From 8c455ba126ede10252d0d1050e770e3dbad8ce39 Mon Sep 17 00:00:00 2001 From: Alexander Tomokhov Date: Thu, 22 Jun 2023 06:56:59 +0400 Subject: [PATCH] more complete final notes --- article.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/article.md b/article.md index 30a66a6..8568a14 100644 --- a/article.md +++ b/article.md @@ -1,4 +1,4 @@ -# hardening of systemd services in NixOS +# systemd services in NixOS and hardening of them ## introduction 
@@ -118,13 +118,13 @@ There is [no universal way](https://github.com/NixOS/nixpkgs/pull/87661#issuecom ## unsolved problems -`confinement.enable` NixOS option is not compatible with systemd's `ProtectSystem`. +`systemd.services..confinement.enable` NixOS option is not compatible with systemd's `ProtectSystem`. ## final notes -Systemd hardening is just a part of measures to be taken to narrow the potential threat landscape and risks for a server. Ideally, vulnerabilities scanning, penetration testing, unauthorized access prevention and security audits should be involved. Take advantage of monitoring tools and respond quickly, according to a rescue plan to mitigate the impact of incidents. This might include restoring system from backups, keys and passwords reset, etc. Keep running software up to date and respond to CVEs ([deploying software with patches is easy in NixOS](https://nixos.wiki/wiki/Overlays#Adding_patches) in case it hasn't been already patched). Have a business continuity plan. +Systemd hardening is just a part of measures to be taken to narrow the potential threat landscape and risks for a server. Ideally, vulnerabilities scanning, penetration testing, unauthorized access prevention and security audits should be involved. Take advantage of monitoring tools and respond quickly, according to a rescue plan to mitigate the impact of incidents. This might include restoring system from backups, keys and passwords reset, etc. Keep running software up to date and respond to CVEs ([deploying software with patches is easy in NixOS](https://nixos.wiki/wiki/Overlays#Adding_patches) in case it hasn't been already patched). Have a business continuity plan. Many measures must not be ad-hoc, but rather systematic to stay vigilant against emerging threats. -#In order for the actions (measures?) taken not to be ad-hoc, but rather systematic. 
+As for NixOS, it also features `security.apparmor`, `security.audit` and even `programs.firejail` options which might help in building a more secure system. ## related resources
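Review bot: in the first hunk (`@@ -1,4 +1,4 @@`) the new title "systemd services in NixOS and hardening of them" is awkward English; "hardening of them" should be "how to harden them", e.g. `# systemd services in NixOS and how to harden them`. If the intent is only to signal that the article also introduces systemd services before hardening them, consider a subtitle or a sentence in the introduction rather than stretching the H1, which also serves as the page title in rendered output.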
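Review bot: in the second hunk (`@@ -118,13 +118,13 @@`) the rewritten option path `systemd.services..confinement.enable` contains an empty path component: the placeholder for the unit name was dropped between the two dots, so the text now names an option that cannot exist. Use the placeholder form from the NixOS options manual, e.g. `systemd.services.<name>.confinement.enable`, so readers can match it against `nixos-option` or the manual. Two smaller points in the same hunk: the appended sentence "Many measures must not be ad-hoc, but rather systematic to stay vigilant against emerging threats" attaches "stay vigilant" to the measures rather than to the operator; consider "These measures should be systematic rather than ad hoc, so that you stay vigilant against emerging threats." Removing the leftover draft line starting with `#In order for the actions (measures?)` is correct, since as a Markdown heading it would have rendered as an H1.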