Whether to enable the nix-mineral module.

Extra options that are not part of the main configuration.

Modify entropy settings for improved security

Gather more entropy on boot.

Extra settings to harden the linux kernel.

Intel ME related kernel modules.

Disable this to avoid putting trust in the highly privilege ME system, but there are potentially other consequences.

Allow loading of kernel modules not only at boot via kernel commandline.

Be extra paranoid of potential kernel exploitation by inducing kernel panics on kernel warns and above.

Extra misc settings.

Most of those are relatively opinionated additional software.

Use an opinionated AppArmor configuration.

Creates a wrapper for doas to simulate sudo, with nano to utilize rnano as editor for editing as root.

Replace sudo with doas.

doas has a lower attack surface, but is less audited.

Use an opinionated SSH hardening config. Complies with ssh-audit.

Read what everything does first, or else you might get locked out.

This, for example, prevents root login AND password based login.

Enable USBGuard, a tool to restrict USB devices.

disable to avoid hassle with handling USB devices at all.

Enable USBGuard dbus daemon and add polkit rules to integrate USBGuard with GNOME Shell.

If you use GNOME, this means that USBGuard automatically allows all newly connected devices while unlocked, and blacklists all newly connected devices while locked. This is obviously very convenient, and is similar behavior to handling USB as ChromeOS and GrapheneOS.

Automatically allow all connected devices at boot in USBGuard.

If false, USB devices will be blocked until USBGuard is configured.

Extra settings for the network.

Enable bluetooth related kernel modules.

Disable TCP window scaling.

Extra settings for the system.

Use hardened-malloc as default memory allocator for all processes.

Lock the root account.

Reduce swappiness to bare minimum.

May reduce risk of writing sensitive information to disk, but hampers zram performance. Also useless if you do not even use a swap file/partition, i.e zram only setup.

Replace systemd-timesyncd with chrony for NTP, and configure chrony for NTS and to use the seccomp filter for security.

Enable or disable unprivileged user namespaces.

It has been the cause of many privilege escalation vulnerabilities, but can cause breakage. If false, this may break some applications that rely on user namespaces.

Enable zram so that memory is more likely to be compressed instead of written to disk, which may include sensitive information.

Improves storage lifespan and overall performance when swapping as a side effect.

Use systemd-tmpfiles to restrict file permissions in various folders.

Set to true to recursively make all files in /etc/nixos owned and readable only by root.

/etc/nixos is not owned by root by default, which can be hazardous as files that are included in the rebuild may be editable by unprivileged users.

Set to true to recursively restrict permissions of /home/$USER so that only the owner of the directory can access it (the user).

Utility for hardening filesystems and special filesystems.

Enable the filesystem hardening utility from nix-mineral.

Filesystem hardening.

Sets the device option as <name>, and the options: "bind", "nosuid", "noexec", "nodev" by default.

Location of the device.

Whether to enable the filesystem mount.

Options used to mount the file system.

If the value is false, the option is disabled.

If the value is an integer or a string, it is passed as "name=value".

Special Filesystem hardening.

Sets the option "noexec" by default.

Location of the device.

Whether to enable the filesystem mount.

Options used to mount the file system.

If the value is false, the option is disabled.

If the value is an integer or a string, it is passed as "name=value".

The preset (or presets) to use for the nix-mineral module. (all presets are applied on top of the default preset)

To select multiple presets, provide a list of preset names. The order of presets matters, the top ones will have more priority.

• default: only default settings.
• compatibility: disables or enables settings to aim at compatibility.
• maximum: enables every optional security setting to have maximum protection.
• performance: disables or enables settings to aim at performance.

nix-mineral settings.

Limit various debugging information to reduce info available to potential attackers.

Enable core dumps everywhere.

Core dumps contain a programs memory, usually after a crash, which could include sensitive information including encryption keys being written to the disk without any protection.

If false, this disables core dumps using a combination of sysctl, PAM, and systemd. These are grouped together, because the disablement of any individual one of these might otherwise make available a bypass.

Enable/disable the Linux debugfs, which exposes a lot of possibly sensitive information.

Only allow users with root privileges or CAP_SYSLOG to use dmesg.

If set to false, Disable both the EFI persistent storage feature and Error Record Serialization Table (ERST) support as a form of defense-in-depth.

This prevents the kernel from writing crash logs and other persistent data to the storage backend.

Display all kernel pointers as 0s regardless of user privileges when printed.

This may interfere with specific diagnostic and performance profiling tools.

Force the system to automatically reboot upon kernel panic instead of freezing.

This helps to mitigate denial of service attacks by automatically recovering and preventing the capture of information presented by a kernel panic screen.

