more complete final notes
parent
2b55461d8a
commit
8c455ba126
@ -1,4 +1,4 @@
|
|||
# hardening of systemd services in NixOS
|
||||
# systemd services in NixOS and hardening of them
|
||||
|
||||
## introduction
|
||||
|
||||
|
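Review bot: The new title "# systemd services in NixOS and hardening of them" reads more awkwardly than the one it replaces and buries the document's subject, which the rest of the page (the "## unsolved problems" and "## final notes" sections) treats as hardening rather than systemd services in general. Suggest a title that keeps hardening as the head noun and uses the document's lowercase heading style, e.g. `# hardening systemd services in NixOS`; if the intent of the rename is to signal that the introduction also covers how systemd services work in NixOS, a subtitle or the first sentence of "## introduction" is a better place for that than the H1.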
@ -118,13 +118,13 @@ There is [no universal way](https://github.com/NixOS/nixpkgs/pull/87661#issuecom
|
|||
|
||||
## unsolved problems
|
||||
|
||||
`confinement.enable` NixOS option is not compatible with systemd's `ProtectSystem`.
|
||||
`systemd.services.<name>.confinement.enable` NixOS option is not compatible with systemd's `ProtectSystem`.
|
||||
|
||||
## final notes
|
||||
|
||||
Systemd hardening is just a part of measures to be taken to narrow the potential threat landscape and risks for a server. Ideally, vulnerabilities scanning, penetration testing, unauthorized access prevention and security audits should be involved. Take advantage of monitoring tools and respond quickly, according to a rescue plan to mitigate the impact of incidents. This might include restoring system from backups, keys and passwords reset, etc. Keep running software up to date and respond to CVEs ([deploying software with patches is easy in NixOS](https://nixos.wiki/wiki/Overlays#Adding_patches) in case it hasn't been already patched). Have a business continuity plan.
|
||||
Systemd hardening is just a part of measures to be taken to narrow the potential threat landscape and risks for a server. Ideally, vulnerabilities scanning, penetration testing, unauthorized access prevention and security audits should be involved. Take advantage of monitoring tools and respond quickly, according to a rescue plan to mitigate the impact of incidents. This might include restoring system from backups, keys and passwords reset, etc. Keep running software up to date and respond to CVEs ([deploying software with patches is easy in NixOS](https://nixos.wiki/wiki/Overlays#Adding_patches) in case it hasn't been already patched). Have a business continuity plan. Many measures must not be ad-hoc, but rather systematic to stay vigilant against emerging threats.
|
||||
|
||||
#In order for the actions (measures?) taken not to be ad-hoc, but rather systematic.
|
||||
As for NixOS, it also features `security.apparmor`, `security.audit` and even `programs.firejail` options which might help in building a more secure system.
|
||||
|
||||
## related resources
|
||||
|
||||
|
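Review bot: The context line `#In order for the actions (measures?) taken not to be ad-hoc, but rather systematic.` is left in place even though this commit works exactly that point into the final-notes paragraph as "Many measures must not be ad-hoc, but rather systematic to stay vigilant against emerging threats."; it now duplicates the paragraph and, starting with `#`, renders as a stray H1 heading in Markdown, so it should be dropped in this same commit. While touching that paragraph, the added sentence would read more cleanly as "These measures should be systematic rather than ad hoc, so that the system stays resilient against emerging threats." (ad hoc is unhyphenated as an adverbial phrase, and "vigilant" fits people, not measures). The change from `confinement.enable` to the full option path `systemd.services.<name>.confinement.enable` is a good clarification and matches how the option is referenced elsewhere in NixOS documentation.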