Re: What are you using to harden your Guix System?

2020-10-20 Thread luhux
On Tue, Oct 20, 2020 at 09:43:33AM +, jbra...@dismail.de wrote:
> I'm using sway instead of X.  Does that count?
> 
> Though I'm still using X for Emacs
> 
> It would be great to add a cookbook page about how to harden guix!
> 
> Thanks,
> 
> Joshua
Thank you for your suggestion, I will try to find a suitable alternative under 
wayland.

Switching from X to wayland is a bit difficult for me, because I did not find 
an alternative to 'cwm' under wayland.

A hardening cookbook is a good idea. If you find a cookbook or create one, 
please let me know.

Before creating the cookbook, everyone can use this mail as a place to discuss 
hardening. Let me share:





* Except for the partition where grub or efi is stored, let the other partitions 
be encrypted with luks (thanks to grub, it can mount the partition encrypted by 
luks, and then load the kernel to boot)

* Use `guix environment --container` to containerize some programs to make the 
system more secure.

* For programs that are not very trusted or run by root, or programs for 
testing, use `guix system container` to build it and start it

* Use iptables or nftables to build firewall rules

* When using docker, disable the iptables rules automatically built by docker, 
and then decide docker's network access by yourself (using iptables or 
nftables):

===

(service docker-service-type
         (docker-configuration
          (enable-iptables? #f)))

===

* On the public network server, I closed icmp, closed the ssh port, and then 
used wireguard to access it.


* In ~/.ssh/rc I wrote a script to automatically send emails in the background 
after signing in successfully (pam_exec can be used to do it, and it can do 
better, but I don't know pam too well)


* Use programs that do not have a lot of code but are reliable, such as 
(suckless st, cwm, password-store, libressl)


Thanks

luhux
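
The ~/.ssh/rc login notification mentioned in the message above, as an added example that is not luhux's own script. The recipient address, the function names and the presence of a sendmail-compatible command are assumptions.

```shell
#!/bin/sh
# ~/.ssh/rc (added example): mail a notice after each successful SSH login.
# sshd runs this file as the logging-in user before the shell or command
# starts; it must not write to stdout, so all output is discarded below.

NOTIFY_TO="admin@example.org"   # placeholder recipient (assumption)

# Print a mail message built from sshd's environment; return 1 when
# SSH_CONNECTION is not "client_ip client_port server_ip server_port".
build_notice() {
    IFS=' ' read -r c_ip c_port s_ip s_port extra <<EOF
${SSH_CONNECTION:-}
EOF
    [ -n "$s_port" ] && [ -z "$extra" ] || return 1
    printf 'To: %s\nSubject: SSH login: %s@%s from %s\n\n' \
        "$NOTIFY_TO" "${USER:-unknown}" "$(uname -n)" "$c_ip"
    printf 'Time: %s\nClient: %s port %s\nServer: %s port %s\n' \
        "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$c_ip" "$c_port" "$s_ip" "$s_port"
}

# Hand the message to a sendmail-compatible command (assumed installed);
# -t takes the recipient from the To: header.
send_notice() {
    command -v sendmail >/dev/null 2>&1 || return 0
    # Background subshell: a slow or unreachable mail server never delays login.
    ( build_notice | sendmail -t ) >/dev/null 2>&1 &
}

# Only act inside a real SSH session.
if [ -n "${SSH_CONNECTION:-}" ]; then
    send_notice
fi
```

sshd skips ~/.ssh/rc when `PermitUserRC no` is set in sshd_config, and the file is owned by the account it reports on, so it works as a convenience alert rather than a tamper-resistant audit record.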



What are you using to harden your Guix System?

2020-10-19 Thread luhux


Hello everyone!

I’ve recently been making my Guix System more secure.
Do you have any suggestions?

* What do I need if I use selinux in Guix System?

* Or how should I use Apparmor in Guix System?

If there are other hardening suggestions please let me know, thank you very much.


luhux



Re: guix system reconfigure fails

2020-09-30 Thread luhux
On Tue, Sep 29, 2020 at 10:34:11PM +, Abraham Jose wrote:
> Git error: SSL error: received early EOF

This may be a problem with your network.

You may be able to copy the git repository locally and then:

guix pull --url=/path/to/guix