This may inhibit debugging kernel panics, since the immediate reboot prevents immediate analysis of error messages which may be displayed.

If set to true, minimize information displayed during boot to reduce information available to an attacker.

Supress kernel messages via printk to only display log level 3 (error) messages or higher, e.g, more severe warnings.

This limits access to debugging information which can be used by an attacker.

Settings for entropy sources.

Turn on protection and randomize stack, vdso page and mmap + randomize brk base address.

Use the maximum number of bits of entropy to address space layout randomization, a widely used mitigation against memory exploits.

Disable trusting both the CPU's hardware random number generator and any entropy seed passed to the bootloader. We assume the hardware random number generation could be flawed.

Enable jitterentropy with both the daemon and the kernel module to provide additional entropy and compensate for disabled hardware entropy sources.

Modify files in /etc to limit attack surface.

Set machine-id to the Kicksecure machine-id, for privacy reasons.

Borrow Kicksecure bluetooth configuration for better bluetooth privacy and security.

Disables bluetooth automatically when not connected to any device.

Borrow Kicksecure gitconfig, disabling git symlinks and enabling fsck by default for better git security.

Borrow Kicksecure banner/issue.

Provides NO exploit resistance whatsoever, only serves as a deterrent to unauthorized access and to comply with Lynis.

There are no assurances that anything stated here is legally valid.

Borrow Kicksecure module blacklist.

"install "foobar" /bin/false" prevents the module from being loaded at all. "blacklist "foobar"" prevents the module from being loaded automatically at boot, but it can still be loaded afterwards.

Because the "install /bin/false" method does not register as a regular blacklist, this might cause issues with kernel module auditing e.g using Lynis. If so, you'll need to generate a whitelist.

Use an empty /etc/securetty to prevent root login on tty.

Settings meant to harden the linux kernel.

Set amd_iommu=force_isolation kernel parameter.

If you're not using an AMD CPU, this does nothing and can be safely ignored.

If set to false, prevent runaway privileged processes from writing to block devices to protect against runaway privileged processes causing filesystem corruption and kernel crashes.

Enable binfmt_misc.

Enable busmaster bit at boot, which may prevent some DMA attacks.

Including PID in core dumps if those are reenabled, otherwise, this does nothing.

If hideproc is enabled, this prevents some substitution attacks designed obtain sensitive information by predicting PIDs and inducing core dumps.

Otherwise, this is still nice to have for forensic purposes/log analysis, so that sources of core dumps are more obvious.

Apply relevant CPU exploit mitigations, May harm performance.

• smt-off: Enable CPU mitigations and disables symmetric multithreading.
• smt-on: Enable symmetric multithreading and just use default CPU mitigations, to potentially improve performance.
• off: Disables all CPU mitigations. May improve performance further, but is even more dangerous!

Harden eBPF against JIT spraying attacks, to reduce the risk of abuse because eBPF allows executing potentially dangerous code in the kernel.

Explicitly enable intel IOMMU to reduce risk of DMA attacks and other memory abuse.

Enable io_uring, is the cause of many vulnerabilities, and is disabled on Android + ChromeOS.

This may be desired for specific environments concerning Proxmox.

Enable or disable bypassing the IOMMU for direct memory access.

Could increase I/O performance on ARM64 systems, with risk.

If false, forces DMA to go through IOMMU to mitigate some DMA attacks.

If set to true, switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation as kCFI mandates hash validation at the source making it more difficult to bypass.

This is in contrast to FineIBT which was made the default in kernel 6.2 due to its performance benefits as it only performs hash checks at the destinations.

Prevent replacing the running kernel with kexec for security reasons.

On other distributions, kexec is most notably used for updating the Linux kernel without rebooting, however, NixOS does not support this.

A comprehensive list of usecases is not feasible, but consider consulting the following references as well as upstream documentation where necessary:

• https://docs.kernel.org/admin-guide/mm/kho.html
• https://github.com/NixOS/nixpkgs/issues/10726
• https://docs.kernel.org/admin-guide/kdump/kdump.html

If set to true, enable the kernel "Electric-Fence" sampling-based memory safety error to detect heap out-of-bounds access, use-after-free, and invalid-free errors.

Enable linux kernel lockdown, this blocks loading of unsigned kernel modules and breaks hibernation.

Requires all kernel modules to be signed. This prevents out-of-tree kernel modules from working unless signed.

Intentionally induce kernel panics on "oops" errors and above, to limit the extent of certain exploits which trigger kernel oopses.

Make page allocations less predicatable by randomizing freelists.

Restrict perf subsystem access to reduce attack surface.

