Out of curiosity, I scanned my VPS with lynis. These are some of the suggestions:
* Determine if protocol 'dccp' is really needed on this system [NETW-3200]
https://cisofy.com/lynis/controls/NETW-3200/
* Determine if protocol 'sctp' is really needed on this system [NETW-3200]
https://cisofy.com/lynis/controls/NETW-3200/
* Determine if protocol 'rds' is really needed on this system [NETW-3200]
https://cisofy.com/lynis/controls/NETW-3200/
* Determine if protocol 'tipc' is really needed on this system [NETW-3200]
https://cisofy.com/lynis/controls/NETW-3200/
And this is my configuration, but it seems like adding it doesn’t work.

```nix
environment.etc = {
  "modprobe.d/CIS.conf".text = ''
    install tipc true
    install sctp true
    install dccp true
    install rds true
  '';
};
```
Is it possible to disable these protocols?
2 Likes
good question.
This stuff usually hangs out in https://github.com/NixOS/nixpkgs/blob/d1adf7652500d3ef98cdadb411b6aea20e2d4339/nixos/modules/profiles/hardened.nix
did you reboot? even if you did, this might get written after the system has booted, which is chicken and egg…
`boot.extraModprobeConfig` might give you what you want.
```nix
{ config, lib, pkgs, ... }:

with lib;

{
  ###### interface

  options = {
    boot.blacklistedKernelModules = mkOption {
      type = types.listOf types.str;
      default = [];
      example = [ "cirrusfb" "i2c_piix4" ];
      description = ''
        List of names of kernel modules that should not be loaded
        automatically by the hardware probing code.
      '';
    };
```

(This file has been truncated in the original post.)
I’ll test it in the morning…
1 Like
Oh thanks! I haven’t heard of this module before. I will have a read and give it a try too
1 Like
Is hardened.nix exposed for import? I am not able to find where it is callPackage’d, and importing like this doesn’t work:

```nix
({ pkgs, config, ... }: {
  import = [ pkgs.profiles.hardened ];
})
```
ilkecan
October 22, 2021, 10:10am
… expected usage is to add them to the imports list of your /etc/configuration.nix as such:

```nix
imports = [
  <nixpkgs/nixos/modules/profiles/profile-name.nix>
];
```
https://nixos.org/manual/nixos/unstable/#ch-profiles
I see. Is it possible to import this file without using a channel? I want to adhere to the structure of a flake and only get my file from inputs.
I don’t think flakes replace channels, instead they just let you use them in a purer way.
You could use the `modulesPath` argument of the module function like:

```nix
"${modulesPath}/profiles/hardened.nix"
```

or, you could use the flake input, which has `outPath` that can be coerced to:

```nix
"${inputs.nixpkgs}/nixos/modules/profiles/hardened.nix"
```
1 Like
True, in a purer way. I think the second one is perfect, thanks!
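A combined worked example, added here and not written by anyone in the thread, of the two things discussed above: disabling the lynis-flagged protocols with `boot.blacklistedKernelModules` plus `boot.extraModprobeConfig`, and importing `hardened.nix` through `modulesPath` from a flake. The file name and the choice of coreutils' `true` as the install command are my assumptions.

```nix
# Added example (hypothetical file, e.g. modules/net-hardening.nix), not code
# from any post in this thread. A flake-style NixOS module that imports the
# hardened profile via the `modulesPath` module argument (no channel needed)
# and disables the four protocols lynis flagged under NETW-3200.
{ pkgs, modulesPath, ... }:

{
  imports = [
    # modulesPath points at nixos/modules of whichever nixpkgs evaluates
    # this configuration, so it works from a flake without <nixpkgs>.
    # hardened.nix changes more than module loading (it also sets
    # security.lockKernelModules, among others), so read it before importing.
    "${modulesPath}/profiles/hardened.nix"
  ];

  # `blacklist` only stops modprobe from loading a module through an alias,
  # e.g. when a program calls socket(AF_INET, SOCK_DCCP, ...).  An explicit
  # `modprobe dccp` by root would still succeed.
  boot.blacklistedKernelModules = [ "dccp" "sctp" "rds" "tipc" ];

  # `install <module> <command>` makes modprobe run <command> instead of
  # loading the module, so even an explicit modprobe becomes a no-op.
  # NixOS has no /bin/true, hence the store path (assumption: coreutils).
  # This ends up in /etc/modprobe.d/nixos.conf.
  boot.extraModprobeConfig = ''
    install dccp ${pkgs.coreutils}/bin/true
    install sctp ${pkgs.coreutils}/bin/true
    install rds  ${pkgs.coreutils}/bin/true
    install tipc ${pkgs.coreutils}/bin/true
  '';
}
```

After `nixos-rebuild switch`, `modprobe -n -v dccp` (dry run) should print the install command rather than an `insmod` line, which is the state the NETW-3200 check is looking for.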