some rearrangements

nixos-config-re
Alexander Tomokhov 2023-06-21 03:22:09 +04:00
parent 338565a1fa
commit b9f083342d
1 changed files with 6 additions and 9 deletions


@ -4,7 +4,9 @@
When it comes to security, we care about limiting access of each entity of a system to as few other entities as possible. Network input, executables and users must be able to reach only those resources, which are necessary to perform the defined server tasks.
Generally, it's better to implement as many layers of security as possible. Although, there is no way to make server 100% bullet proof - it's a huge endless topic, this article will cover some feasible essential things that give us a layer of protection.
Generally, it's better to implement as many layers of security as possible. Although, there is no way to make a server 100% bullet proof - it's a huge endless topic, this article covers some feasible essential `systemd` tunables that give us a layer of protection.
#While there are many areas of server protection, like keeping the running software up to date and respond to CVEs ([deploying software with patches is easy in NixOS](https://nixos.wiki/wiki/Overlays#Adding_patches) in case it hasn't been already patched), we will focus on `systemd` means (and a bit more, where `systemd` is not sophisticated enough).
Systemd is the standard software suite for organizing and running services/daemons in a modern GNU/Linux distribution, including NixOS.
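Review bot: the line beginning `#While there are many areas of server protection...` will not behave as a comment in Markdown; a leading `#` renders it as a top-level heading, so the whole paragraph shows up as an H1 in the built article. If it is meant to be parked for later, wrap it in an HTML comment (`<!-- ... -->`) or drop it here, since its content is already covered in the "final notes" section below. Two small wording fixes in the replacement sentence while you are touching it: "bullet proof" should be "bulletproof", and the parenthetical "keeping the running software up to date and respond to CVEs" needs parallel forms, i.e. "keeping ... up to date and responding to CVEs".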
@ -19,18 +21,13 @@ What NixOS does - it generates systemd configuration files in accordance to NixO
4. monitor and respond
Have a rescue plan to mitigate the impact of incidents. This might include restoring system from backups, keys and passwords reset.
Business continuity plan.
While there are many areas of server protection, like keeping the running software up to date and respond to CVEs ([deploying software with patches is easy in NixOS](https://nixos.wiki/wiki/Overlays#Adding_patches) in case it hasn't been already patched), we will focus on `systemd` means (and a bit more, where `systemd` is not sophisticated enough).
## final notes
#Protection against outside threats: potential vulnerabilities and unauthorized access.
Systemd hardening is just a part of measures to be taken to narrow the potential threat landscape and risks for a server. Ideally, vulnerabilities scanning, penetration testing, unauthorized access prevention and security audits should be involved. Take advantage of monitoring tools and respond quickly, according to a rescue plan to mitigate the impact of incidents. Keep running software up to date and respond to CVEs ([deploying software with patches is easy in NixOS](https://nixos.wiki/wiki/Overlays#Adding_patches) in case it hasn't been already patched).
Systemd hardening is just a part of measures to be taken to narrow the potential threat landscape and risks.
Ideally, vulnerability scanning, penetration testing and security audits should be involved. Take advantage of monitoring tools and respond quickly, according to a rescue plan to mitigate the impact of incidents.
Have a rescue plan to mitigate the impact of incidents. This might include restoring system from backups, keys and passwords reset.
Business continuity plan.
In order for the actions (measures?) taken not to be ad-hoc, but rather systematic.
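Review bot: the line `#Protection against outside threats: potential vulnerabilities and unauthorized access.` has the same problem as the `#` line in the first hunk: Markdown will render it as a heading directly under `## final notes`, not hide it; use an HTML comment or remove it. Two further things in this hunk look like unfinished rearrangement rather than intended text: "Have a rescue plan to mitigate the impact of incidents. ... Business continuity plan." appears both after "4. monitor and respond" and again after the "Ideally, vulnerability scanning ..." paragraph, and the closing line "In order for the actions (measures?) taken not to be ad-hoc, but rather systematic." is a sentence fragment with an author's question left in. Keep one copy of the rescue-plan text, and either complete the last sentence (e.g. "so that the measures taken are systematic rather than ad hoc") or leave it out of the commit. Minor grammar in the rescue-plan line: "restoring the system from backups, resetting keys and passwords".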