Diffstat (limited to 'nixpkgs/nixos/modules/profiles/hardened.nix')
-rw-r--r--nixpkgs/nixos/modules/profiles/hardened.nix33
1 files changed, 33 insertions, 0 deletions
diff --git a/nixpkgs/nixos/modules/profiles/hardened.nix b/nixpkgs/nixos/modules/profiles/hardened.nix
index 87bf66333c61..97279a78a57b 100644
--- a/nixpkgs/nixos/modules/profiles/hardened.nix
+++ b/nixpkgs/nixos/modules/profiles/hardened.nix
@@ -89,4 +89,37 @@ with lib;
   #
   # The value is taken from the KSPP recommendations (Debian uses 4096).
   boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536;
+
+  # Disable ftrace debugging
+  boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;
+
+  # Enable reverse path filtering (that is, do not attempt to route packets
+  # that "obviously" do not belong to the iface's network; dropped packets are
+  # logged as martians).
+  boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;
+  boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault true;
+  boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true;
+  boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault true;
+
+  # Ignore broadcast ICMP (mitigate SMURF)
+  boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
+
+  # Ignore route information from sender
+  boot.kernel.sysctl."net.ipv4.conf.all.accept_source_route" = mkDefault false;
+  boot.kernel.sysctl."net.ipv4.conf.default.accept_source_route" = mkDefault false;
+  boot.kernel.sysctl."net.ipv6.conf.all.accept_source_route" = mkDefault false;
+  boot.kernel.sysctl."net.ipv6.conf.default.accept_source_route" = mkDefault false;
+
+  # Ignore incoming ICMP redirects (note: default is needed to ensure that the
+  # setting is applied to interfaces added after the sysctls are set)
+  boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false;
+  boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = mkDefault false;
+  boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = mkDefault false;
+  boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = mkDefault false;
+  boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = mkDefault false;
+  boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = mkDefault false;
+
+  # Ignore outgoing ICMP redirects (this is ipv4 only)
+  boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false;
+  boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false;
 }
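Review bot: The `net.ipv4.conf.{all,default}.rp_filter = mkDefault true` lines enable reverse-path filtering in strict mode, assuming the sysctl module renders `true` as `1`; because the kernel applies the maximum of the `all` and per-interface values, setting `all` forces strict mode on every interface, which silently drops legitimate traffic on multi-homed or policy-routed hosts (RFC 3704 recommends loose mode, `2`, where routing may be asymmetric). The comment above those lines should state the mode and the escape hatch, e.g. `# Strict mode (1); hosts with asymmetric routing should override this to 2 (loose).`, and writing the value as an explicit `1` would make the chosen mode visible without knowing how booleans are rendered. Separately, `kernel.ftrace_enabled = mkDefault false` is a runtime toggle that a privileged process can flip back on, so `# Disable ftrace debugging` overstates it; `# Disable ftrace at runtime (tracing support stays compiled in and root can re-enable it)` is the honest description.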