Hardening: Lynis recommendations #63768
Comments
I'd disable ICMP redirects in the hardened profile, though arguably it makes sense to do so by default & only enable if actually needed... for the others, I suppose you can open a PR to change defaults but there may be concerns over broken features. Perhaps there could be a "workstation/non-developer" profile of some sort, where breaking developer features is okay yet stopping short of outright wrecking performance and features like the hardened profile does.
I've had 2 different security scanners complain about
@aanderse is openvas/GVM one of them? It's the only thing it complains about on NixOS targets. (I work for the company that develops it.) It's not a very high security risk. The worst thing that can happen is that someone knows the uptime of your system. Other popular Linux distros also have it enabled.
@davidak Yes, one of the scanners is
Entirely unrelated to this issue: I'm very glad to know who you work for! If you're able to lend any assistance I would greatly appreciate it: https://discourse.nixos.org/t/need-help-packaging-gsa/3345
See e.g. #63768. Forwarding remains enabled for now; need to determine its effects on virtualization, if any.
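The two sysctl changes discussed above (disabling ICMP redirects in the hardened profile, and IP forwarding being left alone until its effect on virtualization is known) map onto NixOS's `boot.kernel.sysctl` option. The fragment below is an added example written for this issue; it is not code from nixpkgs, from the hardened profile, or from any commenter. It assumes it is imported from `configuration.nix`; the sysctl key names are the standard Linux ones, and the use of `lib.mkDefault` so that other modules can override is my choice, not something the thread specifies.

```nix
# Added example for this issue, not part of nixpkgs or the hardened profile.
{ config, lib, pkgs, ... }:

{
  boot.kernel.sysctl = {
    # Do not accept ICMP redirects: an on-link host could otherwise rewrite our
    # routing decisions. IPv4 has a "secure" variant that must be disabled too.
    "net.ipv4.conf.all.accept_redirects" = lib.mkDefault false;
    "net.ipv4.conf.default.accept_redirects" = lib.mkDefault false;
    "net.ipv4.conf.all.secure_redirects" = lib.mkDefault false;
    "net.ipv4.conf.default.secure_redirects" = lib.mkDefault false;
    "net.ipv6.conf.all.accept_redirects" = lib.mkDefault false;
    "net.ipv6.conf.default.accept_redirects" = lib.mkDefault false;

    # Do not send ICMP redirects either; a workstation is not a router.
    "net.ipv4.conf.all.send_redirects" = lib.mkDefault false;
    "net.ipv4.conf.default.send_redirects" = lib.mkDefault false;

    # IP forwarding is deliberately NOT forced off here, matching the thread's
    # decision to keep it enabled until its effect on virtualization is known.
    # mkDefault means NAT/container modules that need forwarding still win.
    "net.ipv4.ip_forward" = lib.mkDefault true;
  };
}
```

After `nixos-rebuild switch`, verify the running values with `sysctl net.ipv4.conf.all.accept_redirects net.ipv4.conf.all.send_redirects` (both should print `0`), and re-run the Lynis audit from the reproduction step to confirm the corresponding suggestion no longer appears. Because every value is wrapped in `lib.mkDefault`, a host that enables `networking.nat` or a container module keeps the forwarding setting those modules require.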
Thank you for your contributions. This has been automatically marked as stale because it has had no activity for 180 days. If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity. Here are suggestions that might help resolve this more quickly:
still important in my opinion
Issue description
I scanned my NixOS desktop with lynis.
We might want to implement the recommendations, by default or in a special profile. (Maybe the hardened profile already has them? https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix)
cc @joachifm
Steps to reproduce
nix run -f channel:nixos-unstable nixpkgs.lynis -c lynis audit system -Q
Technical details
- system: "x86_64-linux"
- host os: Linux 4.19.49, NixOS, 19.03.172866.4649b6ef4b5 (Koi)
- multi-user?: no
- sandbox: yes
- version: nix-env (Nix) 2.2.2
- channels(root): "nixos-19.03.172979.8634c3b6199, nixos-hardware, nixos-unstable-19.09pre183392.83ba5afcc96"
- nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos