summaryrefslogtreecommitdiff
path: root/modules/security
diff options
context:
space:
mode:
Diffstat (limited to 'modules/security')
-rw-r--r--modules/security/apparmor.nix22
-rw-r--r--modules/security/audit.nix10
-rw-r--r--modules/security/default.nix12
-rw-r--r--modules/security/kernel.nix160
-rw-r--r--modules/security/pam.nix50
-rw-r--r--modules/security/polkit.nix3
-rw-r--r--modules/security/sudo.nix76
-rw-r--r--modules/security/tpm.nix16
8 files changed, 319 insertions, 30 deletions
diff --git a/modules/security/apparmor.nix b/modules/security/apparmor.nix
new file mode 100644
index 0000000..a469add
--- /dev/null
+++ b/modules/security/apparmor.nix
@@ -0,0 +1,22 @@
+{ pkgs, config, ... }:
+{
+ environment.systemPackages = with pkgs; [
+ apparmor-pam
+ apparmor-utils
+ apparmor-parser
+ apparmor-profiles
+ apparmor-bin-utils
+ apparmor-kernel-patches
+ libapparmor
+ ];
+
+ services.dbus.apparmor = "enabled";
+
+ security.apparmor = {
+ enable = true;
+ enableCache = true;
+ killUnconfinedConfinables = true;
+ packages = [ pkgs.apparmor-profiles ];
+ policies.dummy.profile = "/dummy { }";
+ };
+}
diff --git a/modules/security/audit.nix b/modules/security/audit.nix
index 67dce9d..e5d820a 100644
--- a/modules/security/audit.nix
+++ b/modules/security/audit.nix
@@ -1,6 +1,10 @@
{
- security.audit = {
- enable = true;
- rules = [ "-a exit,always -F arch=b64 -S execve" ];
+ security = {
+ auditd.enable = true;
+
+ audit = {
+ enable = true;
+ rules = [ "-a exit,always -F arch=b64 -S execve" ];
+ };
};
}
diff --git a/modules/security/default.nix b/modules/security/default.nix
index 06302ea..48cc702 100644
--- a/modules/security/default.nix
+++ b/modules/security/default.nix
@@ -3,22 +3,22 @@
lib,
...
}:
-let
- inherit (lib.modules) mkForce;
-in
{
imports = [
+ ./apparmor.nix
./audit.nix
./doas.nix
+ ./kernel.nix
+ ./pam.nix
./pki.nix
./polkit.nix
./sudo.nix
- ./tpm.nix
];
security = {
- auditd.enable = true;
- rtkit.enable = mkForce config.services.pipewire.enable;
+ rtkit.enable = lib.modules.mkForce config.services.pipewire.enable;
virtualisation.flushL1DataCache = "always";
};
+
+ programs.firejail.enable = true;
}
diff --git a/modules/security/kernel.nix b/modules/security/kernel.nix
new file mode 100644
index 0000000..62b2f28
--- /dev/null
+++ b/modules/security/kernel.nix
@@ -0,0 +1,160 @@
+{ lib, ... }:
+{
+ boot = {
+ # https://docs.kernel.org/admin-guide/sysctl/vm.html
+ kernel.sysctl = {
+ # The Magic SysRq key is a key combo that allows users connected to the
+ # system console of a Linux kernel to perform some low-level commands.
+ # Disable it, since we don't need it, and is a potential security concern.
+ "kernel.sysrq" = lib.mkForce 0;
+
+ # Restrict ptrace() usage to processes with a pre-defined relationship
+ # (e.g., parent/child)
+ # FIXME: this breaks game launchers, find a way to launch them with privileges (steam)
+ # gamescope wrapped with the capabilities *might* solve the issue
+ # spoiler: it didn't
+ # "kernel.yama.ptrace_scope" = 2;
+
+ # Hide kptrs even for processes with CAP_SYSLOG
+ # also prevents printing kernel pointers
+ "kernel.kptr_restrict" = 2;
+
+ # Disable bpf() JIT (to eliminate spray attacks)
+ "net.core.bpf_jit_enable" = false;
+
+ # Disable ftrace debugging
+ "kernel.ftrace_enabled" = false;
+
+ # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
+ "kernel.dmesg_restrict" = 1;
+
+ # Prevent creating files in potentially attacker-controlled environments such
+ # as world-writable directories to make data spoofing attacks more difficult
+ "fs.protected_fifos" = 2;
+
+ # Prevent unintended writes to already-created files
+ "fs.protected_regular" = 2;
+
+ # Disable SUID binary dump
+ "fs.suid_dumpable" = 0;
+
+ # Prevent unprivileged users from creating hard or symbolic links to files
+ "fs.protected_symlinks" = 1;
+ "fs.protected_hardlinks" = 1;
+
+ # Disable late module loading
+ # "kernel.modules_disabled" = 1;
+
+ # Disallow profiling at all levels without CAP_SYS_ADMIN
+ "kernel.perf_event_paranoid" = 3;
+
+ # Require CAP_BPF to use bpf
+ "kernel.unprivileged_bpf_disabled" = true;
+
+ # Prevent boot console kernel log information leaks
+ "kernel.printk" = "3 3 3 3";
+
+ # Restrict loading TTY line disciplines to the CAP_SYS_MODULE capability to
+ # prevent unprivileged attackers from loading vulnerable line disciplines with
+ # the TIOCSETD ioctl
+ "dev.tty.ldisc_autoload" = 0;
+
+ # Kexec allows replacing the current running kernel. There may be an edge case where
+ # you wish to boot into a different kernel, but I do not require kexec. Disabling it
+ # patches a potential security hole in our system.
