cynicsketch / nix-mineral

Conveniently and reasonably harden NixOS.
MIT License
64 stars, 4 forks

Harden systemd services #15

Open wyyllou opened 1 month ago

wyyllou commented 1 month ago

The NixOS default security configuration for systemd services is very lax.

(systemd-analyze security = 😨😨😨😨😨😨😨😨😨😨😨😨😨) [image]

If you look at https://xeiaso.net/blog/paranoid-nixos-2021-07-18/ (section "Lock Down Services Within Systemd"), it advises increasing the security settings of systemd services.

I believe developing higher security serviceConfigs for the most commonly used services would be a good use of resources (and they might get upstreamed to nixpkgs later :D)

cynicsketch commented 1 month ago

We could start by taking from here: https://www.reddit.com/r/NixOS/comments/1aqck9l/systemd_hardening_some_preconfigured_options_d/

wyyllou commented 1 month ago

We could start by taking from here: reddit.com/r/NixOS/comments/1aqck9l/systemd_hardening_some_preconfigured_options_d

wow, nice find! - and good idea

wyyllou commented 1 month ago

An additional idea is applying a blanket light profile to all services, that is very unlikely to break. Or making other profiles that are exposed for the user to use in their own services.
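The two ideas raised so far (higher-security serviceConfigs for common services, and a light blanket profile plus user-facing profiles) can both be expressed as a small NixOS module. The following is an added example written for this thread, not code from nix-mineral or from anyone in the discussion; the option names under `nix-mineral-example.*` are hypothetical, while every key inside the profiles is a real systemd `[Service]` directive. The profiles are applied with `mkDefault`, so a service's own `serviceConfig` still wins when it sets the same key.

```nix
# Added example, not part of nix-mineral: two reusable systemd hardening
# profiles and a module that applies them to user-chosen services.
{ config, lib, ... }:

let
  cfg = config.nix-mineral-example.systemdHardening;  # hypothetical option path

  # Light profile: directives that rarely break an ordinary daemon.
  # The main known exception is ProtectKernelModules, which breaks services
  # that load kernel modules themselves (container/VM managers).
  lightProfile = {
    NoNewPrivileges = true;        # no setuid/fscaps escalation across execve
    PrivateTmp = true;             # private /tmp and /var/tmp
    ProtectKernelTunables = true;  # /proc/sys and /sys read-only
    ProtectKernelModules = true;   # no module loading
    ProtectKernelLogs = true;      # no kernel ring buffer access
    ProtectControlGroups = true;   # /sys/fs/cgroup read-only
    ProtectClock = true;           # no clock changes
    ProtectHostname = true;        # no hostname changes
    RestrictRealtime = true;       # no realtime scheduling
    RestrictSUIDSGID = true;       # cannot create setuid/setgid files
    LockPersonality = true;        # no personality(2) changes
  };

  # Strict profile: opt in per service; expect to add ReadWritePaths,
  # extra address families or syscall groups for services that need them.
  strictProfile = lightProfile // {
    ProtectSystem = "strict";      # whole FS read-only except ReadWritePaths
    ProtectHome = true;            # /home, /root, /run/user hidden
    PrivateDevices = true;         # minimal private /dev
    ProtectProc = "invisible";     # other users' processes hidden in /proc
    ProcSubset = "pid";            # only /proc/<pid> entries visible
    RestrictNamespaces = true;     # no new user/net/mount namespaces
    RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
    MemoryDenyWriteExecute = true; # breaks JIT runtimes (JVM, Node, ...)
    SystemCallArchitectures = "native";
    SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
    CapabilityBoundingSet = "";    # drop all capabilities
    AmbientCapabilities = "";
    RemoveIPC = true;              # clean up SysV/POSIX IPC on stop
    UMask = "0077";
  };
in
{
  options.nix-mineral-example.systemdHardening = {
    lightServices = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = "Unit names (without .service) that get the light profile.";
    };
    strictServices = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = "Unit names (without .service) that get the strict profile.";
    };
  };

  config = {
    systemd.services = lib.mkMerge [
      (lib.genAttrs cfg.lightServices (_: {
        # mkDefault on every key: the service's own settings take precedence.
        serviceConfig = lib.mapAttrs (_: lib.mkDefault) lightProfile;
      }))
      (lib.genAttrs cfg.strictServices (_: {
        serviceConfig = lib.mapAttrs (_: lib.mkDefault) strictProfile;
      }))
    ];
  };
}
```

Usage in a host configuration is just `nix-mineral-example.systemdHardening.lightServices = [ "nginx" "postgresql" ];` and `strictServices = [ "my-daemon" ];` (keep the two lists disjoint, since both profiles set keys at the same `mkDefault` priority). After a rebuild, `systemd-analyze security <unit>` shows which directives still count against the unit, which is the quickest way to see where the whitelist whack-a-mole for a given service actually starts.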

wyyllou commented 1 month ago

By the way, stuff like this (proposed additional security options) might be better organized(?) if it used GitHub's "discussions" feature, since it isn't an "issue" with the project, per se, and is something you need to discuss. Although that is obviously at your discretion, since it would add a little more complexity to the repository.

cynicsketch commented 1 month ago

An additional idea is applying a blanket light profile to all services, that is very unlikely to break. Or making other profiles that are exposed for the user to use in their own services.

Sounds good, but I'm not 100% sure about how to start with that, or if that'd even be fundamentally possible before turning it into whitelist whack-a-mole. I'd have to do more research on systemd hardening first.

By the way, stuff like this (proposed additional security options) might be better organized(?) if it used GitHub's "discussions" feature, since it isn't an "issue" with the project, per se, and is something you need to discuss. Although that is obviously at your discretion, since it would add a little more complexity to the repository.

I don't personally care. People have put, and will continue to put, suggestions in issues, and developers will continue to just make an issue tag for feature-request or whatever other name they may create, even in big tech projects.

wyyllou commented 1 month ago

... even in big tech projects.

I actually didn't know that, but it makes sense and is good for simplicity :)