
			`# Raise ASLR entropy for 64bit & 32bit, respectively.`
			`#`
			`# Note: mmap_rnd_compat_bits may not exist on 64bit.`
			`boot.kernel.sysctl."vm.mmap_rnd_bits" = mkDefault 32;`
			`boot.kernel.sysctl."vm.mmap_rnd_compat_bits" = mkDefault 16;`
nixos/hardened: set mmap_min_addr This is set in the hardened linux config as well but sysctl is more flexible & works with any boot.kernelPackages 2017-09-03 01:48:46 +02:00
			`# Allowing users to mmap() memory starting at virtual address 0 can turn a`
			`# NULL dereference bug in the kernel into code execution with elevated`
			`# privilege. Mitigate by enforcing a minimum base addr beyond the NULL memory`
			`# space. This breaks applications that require mapping the 0 page, such as`
			`# dosemu or running 16bit applications under wine. It also breaks older`
			`# versions of qemu.`
			`#`
			`# The value is taken from the KSPP recommendations (Debian uses 4096).`
			`boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536;`
nixos: add a "hardened" profile The idea is to provide a convenient way to enable most vanilla hardening features in one go. The hardened profile, then, will serve as a place for features that enhance security but cannot be enabled for all deployments because they interfere with legitimate use cases (e.g., using ptrace to debug problems in an already running process). Closes https://github.com/NixOS/nixpkgs/pull/24680 2017-04-06 14:54:45 +02:00			`}`