cncf / cluster

🖥🖥🖥🖥CNCF Community Cluster
https://cncf.io/cluster

Run NixOS tests to improve security configuration #215

Closed thejohncrafter closed 4 months ago

thejohncrafter commented 2 years ago

First and Last Name

Julien Marquet-Wagner

Email

j@recursor.wf

Company/Organization

Independent Contributor, with support from the NLnet Foundation

Job Title

Software Engineer

Project Title (i.e., a summary of what do you want to do, not what is the name of the open source project you're working with)

Improve the security of NixOS services by automatically discovering the best possible sandboxing configuration. The idea is, for each systemd service defined in NixOS, to find the "most secure" configuration that keeps each test passing (assuming the tests pass means the service is working) by exploring the possible configurations and running every test at each step of the exploration.

Briefly describe the project (i.e., what is the detail of what you're planning to do with these servers?)

I need a bare metal server to run the tests, because NixOS tests spawn (possibly many) VMs.

Is the code that you’re going to run 100% open source? If so, what is the URL or URLs where it is located? What is your association with that project?

Project: https://github.com/thejohncrafter/nixos-harden-systemd/

Current state of NixOS services with respect to hardening configuration (based on the work I've done so far): https://recursor.wf/services-info.html

What kind of machines and how many do you expect to use (see: https://metal.equinix.com/product/servers/)?

1x m3.small.x86 should suffice (I only have a minor worry about disk space, but it should not be a problem if I optimize my tests).

What operating system and networking are you planning to use?

NixOS

Any other relevant details we should know about?

None
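
One way to implement the exploration described in the request above, as an added example that is not code from nixos-harden-systemd: a greedy search that raises each systemd sandboxing directive one level at a time and keeps a level only while the tests pass. The directive names are real `systemd.exec(5)` options (a subset of their levels is listed); the greedy strategy, the function names, and the `simulated_tests` oracle standing in for a NixOS VM test run are assumptions made for illustration.

```python
# Added illustration: greedy search for the strictest systemd sandboxing
# options that keep a service's tests passing. Not the project's own code.
from typing import Callable, Dict, List, Tuple

# systemd.exec(5) directives, each listed from least to most restrictive.
CANDIDATES: List[Tuple[str, List[str]]] = [
    ("NoNewPrivileges", ["no", "yes"]),
    ("PrivateTmp", ["no", "yes"]),
    ("PrivateDevices", ["no", "yes"]),
    ("ProtectHome", ["no", "read-only", "yes"]),
    ("ProtectSystem", ["no", "yes", "full", "strict"]),
]

def harden(run_tests: Callable[[Dict[str, str]], bool]) -> Dict[str, str]:
    """Raise each directive level by level, keeping a level only if tests pass."""
    config = {name: levels[0] for name, levels in CANDIDATES}
    if not run_tests(config):
        raise RuntimeError("tests fail before any hardening; nothing to explore")
    for name, levels in CANDIDATES:
        for level in levels[1:]:
            trial = {**config, name: level}
            if not run_tests(trial):
                break  # assumption: stricter levels of this directive fail too
            config = trial
    return config

def render_dropin(config: Dict[str, str]) -> str:
    """Format the accepted settings as a systemd drop-in [Service] section."""
    lines = [f"{k}={v}" for k, v in config.items() if v != "no"]
    return "[Service]\n" + "\n".join(lines) + "\n"

# Constructed stand-in for a NixOS VM test: a hypothetical service that writes
# under /var/lib (read-only under ProtectSystem=strict) and opens a physical
# device node (hidden by PrivateDevices=yes).
def simulated_tests(config: Dict[str, str]) -> bool:
    if config["ProtectSystem"] == "strict":
        return False
    if config["PrivateDevices"] == "yes":
        return False
    return True

if __name__ == "__main__":
    print(render_dropin(harden(simulated_tests)))
```

Each trial includes every setting accepted so far, so the returned configuration is one the tests have actually passed as a whole.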

thejohncrafter commented 2 years ago

Hi @caniszczyk @idvoretskyi, what can I do to bring this request further? :)

vielmetti commented 9 months ago

This issue is old, and the work (while interesting) is out of the CNCF scope. I recommend that we close it as "not done".

idvoretskyi commented 4 months ago

I believe we may close it.