Meeting 1: Initial Project Design

[JeremiahSecrist]

Date written: 04 December 2023 Authors: JeremiahSecrist, AkechiShiro Meeting duration : 1 hour, 30 minutes

Project Goal

This project aims to implement Compliance as code via NixOS language. Which aim to implement and enforce best practices.

NixOS relevant features :

• Fail a build
  • config = { assertions = []}; warnings= [];
  • https://nlewo.github.io/nixos-manual-sphinx/development/assertions.xml.html
• Warn of a change

Problem on types assertion vs warning

• Work on :
  • An adapter
  • Or work on a PoC for a change upstream (assertion type = warning type)
  • source in Nixpkgs of assertions.nix

Handling evaluation checks vs runtime checks

#override feature
rules.mountpoints."/etc must be seperate" = {
   enforceLevel = 0;
    #0 = disable
    #1 = warn
    #2 = enforce
    evaluationCheck = (true or false);
    # TBD
    runtimeCheck = ;
    meta = { 
    errorMessage = type str "mountpoint isn't seperated from /"; # why the rule failed
    ruleNumber.<UID> = type str or type int; 
    };
};

Def of organizations

organizations = {
    UID = { #TODO find a standardised method of this
        # Define ruleset CIS Independent Linux 2.0
        CIS-0 = {
            org = "CIS";
            revision = "2.0";
            flavour = "Independent Linux";
            url = "https://downloads.cis...";
            maintainers = [];
        };
    };
};

UX

nix.security.profile.CIS-0 = {
    enable = true;
    # TODO: a structure to override rules
    enforceLevel = 1 or 2;
};

Solution for runtime checks

• Activation Scripts runs after the evaluation of the configuration, allows running runtime check.
• Example : checks if freevxfs is loaded lsmod | grep -q freevxfs

stretch feature: report card document

Path outside Nix store or inside Nix store : /etc/nixos/security-report.card

• X check N°1
• V check N°250

Could make an Excel spreadsheet XLSX