some rearrangements
parent
338565a1fa
commit
b9f083342d
15
article.md
|
@ -4,7 +4,9 @@
|
|||
|
||||
When it comes to security, we care about limiting access of each entity of a system to as few other entities as possible. Network input, executables and users must be able to reach only those resources, which are necessary to perform the defined server tasks.
|
||||
|
||||
Generally, it's better to implement as many layers of security as possible. Although, there is no way to make server 100% bullet proof - it's a huge endless topic, this article will cover some feasible essential things that give us a layer of protection.
|
||||
Generally, it's better to implement as many layers of security as possible. Although, there is no way to make a server 100% bullet proof - it's a huge endless topic, this article covers some feasible essential `systemd` tunables that give us a layer of protection.
|
||||
|
||||
#While there are many areas of server protection, like keeping the running software up to date and respond to CVEs ([deploying software with patches is easy in NixOS](https://nixos.wiki/wiki/Overlays#Adding_patches) in case it hasn't been already patched), we will focus on `systemd` means (and a bit more, where `systemd` is not sophisticated enough).
|
||||
|
||||
Systemd is the standard software suite for organizing and running services/daemons in a modern GNU/Linux distribution, including NixOS.
|
||||
|
||||
|
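Review bot: the `#While there are many areas of server protection…` line in this hunk has no space after the `#`, so it is neither a heading nor a comment; CommonMark renders `#While` as literal text with a stray `#`, and some renderers treat any leading `#` as an H1, so the paragraph will either show up garbled or become a heading. If the intent is to park the paragraph while it is moved to the final notes, delete it here or wrap it in an HTML comment (`<!-- … -->`) rather than prefixing `#`. The rewritten sentence `Although, there is no way to make a server 100% bullet proof - it's a huge endless topic, this article covers some feasible essential `systemd` tunables…` is a run-on; suggest `Although there is no way to make a server 100% bulletproof (it is a huge, endless topic), this article covers some feasible, essential `systemd` tunables that give us a layer of protection.` The context line `generates systemd configuration files in accordance to NixOS` should read `in accordance with`.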
@ -19,18 +21,13 @@ What NixOS does - it generates systemd configuration files in accordance to NixO
|
|||
4. monitor and respond
|
||||
|
||||
|
||||
Have a rescue plan to mitigate the impact of incidents. This might include restoring system from backups, keys and passwords reset.
|
||||
Business continuity plan.
|
||||
|
||||
While there are many areas of server protection, like keeping the running software up to date and respond to CVEs ([deploying software with patches is easy in NixOS](https://nixos.wiki/wiki/Overlays#Adding_patches) in case it hasn't been already patched), we will focus on `systemd` means (and a bit more, where `systemd` is not sophisticated enough).
|
||||
|
||||
## final notes
|
||||
|
||||
#Protection against outside threats: potential vulnerabilities and unauthorized access.
|
||||
Systemd hardening is just a part of measures to be taken to narrow the potential threat landscape and risks for a server. Ideally, vulnerabilities scanning, penetration testing, unauthorized access prevention and security audits should be involved. Take advantage of monitoring tools and respond quickly, according to a rescue plan to mitigate the impact of incidents. Keep running software up to date and respond to CVEs ([deploying software with patches is easy in NixOS](https://nixos.wiki/wiki/Overlays#Adding_patches) in case it hasn't been already patched).
|
||||
|
||||
Systemd hardening is just a part of measures to be taken to narrow the potential threat landscape and risks.
|
||||
|
||||
Ideally, vulnerability scanning, penetration testing and security audits should be involved. Take advantage of monitoring tools and respond quickly, according to a rescue plan to mitigate the impact of incidents.
|
||||
Have a rescue plan to mitigate the impact of incidents. This might include restoring system from backups, keys and passwords reset.
|
||||
Business continuity plan.
|
||||
|
||||
|
||||
In order for the actions (measures?) taken not to be ad-hoc, but rather systematic.
|
||||
|
|
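Review bot: the new final-notes text ends with a sentence fragment, `In order for the actions (measures?) taken not to be ad-hoc, but rather systematic.`, which has no main clause and still carries the author's inline query `(measures?)`; finish the thought (for example `To keep these measures systematic rather than ad hoc, write them down as a plan and review it periodically.`) or drop the line before merging. `Business continuity plan.` is likewise a bare noun phrase on its own line; fold it into the preceding sentence, which also needs a grammar fix: `This might include restoring the system from backups and resetting keys and passwords, i.e. a business continuity plan.` The sentence about keeping software up to date and responding to CVEs (with the NixOS overlays link) is removed from the `Systemd hardening is just a part…` paragraph in this hunk; make sure it survives somewhere that renders, since the copy at the top of the file is prefixed with `#`. If the `#Protection against outside threats…` line is kept, give it a real heading form matching `## final notes` or remove it; `#Protection` with no space is not a Markdown heading. Finally, `4. monitor and respond` is dropped from the numbered list above: check that the remaining items and any mention of their count in the preceding text still agree.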