Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos: add a "hardened" profile #24680

Closed
wants to merge 1 commit into from
Closed

nixos: add a "hardened" profile #24680

wants to merge 1 commit into from

Conversation

joachifm
Copy link
Contributor

@joachifm joachifm commented Apr 6, 2017

Motivation for this change

Something like this has been brought up in relation to yama; since nobody else has proposed anything concrete (i.e., with implementation), I thought I might as well do so.

The idea is to provide a convenient way to enable most vanilla hardening features in one go. The hardened profile, then, will serve as a place for features that enhance security but cannot be enabled for all deployments because they interfere with legitimate use cases (e.g., using ptrace to debug problems in an already running process).

@joachifm
nixos: add a "hardened" profile
8f16111 
The idea is to provide a convenient way to enable most vanilla hardening
features in one go.  The hardened profile, then, will serve as a place for
features that enhance security but cannot be enabled for all deployments
because they interfere with legitimate use cases (e.g., using ptrace to
debug problems in an already running process).
@copumpkin
Copy link
Member

Any reason you're not including the grsecurity kernel in here?

Mic92
Mic92 reviewed Apr 6, 2017
View reviewed changes
nixos/modules/profiles/hardened.nix
boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;

# Prevent replacing the running kernel image w/o reboot
boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
Copy link
Member

@Mic92 Mic92 Apr 6, 2017
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am curious what is the reasoning behind this setting? Loading new kernel modules is still allowed, right?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The idea is to ensure the integrity of the kernel run-time; I had originally implemented module loading prevention here, too, but thought it more prudent to do that in a separate PR because it requires some more logic to really work. If/when the kernel loading stuff has been accepted, it'll be enabled here as well.

@joachifm
Copy link
Contributor Author

joachifm commented Apr 6, 2017

@copumpkin for strategic reasons, I've kept this as lightweight as possible. Also, most of these are superceded by grsec (one possible extension is to make it at least grsec aware; possibly enable grsec by default, with the current stuff as fallback).

@joachifm joachifm closed this in 063ac40 Apr 23, 2017
@copumpkin
Copy link
Member

@joachifm curious how you'd make it grsec-aware. I'm tempted to enable both this and grsecurity in some scenarios, but am unsure if things will get weird.

@joachifm joachifm deleted the hardened-nixos branch April 26, 2017 05:40
@joachifm
Copy link
Contributor Author

@copumpkin what I had in mind was to simply condition on config.security.grsecurity.enable as necessary :)

@copumpkin
Copy link
Member

Fair enough!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Mic92 Mic92 Mic92 left review comments

Assignees
No one assigned
Labels
6.topic: nixos 9.needs: community feedback
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@joachifm @copumpkin @Mic92