Harden systemd services #15
Comments
We could start by taking from here: https://www.reddit.com/r/NixOS/comments/1aqck9l/systemd_hardening_some_preconfigured_options_d/
wow, nice find! - and good idea
An additional idea is applying a blanket light profile to all services, that is very unlikely to break. Or making other profiles that are exposed for the user to use in their own services.
By the way, stuff like this (proposed additional security options) might be better organized(?) if they used GitHub's "discussions" feature, since they aren't an "issue" with the project, per se, and are something you need to discuss - Although that is obviously at your digression since it would add a little more complexity to the repository.
Sounds good, but I'm not 100% sure about how to start with that, or if that'd even be fundamentally possible before turning it into whitelist whack-a-mole. I'd have to do more research on systemd hardening first.
I don't personally care. People have, and will continue to put suggestions in issues, and developers will continue to just make an issue tag for
I actually didn't know that, but it makes sense and is good for simplicity :)
The NixOS default security configuration for systemd services is very lax.
(systemd-analyze security = 😨😨😨😨😨😨😨😨😨😨😨😨😨)
If you look at: https://xeiaso.net/blog/paranoid-nixos-2021-07-18/ - Lock Down Services Within Systemd
it advises increasing the security settings of systemd services.
I believe developing higher security serviceConfigs for the most commonly used services would be a good use of resources (and they might get upstreamed to nixpkgs later :D)
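As an added illustration of what the issue and the comments above are asking for (not code from this project, the linked Reddit thread or the linked blog post), here is a NixOS module that defines two reusable serviceConfig hardening profiles: a conservative "light" one that rarely breaks services, and a stricter one built on top of it. Every option name comes from systemd.exec(5); the service names "example-daemon" and "example-web" are placeholders, and the profile contents are one reasonable choice, not a nixpkgs recommendation.

```nix
{ lib, ... }:
let
  # Light profile: sandboxing that almost any service tolerates. Candidate for a
  # blanket default (constructed here; tune to taste).
  lightProfile = {
    NoNewPrivileges = true;             # no setuid/fscaps privilege gain via exec
    ProtectSystem = "full";             # /usr, /boot, /etc mounted read-only
    ProtectHome = "read-only";
    PrivateTmp = true;                  # private /tmp and /var/tmp
    ProtectKernelTunables = true;       # /proc/sys, /sys read-only
    ProtectControlGroups = true;
    RestrictRealtime = true;
    LockPersonality = true;
    SystemCallArchitectures = "native"; # blocks foreign-ABI syscalls (e.g. 32-bit on x86_64)
  };

  # Strict profile: extends the light one. Expect some services to need
  # individual relaxations (JIT runtimes break on MemoryDenyWriteExecute,
  # services that write state under /var need ReadWritePaths, etc.).
  strictProfile = lightProfile // {
    ProtectSystem = "strict";           # whole filesystem read-only except /dev, /proc, /sys
    ProtectHome = true;
    PrivateDevices = true;              # minimal private /dev
    PrivateUsers = true;                # user namespace; root inside != root outside
    ProtectKernelModules = true;
    ProtectKernelLogs = true;
    ProtectClock = true;
    ProtectHostname = true;
    ProtectProc = "invisible";          # hide other users' processes in /proc
    ProcSubset = "pid";
    RestrictNamespaces = true;
    RestrictSUIDSGID = true;
    RemoveIPC = true;
    MemoryDenyWriteExecute = true;      # no W+X mappings
    RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
    CapabilityBoundingSet = "";         # empty set: drop every capability
    AmbientCapabilities = "";
    SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
    UMask = "0077";
    DynamicUser = true;                 # transient unprivileged user per run
  };

  # Wrap each value in mkDefault so a service's own serviceConfig entries win
  # over the profile instead of producing a conflicting-definition error.
  applyProfile = profile: {
    serviceConfig = lib.mapAttrs (_: lib.mkDefault) profile;
  };
in
{
  # Placeholder service names; attach the profile to real units in the same way.
  systemd.services.example-daemon = applyProfile strictProfile;
  systemd.services.example-web = applyProfile lightProfile;
}
```

After a rebuild, `systemd-analyze security example-daemon.service` shows the per-option exposure score the issue refers to, and `journalctl -u example-daemon.service` is where a too-strict profile shows up first (permission denied on a path, or a process killed by the seccomp filter). Because everything is `mkDefault`, a single `systemd.services.example-daemon.serviceConfig.ReadWritePaths = [ "/var/lib/example" ];` next to the profile is enough to carve out an exception without touching the shared profile.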