+ "kernel.kexec_load_disabled" = true;
+
+ # Borrowed by NixOS/nixpkgs. Since the security module does not explain what those
+ # options do, it is up you to educate yourself dear reader.
+ # See:
+ # - <https://docs.kernel.org/admin-guide/sysctl/vm.html#mmap-rnd-bits>
+ # - <https://docs.kernel.org/admin-guide/sysctl/vm.html#mmap-min-addr>
+ "vm.mmap_rnd_bits" = 32;
+ "vm.mmap_min_addr" = 65536;
+ };
+
+ # https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
+ kernelParams = [
+ # I'm sure we break hibernation in at least 5 other sections of this config, so
+ # let's disable hibernation explicitly. Allowing hibernation makes it possible
+ # to replace the booted kernel with a malicious one, akin to kexec. This helps
+ # us prevent an attack called "Evil Maid" where an attacker with physical access
+ # to the device. P.S. I chose to mention "Evil Maid" specifically because it sounds
+ # funny. Do not think that is the only attack you are vulnerable to.
+ # See: <https://en.wikipedia.org/wiki/Evil_maid_attack>
+ "nohibernate"
+
+ # make stack-based attacks on the kernel harder
+ "randomize_kstack_offset=on"
+
+ # Disable vsyscalls as they are obsolete and have been replaced with vDSO.
+ # vsyscalls are also at fixed addresses in memory, making them a potential
+ # target for ROP attacks
+ # this breaks really old binaries for security
+ "vsyscall=none"
+
+ # reduce most of the exposure of a heap attack to a single cache
+ # Disable slab merging which significantly increases the difficulty of heap
+ # exploitation by preventing overwriting objects from merged caches and by
+ # making it harder to influence slab cache layout
+ "slab_nomerge"
+
+ # Disable debugfs which exposes a lot of sensitive information about the
+ # kernel. Some programs, such as powertop, use this interface to gather
+ # information about the system, but it is not necessary for the system to
+ # actually publish those. I can live without it.
+ "debugfs=off"
+
+ # Sometimes certain kernel exploits will cause what is known as an "oops".
+ # This parameter will cause the kernel to panic on such oopses, thereby
+ # preventing those exploits
+ "oops=panic"
+
+ # Only allow kernel modules that have been signed with a valid key to be
+ # loaded, which increases security by making it much harder to load a
+ # malicious kernel module
+ "module.sig_enforce=1"
+
+ # The kernel lockdown LSM can eliminate many methods that user space code
+ # could abuse to escalate to kernel privileges and extract sensitive
+ # information. This LSM is necessary to implement a clear security boundary
+ # between user space and the kernel
+ # integrity: kernel features that allow userland to modify the running kernel
+ # are disabled
+ # confidentiality: kernel features that allow userland to extract confidential
+ # information from the kernel are also disabled
+ # ArchWiki recommends opting in for "integrity", however since we avoid modifying
+ # running kernel (by the virtue of using NixOS and locking module hot-loading) the
+ # confidentiality mode is a better solution.
+ "lockdown=confidentiality"
+
+ # enable buddy allocator free poisoning
+ # on: memory will befilled with a specific byte pattern
+ # that is unlikely to occur in normal operation.
