Hey Austin, do we still need SELinux with grsecurity? If we want to harden NixOS, what is our best bet right now?
Aloha, RK.

On Sun, Apr 13, 2014 at 3:20 AM, Austin Seipp <[email protected]> wrote:
> Hello all,
>
> (Sending to nix-dev as I imagine several users might be interested).
>
> As of nixpkgs commit 172dc1336f108ee8, there is a new NixOS module
> which greatly enhances support for the grsecurity project*. This is a
> significant upgrade of the existing support (which was mostly just
> kernel packages), and makes usage far easier and less error-prone to
> configure.
>
> You can enable it by just specifying which kernel you want (stable,
> stable+vserver patches, or testing), and the system configuration
> (desktop or server):
>
>     security.grsecurity.enable = true;
>     security.grsecurity.testing = true;             # testing 3.13 kernel
>     security.grsecurity.config.system = "desktop";  # or "server"
>
> This defaults to high-security enhancements, and auto-selects all the
> appropriate configuration options and enabled protections. This
> implies no virtualisation support, which is needed for all your
> expected software functionality to work properly. For example, to
> enable KVM support:
>
>     security.grsecurity.enable = true;
>     security.grsecurity.stable = true;  # enable stable 3.2 kernel
>     security.grsecurity.config = {
>       system = "server";
>       priority = "security";
>       virtualisationConfig = "host";
>       virtualisationSoftware = "kvm";
>       hardwareVirtualisation = true;
>     };
>
> You can also use the 'custom' grsecurity configuration, in combination
> with custom kernel options. See the options 'security.grsecurity.mode'
> and 'security.grsecurity.config.kernelExtraConfig' for more
> information.
>
> At the moment, Hydra will not build packages for your grsec kernel. If
> you enable it, you'll have to build it yourself. In the future, I hope
> to alleviate this (perhaps by providing binary packages for
> 'pre-canned' automatic configurations).
>
> At the moment, gradm's learning mode is broken, so be careful playing
> with it. I hope to fix this soon.
>
> I've been using this module with NixOps and deploying to multiple
> Hetzner servers successfully for a month or two. (I suspect EC2 should
> work fine as well).
>
> Please do try it out - and be sure to keep a backup system
> configuration for now, just in case something goes wrong.
>
> Thanks to Ricardo Correia for review and feedback.
>
> ---------------------------------
>
> * For those who aren't familiar - quoting https://grsecurity.net
>
> "Grsecurity is an extensive security enhancement to the Linux kernel,
> touching nearly 2000 files and composed of over 60,000 lines of
> changes. It has been actively developed and maintained for the past 13
> years. Grsecurity defends against a wide range of security threats
> through intelligent access control, memory corruption-based exploit
> prevention, and a host of other system hardening that generally
> require no configuration."
>
> --
> Regards,
> Austin - PGP: 4096R/0x91384671
> _______________________________________________
> nix-dev mailing list
> [email protected]
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
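For anyone wanting to try the module as a whole system configuration rather than as the two snippets in Austin's mail, here is an added example of a complete configuration.nix that pulls the announced options together. It is not code from the announcement or from nixpkgs; the option names and values are the ones the mail lists (the `hardware-configuration.nix` import is the usual NixOS boilerplate), and the choice of stable kernel plus KVM host is just one of the combinations the mail describes.

```nix
# /etc/nixos/configuration.nix -- added example, not from the original mail.
{ config, pkgs, ... }:

{
  imports = [ ./hardware-configuration.nix ];

  security.grsecurity = {
    enable = true;

    # Pick one kernel line. The mail lists three: stable (3.2),
    # stable+vserver, or testing (3.13). `testing = true;` would select
    # the last; the default configuration mode picks the protections for
    # you based on `config.system` and `config.priority`.
    stable = true;

    config = {
      # "desktop" or "server"; server is what the mail deploys to Hetzner.
      system = "server";
      priority = "security";

      # The default build leaves virtualisation out entirely. A KVM host
      # needs all three of these, exactly as in the mail's second snippet.
      virtualisationConfig = "host";
      virtualisationSoftware = "kvm";
      hardwareVirtualisation = true;
    };
  };
}
```

Because Hydra does not build the grsec kernel, `nixos-rebuild switch` with this file compiles the kernel on the machine itself (or on the NixOps deploy target), so budget time for that first rebuild. The previous system generation stays selectable in the boot menu, which is the easy way to honour the mail's advice to keep a fallback configuration until the hardened kernel has run long enough on that host to trust it. Hand-tuned kernel options go through the `security.grsecurity.mode` and `security.grsecurity.config.kernelExtraConfig` options the mail points to, whose exact accepted values are not shown in the announcement and are therefore not guessed at here.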
