some obvious fixes

nixos-config-re
Alexander Tomokhov 2023-07-10 17:44:08 +04:00
parent faec2609c7
commit 7b01e603c2
1 changed files with 10 additions and 8 deletions

@ -1,4 +1,4 @@
# systemd services in NixOS and tips for hardening of them
# tips for systemd services management and hardening in NixOS
## introduction
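Review bot: the new title still has a small grammar issue: "systemd services management" should be "systemd service management" (noun used attributively stays singular). Suggest `# tips for systemd service management and hardening in NixOS`.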
@ -167,7 +167,8 @@ systemd.services.netdata.serviceConfig = {
#### blocking outgoing internet connections (not achievable by systemd options)
The idea here is to keep responding to incoming requests for a service, but forbid any outgoing connections, initiated by itself. When it comes to a more sophisticated firewall, systemd is not capable of such granular control. So, `iptables` configuration will be aimed at a specific user, which runs the service:
The idea here is to keep responding to incoming requests for a service, but forbid any outgoing connections, initiated by itself. When it comes to a more sophisticated firewall, systemd is not capable of such granular control.
`iptables` can match packets generated by specific user, which runs the service:
```nix
networking.firewall = {
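Review bot: the rewritten sentence "`iptables` can match packets generated by specific user, which runs the service" is missing an article and drops the prerequisite that the old wording made explicit, namely that the rule only works when the service actually runs under its own dedicated user. Suggest: "`iptables` can match packets generated by a specific user, so the rule below targets the user the service runs as:". It would also help readers to say here that this matches only locally generated (outgoing) traffic, which is exactly why it complements the incoming-request behaviour described in the first sentence.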
@ -194,15 +195,16 @@ _By specifying `1`, we're instructing `iptables` to insert the rule at the begin
- `systemctl status <name>` - unit state, started/stopped timestamps , running processes, etc
- `systemctl cat <name>` - contents of a systemd unit file, generated by NixOS
- `systemctl show <name>` - actual properties of a systemd unit in effect
- `journalctl -e -u <name>` - show logs for a unit, scrolled down to the most recent records
- `journalctl -u <name> -f` - to monitor systemd service output in real time (by analogy with `tail -f`)
- `journalctl -b-1 -u <name>` - in case you want to see logs only for previous boot
- `systemd-analyze security` - show security summary for all running services ("`SAFE`", "`EXPOSED`" and "`UNSAFE`" do not mean the factual situation, rather whether various systemd hardedning features are in use or not)
- `systemd-analyze security <name>` - show more detailed analysis for the specified service
- `systemd-analyze security` - show security summary for all running services ("`SAFE`", "`EXPOSED`" and "`UNSAFE`" do not mean the factual situation, rather whether various systemd hardening features are in use or not)
- `systemd-analyze security <name>` - show more detailed analysis for the specified service, indicating which options might be set
- `htop` using tree view (`F5`) - to inspect the whole tree of processes/threads (`nix-shell -p htop --run htop` if you don't have it installed)
### cgroups
#### cgroups
[`cgroups`](https://en.wikipedia.org/wiki/Cgroups) (control groups) linux feature powers systemd. And it allows to have unified control over a collection of processes within a single service. `systemd-ctop` shows top control groups by their resource usage (output can be sorted by utilization of CPU, memory, IO load, number of tasks). It can be a good alternative to `top`/`htop`, because on a server we often care about service entities as a whole, rather than numerous processes, which stats are hard to sum up in mind.
[`cgroups`](https://en.wikipedia.org/wiki/Cgroups) (control groups) linux feature powers systemd. And it allows to have unified control over a collection of processes within a single service. `systemd-cgtop` shows top control groups by their resource usage (output can be sorted by utilization of CPU, memory, IO load, number of tasks). It can be a good alternative to `top`/`htop`, because on a server we often care about service entities as a whole, rather than numerous processes, whose stats are hard to sum up in mind.
Just in case, note that enabling `netdata` service in NixOS enables `systemd.enableCgroupAccounting`, which in turn [enables these options in `systemd.conf`](https://github.com/NixOS/nixpkgs/blob/c223f49e6d4b4684286b8d2f9b2325930a4f62ff/nixos/modules/system/boot/systemd.nix#L493):
```
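Review bot: `systemd-cgtop` is the correct command name, so that correction is the important one in this hunk and should stay. While this paragraph is being touched, "linux feature powers systemd. And it allows to have unified control" still reads awkwardly; suggest "The Linux cgroups (control groups) feature underpins systemd and gives it unified control over all processes of a single service." Minor nit in the unchanged context: "started/stopped timestamps , running processes" has a stray space before the comma.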
@ -221,7 +223,7 @@ $ ls -l /home
total 0
drwx------ 1 alex users 1126 2023-06-21 19:26 alex
sudo systemd-run -p ProtectHome=yes --shell
$ sudo systemd-run -p ProtectHome=yes --shell
Running as unit: run-u2544.service
Press ^] three times within 1s to disconnect TTY.
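Review bot: adding the `$ ` prompt makes the command consistent with the `$ ls -l /home` line above, good. Since the demo is run through `sudo` with `ProtectHome=yes`, the text should state explicitly what the reader is expected to see from `ls /home` inside the transient shell, otherwise the contrast with the preceding listing (which shows the `alex` directory) is left for the reader to infer.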
@ -249,7 +251,7 @@ With the help of [`tmux`](https://github.com/tmux/tmux/wiki/Getting-Started) you
## unsolved problems
As of 2023-07-01 [`systemd.services.<name>.confinement.enable` NixOS option](https://search.nixos.org/options?channel=unstable&show=systemd.services.%3Cname%3E.confinement.enable&from=0&size=50&sort=relevance&type=packages&query=systemd.services.%3Cname%3E.confinement) [is not compatible with systemd's `ProtectSystem`](https://discourse.nixos.org/t/nixos-policy-regarding-systemd-confinement/18976).
As of 2023-07-10 [`systemd.services.<name>.confinement.enable` NixOS option](https://search.nixos.org/options?channel=unstable&show=systemd.services.%3Cname%3E.confinement.enable&from=0&size=50&sort=relevance&type=packages&query=systemd.services.%3Cname%3E.confinement) [is not compatible with systemd's `ProtectSystem`](https://discourse.nixos.org/t/nixos-policy-regarding-systemd-confinement/18976).
## final notes
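Review bot: bumping only the "As of" date does not tell the reader what was re-checked. Suggest stating alongside the date which NixOS channel or nixpkgs revision the incompatibility between `confinement.enable` and `ProtectSystem` was verified against, so the note can be re-validated later; the linked Discourse thread is the right place to point for status updates.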