Restrict perf subsystem usage (activity) to reduce attack surface.

Enable Page Table Isolation (PTI) to mitigate some KASLR bypasses and the Meltdown CPU vulnerability. It may also tax performance.

Randomize the kernel's stack offset on every syscall, to make attacks relying on predicting the location of the kernel's stack more difficult.

Restrict eBPF to CAP_BPF in order to prevent abuse by unprivileged users.

Restrict TTY line discipline loading to CAP_SYS_MODULE to prevent unprivileged users from loading insecure line disciplines.

Set to true to modify the "slab_debug" boot parameter to enable red zoning and sanity checks to detect memory corruption.

Adds significant overhead to memory allocation.

Set to false to disable slab merging to make it harder to influence the slab cache layout and compartmentalize the damage of certain memory attacks by limiting influence to individual caches.

Enable and force the IOMMU to be used to reduce the risk of DMA attacks, and strictly invalidate TLBs to prevent abuse of stale data.

Control the magic SysRq key functionality of the Linux kernel.

It is a 'magical' key combo you can hit which the kernel will respond to regardless of whatever else it is doing, unless it is completely locked up.

• none: Keep the default configuration of your kernel.
• off: Disables sysrq completely.
• sak: Enable SAK (Secure Attention Key).

If false, disable TIOCSTI because it's used to inject arbitrary characters and potentially lead to privilege escalation.

Already disabled by default on modern (>=6.2) Linux kernel versions, but included for future reference.

May break outdated screen readers relying on legacy functionality, but because of the above reasoning, this will never be considered for the compatibility preset.

If set to false, limit access to userfaultfd() syscall to the CAP_SYS_PTRACE capability.

userfaultfd has been used for use-after-free exploits in the past.

If set to false, disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings as these are a legacy compatibility feature for superseded glibc versions.

If set to false, Disable vsyscalls, which are obsolete and create static memory locations that are easy to exploit.

Zero memory during both allocation and free time to help mitigate use-after-free exploits.

Configure miscellaneous settings, usually additional software.

Set to false to disable bootloader editors, to prevent access to the root shell or otherwise weakening security by tampering with boot parameters.

Make DNS connections fail if not using a DNS server supporting DNSSEC.

Limit access to nix commands to users with the "wheel" group ("sudoers").

If false, may be useful for allowing a non-wheel user to, for example, use devshell.

Settings for the network.

Always use the best local address for announcing local IP via ARP.

Seems to be most restrictive option.

Drop Gratuitous ARP frames to prevent ARP poisoning.

This can cause issues when ARP proxies are used in the network.

Enable ARP filtering in the kernel to prevent the Linux kernel from handling the ARP table globally and mitigate some ARP spoofing and ARP cache poisoning attacks.

Ignore/don't reply to specific ARP requests to limit scope of ARP spoofing.

This may break certain VM networking configurations if set to 'link,' which can be fixed by setting to 'local' or 'none.'

However, such a regression has been intentionally excluded from the compatibility preset unless new information or usecases are made apparent, given that this issue appears to be isolated to niche setups which NixOS is not known or advisable to be used for.

• none: Keep the default configuration of your kernel.
• local: Reply only if the target IP address is within the local address range configured on the incoming interface
• link: Reply only if the target IP is on the same link.

Set to false to ignore all ICMPv6 and ICMPv4 echo and timestamp requests sent to broadcast/multicast/anycast.

Makes system slightly harder to enumerate on a network.

::: .{note} Redundant with nix-mineral.settings.network.icmp.ignore-all enabled. :::

Set to true to ignore all ICMPv6 and ICMPv4 echo and timestamp requests.

Makes system slightly harder to enumerate on a network.

You will not be able to ping this computer with ICMP packets if this is enabled.

Ignore bogus ICMP error responses to reduce potential system impact caused by spammed error responses.

Set to false to disable ICMP redirects to prevent some MITM attacks.

::: .{note} See:

• https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked :::

Use secure ICMP redirects by default.

Enable or disable IP forwarding.

::: .{warning} If false, this may cause issues with certain VM networking, and must be true if the system is meant to function as a router. :::

Enable IPv6 Privacy Extensions (RFC3041) and prefer the temporary address.

Inclusive a "kitchen sink" config to enable privacy extensions in relevant daemons. If you do not use these, nothing will happen.

If you use alternative daemons or replacements, considering looking at upstream documentation or filing a PR to add their configurations here.

::: .{note} GrapheneOS devs seem to believe it is relevant to use IPV6 privacy extensions alongside MAC randomization, so consider doing both where applicable. https://grapheneos.org/features#wifi-privacy :::

Log packets with impossible addresses to kernel log.