+ # off (default): page poisoning will be disabled
+ "page_poison=on"
+
+ # performance improvement for direct-mapped memory-side-cache utilization
+ # reduces the predictability of page allocations
+ "page_alloc.shuffle=1"
+
+ # for debugging kernel-level slab issues
+ "slub_debug=FZP"
+
+ # ignore access time (atime) updates on files
+ # except when they coincide with updates to the ctime or mtime
+ "rootflags=noatime"
+
+ # linux security modules
+ "lsm=landlock,lockdown,yama,integrity,apparmor,bpf,tomoyo,selinux"
+
+ # prevent the kernel from blanking plymouth out of the fb
+ "fbcon=nodefer"
+
+ # the format that will be used for integrity audit logs
+ # 0 (default): basic integrity auditing messages
+ # 1: additional integrity auditing messages
+ "integrity_audit=1"
+ ];
+ };
+}
diff --git a/modules/security/pam.nix b/modules/security/pam.nix
new file mode 100644
index 0000000..b7eb426
--- /dev/null
+++ b/modules/security/pam.nix
@@ -0,0 +1,50 @@
+{
+ security = {
+ pam = {
+ loginLimits = [
+ {
+ domain = "@wheel";
+ item = "nofile";
+ type = "soft";
+ value = "524288";
+ }
+ {
+ domain = "@wheel";
+ item = "nofile";
+ type = "hard";
+ value = "1048576";
+ }
+ ];
+
+ services =
+ let
+ ttyAudit = {
+ enable = true;
+ enablePattern = "*";
+ };
+ in
+ {
+ swaylock.text = "auth include login";
+ gtklock.text = "auth include login";
+
+ login = {
+ inherit ttyAudit;
+
+ setLoginUid = true;
+ };
+
+ sshd = {
+ inherit ttyAudit;
+
+ setLoginUid = true;
+ };
+
+ sudo = {
+ inherit ttyAudit;
+
+ setLoginUid = true;
+ };
+ };
+ };
+ };
+}
diff --git a/modules/security/polkit.nix b/modules/security/polkit.nix
index 400ea87..786d1a0 100644
--- a/modules/security/polkit.nix
+++ b/modules/security/polkit.nix
@@ -1,6 +1,7 @@
+{ lib, ... }:
{
security.polkit = {
enable = true;
- debug = true;
+ debug = lib.modules.mkDefault true;
};
}
diff --git a/modules/security/sudo.nix b/modules/security/sudo.nix
index 5c79eaf..6623b71 100644
--- a/modules/security/sudo.nix
+++ b/modules/security/sudo.nix
@@ -1,7 +1,75 @@
+{ pkgs, lib, ... }:
+let
+ inherit (lib.modules) mkForce;
+in
{
- security.sudo = {
- enable = true;
- execWheelOnly = true;
- wheelNeedsPassword = false;
+ security = {
+ sudo-rs.enable = mkForce false;
+
+ sudo = {
+ enable = true;
+ execWheelOnly = mkForce true;
+ wheelNeedsPassword = lib.modules.mkDefault false;
+
+ extraConfig = ''
+ Defaults lecture = never
+ Defaults pwfeedback
+ Defaults env_keep += "EDITOR PATH DISPLAY"
+ Defaults timestamp_timeout = 300
+ '';
+
+ extraRules = [
+ {
+ groups = [ "wheel" ];
+ commands =
+ map
+ (rule: {
+ command = lib.meta.getExe' rule.package rule.command;
+ options = [ "NOPASSWD" ];
+ })
+ (
+ with pkgs;
+ [
+ {
+ package = coreutils;
+ command = "sync";
+ }
+ {
+ package = hdparm;
+ command = "hdparm";
+ }
+ {
+ package = nixos-rebuild;
+ command = "nixos-rebuild";
+ }
+ {
+ package = nvme-cli;
+ command = "nvme";
+ }
+ {
+ package = systemd;
+ command = "poweroff";
+ }
+ {
+ package = systemd;
+ command = "reboot";
+ }
+ {
+ package = systemd;
+ command = "shutdown";
+ }
+ {
+ package = systemd;
+ command = "systemctl";
+ }
+ {
+ package = util-linux;
+ command = "dmesg";
+ }
+ ]
+ );
+ }
+ ];
+ };
};
}
diff --git a/modules/security/tpm.nix b/modules/security/tpm.nix
deleted file mode 100644
index 3277d9f..0000000
--- a/modules/security/tpm.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-{ pkgs, ... }:
-{
- security.tpm2 = {
- enable = true;
- applyUdevRules = true;
- abrmd.enable = true;
- tctiEnvironment.enable = true;
- pkcs11.enable = true;
- };
-
- environment.systemPackages = with pkgs; [
- tpm2-tools
- tpm2-tss
- tpm2-abrmd
- ];
-}
generated by cgit v1.2.3 (git 2.25.1) at 2026-05-11 09:50:47 +0000