more complete final notes

nixos-config-re
Alexander Tomokhov 2023-06-22 06:56:59 +04:00
parent 2b55461d8a
commit 8c455ba126
1 changed files with 4 additions and 4 deletions


@ -1,4 +1,4 @@
# hardening of systemd services in NixOS
# systemd services in NixOS and hardening of them
## introduction
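Review bot: the new title "systemd services in NixOS and hardening of them" reads less naturally than the one it replaces; if the intent is to signal that the document covers systemd services in NixOS generally and not only their hardening, "systemd services in NixOS and their hardening" carries that meaning in plain English.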
@ -118,13 +118,13 @@ There is [no universal way](https://github.com/NixOS/nixpkgs/pull/87661#issuecom
## unsolved problems
`confinement.enable` NixOS option is not compatible with systemd's `ProtectSystem`.
`systemd.services.<name>.confinement.enable` NixOS option is not compatible with systemd's `ProtectSystem`.
## final notes
Systemd hardening is just a part of measures to be taken to narrow the potential threat landscape and risks for a server. Ideally, vulnerabilities scanning, penetration testing, unauthorized access prevention and security audits should be involved. Take advantage of monitoring tools and respond quickly, according to a rescue plan to mitigate the impact of incidents. This might include restoring system from backups, keys and passwords reset, etc. Keep running software up to date and respond to CVEs ([deploying software with patches is easy in NixOS](https://nixos.wiki/wiki/Overlays#Adding_patches) in case it hasn't been already patched). Have a business continuity plan.
Systemd hardening is just a part of measures to be taken to narrow the potential threat landscape and risks for a server. Ideally, vulnerabilities scanning, penetration testing, unauthorized access prevention and security audits should be involved. Take advantage of monitoring tools and respond quickly, according to a rescue plan to mitigate the impact of incidents. This might include restoring system from backups, keys and passwords reset, etc. Keep running software up to date and respond to CVEs ([deploying software with patches is easy in NixOS](https://nixos.wiki/wiki/Overlays#Adding_patches) in case it hasn't been already patched). Have a business continuity plan. Many measures must not be ad-hoc, but rather systematic to stay vigilant against emerging threats.
#In order for the actions (measures?) taken not to be ad-hoc, but rather systematic.
As for NixOS, it also features `security.apparmor`, `security.audit` and even `programs.firejail` options which might help in building a more secure system.
## related resources
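Review bot: the added line `#In order for the actions (measures?) taken not to be ad-hoc, but rather systematic.` looks like a leftover draft note, and because it begins with `#` Markdown will render it as a level-1 heading in the middle of the final notes; either drop it, since the preceding paragraph already ends with "Many measures must not be ad-hoc, but rather systematic to stay vigilant against emerging threats.", or wrap it in an HTML comment (`<!-- ... -->`) if it is meant as a reminder to yourself. While this paragraph is being touched, "vulnerabilities scanning" should read "vulnerability scanning", and "restoring system from backups, keys and passwords reset" reads better as "restoring the system from backups, resetting keys and passwords". Spelling out the full option path `systemd.services.<name>.confinement.enable` in the unsolved-problems entry is a good change.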