No active security benefit, just makes it easier to spot a DDOS/DOS by giving extra logs.

This may worsen performance due to the additional logging.

Number of global unicast IPv6 addresses can be assigned to each interface.

Set this to false to disable this option entirely.

Number of IPv6 duplicate address detection neighbor solicitations to send out per address.

See RFC4681 for details.

Set this to false to disable this option entirely.

If set to true, randomize mac addressees to improve privacy.

RFC1337 protects from TIME-WAIT assassination attacks by dropping TCP RST packets when in the TIME-WAIT state.

This protects against some potention DoS attacks which could cause TCP connections to drop given specific circumstances or crafted packets.

IPv6 router advertisements which are accepted.

Malicious router advertisements have the potential to create a MITM attack by modifying the default gateway, cause a DoS/DDoS attack when flooded, or initiate unauthorized IPv6 access.

• off: Disable all IPv6 router advertisements.
• restrict: Restrict the parameters of IPv6 router advertisements which are accepted.
• on: Enable all IPv6 router advertisements (effectively, do nothing).

Router advertisements are never authenticated, and can be sent and received by any device on the local network.

Number of IPv6 Router Solicitations to send until assuming no routers are present.

Setting to 0 limits outgoing traffic on the network, and reduces the frequecy of IPv6 router advertisements received.

See RFC4681 for details.

Set this to false to disable this option entirely.

Validate source IPs of packets received on the machine, protecting from IP spoofing.

Enable sending and receiving of shared media redirects.

This setting overwrites net.ipv4.conf.all.secure_redirects.

Refer to RFC1620

Disable source routing if set to false, since it allows for redirecting network traffic and potentially creating a man in the middle attack.

Use syncookies to help protect against SYN flooding, a type DoS attack.

Set to false to disable TCP SACK, which has been used for DoS attacks and been exploited in the past.

Rarely used, but can reduce networking performance if disabled in certain applications.

Enables TCP timestamps.

Disabling prevents leaking system time, enabling protects against wrapped sequence numbers and improves performance.

Disabling implicitly disables reuse of TIME_WAIT sockets, as they depend on TCP timestamps which may lead to corruption and an inability to detect duplicate packets. It may also result in port exhaustion as ports may not be immediately reused.

There are possible information leaks when timestamps are enabled. Offset randomization used by default prevents uptime prediction, but the rate of incrementing timestamps can be used in some advanced attacks to predict the current clock speed of a running system.

Because nix-mineral has different priorities to Whonix, which influences Kicksecure's development, we choose not to disable timestamps by default since clock speed fingerprinting is not a useful threat to most people; if it is important, it is probably smarter to use another Linux distribution entirely.

Modify pluggable authentication module (PAM) settings.

Add/increase the delay to failed logins into the system.

The default for nix-mineral is 4 seconds, or 4000000 microseconds.

Modify hashing rounds for /etc/shadow; this doesn't automatically rehash your passwords, you'll need to set passwords for your accounts again for this to work.

If you declaratively set passwords with a secret manager, consider using a good number (65536) of hashing rounds or more for resilience to password cracking.

Set this to false to disable this option entirely.

Set to true to require wheel to use su and su-l, to reduce the risk of privilege escalation e.g from service accounts which have been maliciously hijacked and used for a shell.

Settings for the system.

Prevent creation of files in world writable directories under certain circumstances to limit spoofing attacks.

Protect hardlinks and softlinks to prevent TOCTOU attacks.

Prevent users from hardlinking to files they can't read/write to.

Allows symlinks to be followed only outside world writable directories, when the owner and follower match, or when the directory and symlink owner match.

Allow or disallow mmap in lower addresses.

Disallowing mmap in lower addresses reduces the risk that incorrect memory allocations could tamper with the kernel, but may also cause compatibility issues with certain legacy software.

Enable multilib support, allowing 32-bit libraries and applications to run.

Configure whether processes can modify their own memory mappings or not, which could be used for some exploits.

See: https://github.com/Kicksecure/security-misc/pull/332

none - Keep the default configuration of your kernel. ptrace - Only allow modification of memory mappings using ptrace. Affected by the "yama" option. never - Do not allow modifying memory mappings at all.

Yama restricts ptrace, which allows processes to read and modify the memory of other processes. This has obvious security implications.

ptrace may be required for specific debugging or certain video game anti cheats. Usually, the 'relaxed' option avoids most breakage.

• none: Keep the default configuration of your kernel.
• relaxed: Only allow parent processes to ptrace child processes.
• restricted: No processes may be traced with ptrace.