How to disable dccp, sctp, rds and tipc in NixOS?

winston0410 · October 21, 2021, 9:18pm

Out of curiosity, I scanned my VPS with lynis. These are some of the suggestions:


  * Determine if protocol 'dccp' is really needed on this system [NETW-3200]
      https://cisofy.com/lynis/controls/NETW-3200/

  * Determine if protocol 'sctp' is really needed on this system [NETW-3200]
      https://cisofy.com/lynis/controls/NETW-3200/

  * Determine if protocol 'rds' is really needed on this system [NETW-3200]
      https://cisofy.com/lynis/controls/NETW-3200/

  * Determine if protocol 'tipc' is really needed on this system [NETW-3200]
      https://cisofy.com/lynis/controls/NETW-3200/

And this is my configuration, but seems like adding it doesn’t work.

  environment.etc = {
    "modprobe.d/CIS.conf".text = ''
    install tipc true
    install sctp true
    install dccp true
    install rds  true
    '';
  };

Is it possible to disable these protocols?

nixinator · October 22, 2021, 12:25am

good question.

This stuff usually hang out in https://github.com/NixOS/nixpkgs/blob/d1adf7652500d3ef98cdadb411b6aea20e2d4339/nixos/modules/profiles/hardened.nix

did you reboot? even if you did, this might get written after the system has booted, which is chicken and egg…

`boot.extraModprobeConfig`

might give you what you want.

github.com

NixOS/nixpkgs/blob/d1adf7652500d3ef98cdadb411b6aea20e2d4339/nixos/modules/system/boot/modprobe.nix

{ config, lib, pkgs, ... }:

with lib;

{

  ###### interface

  options = {

    boot.blacklistedKernelModules = mkOption {
      type = types.listOf types.str;
      default = [];
      example = [ "cirrusfb" "i2c_piix4" ];
      description = ''
        List of names of kernel modules that should not be loaded
        automatically by the hardware probing code.
      '';
    };

This file has been truncated. show original

i’ll test it in the morning…

winston0410 · October 22, 2021, 5:30am

Oh thanks! I haven’t heard of this module before. I will have a read and give it a try too

winston0410 · October 22, 2021, 6:19am

Is hardened.nix exposed for import? I am not able to find where it is callPackageed, and importing like this doesn’t work:

            ({ pkgs, config, ... }: {
              import = [ pkgs.profiles.hardened];
            }

ilkecan · October 22, 2021, 10:10am

… expected usage is to add them to the imports list of your /etc/configuration.nix as such:

imports = [
  <nixpkgs/nixos/modules/profiles/profile-name.nix>
];

https://nixos.org/manual/nixos/unstable/#ch-profiles

winston0410 · October 22, 2021, 5:11pm

I see. Is it possible to import this file without using channel? I want to adhere to the structure of a flake and only get my file from inputs.

ilkecan · October 22, 2021, 5:32pm

I don’t think flakes replace channels, instead they just let you use them in a purer way.

You could use the modulesPath argument of the module function like:

"${modulesPath}/profiles/hardened.nix"

or, you could use the flake input, which has outPath that can be coerced to:

"${inputs.nixpkgs}/nixos/modules/profiles/hardened.nix"

winston0410 · October 22, 2021, 6:56pm

True, in a purer way. I think the second one is perfert, thanks!