diff options
| author | Alyssa Ross <hi@alyssa.is> | 2019-08-31 11:57:05 +0000 |
|---|---|---|
| committer | Alyssa Ross <hi@alyssa.is> | 2019-09-16 22:04:28 +0000 |
| commit | a0842e8b20cbe1ed717b72775428d1f8fc047fa4 (patch) | |
| tree | b86d0614a477f7e092d626d59b888d085aaca400 /nixpkgs/nixos/modules/profiles | |
| parent | c36b32d476b520ed0d2a37cd0973f98583d6dc7c (diff) | |
| parent | 8d1510abfb592339e13ce8f6db6f29c1f8b72924 (diff) | |
| download | nixlib-a0842e8b20cbe1ed717b72775428d1f8fc047fa4.tar nixlib-a0842e8b20cbe1ed717b72775428d1f8fc047fa4.tar.gz nixlib-a0842e8b20cbe1ed717b72775428d1f8fc047fa4.tar.bz2 nixlib-a0842e8b20cbe1ed717b72775428d1f8fc047fa4.tar.lz nixlib-a0842e8b20cbe1ed717b72775428d1f8fc047fa4.tar.xz nixlib-a0842e8b20cbe1ed717b72775428d1f8fc047fa4.tar.zst nixlib-a0842e8b20cbe1ed717b72775428d1f8fc047fa4.zip | |
Merge commit '8d1510abfb592339e13ce8f6db6f29c1f8b72924'
Diffstat (limited to 'nixpkgs/nixos/modules/profiles')
| -rw-r--r-- | nixpkgs/nixos/modules/profiles/hardened.nix | 18 |
1 files changed, 5 insertions, 13 deletions
diff --git a/nixpkgs/nixos/modules/profiles/hardened.nix b/nixpkgs/nixos/modules/profiles/hardened.nix index 3ff9a2b4fde0..626d8b1d2bde 100644 --- a/nixpkgs/nixos/modules/profiles/hardened.nix +++ b/nixpkgs/nixos/modules/profiles/hardened.nix @@ -14,8 +14,6 @@ with lib; nix.allowedUsers = mkDefault [ "@users" ]; - environment.memoryAllocator.provider = mkDefault "graphene-hardened"; - security.hideProcessInformation = mkDefault true; security.lockKernelModules = mkDefault true; @@ -95,23 +93,17 @@ with lib; # Disable ftrace debugging boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false; - # Enable reverse path filtering (that is, do not attempt to route packets - # that "obviously" do not belong to the iface's network; dropped packets are - # logged as martians). + # Enable strict reverse path filtering (that is, do not attempt to route + # packets that "obviously" do not belong to the iface's network; dropped + # packets are logged as martians). boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true; - boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault true; + boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1"; boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true; - boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault true; + boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1"; # Ignore broadcast ICMP (mitigate SMURF) boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true; - # Ignore route information from sender - boot.kernel.sysctl."net.ipv4.conf.all.accept_source_route" = mkDefault false; - boot.kernel.sysctl."net.ipv4.conf.default.accept_source_route" = mkDefault false; - boot.kernel.sysctl."net.ipv6.conf.all.accept_source_route" = mkDefault false; - boot.kernel.sysctl."net.ipv6.conf.default.accept_source_route" = mkDefault false; - # Ignore incoming ICMP redirects (note: default is needed to ensure that the # setting is applied to interfaces added after the sysctls are set) boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false; |