mrf
/
recursorwf
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

More info about hardening

master
Julien Marquet 3 years ago
parent
46d51dbdaf
commit
30615ddb5f
5 changed files with 50 additions and 13 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 1
      .envrc
  2. 21
      src/ServicesTable.elm
  3. 24
      src/services-info.md
  4. 5
      src/templates/services-info.html
  5. 12
      ssg/src/Main.hs

1
.envrc
Unescape View File

@ -0,0 +1 @@
use nix

21
src/ServicesTable.elm
Unescape View File

@ -2,6 +2,7 @@
module ServicesTable exposing (main)
import List
import String exposing (fromInt)
import Browser
import Html exposing (Html, div, span, text, table, thead, tbody, tr, th, td)
import Html.Attributes exposing (class)
@ -38,7 +39,10 @@ init _ =
( Loading
, Http.get
{ url = "https://share.recursor.wf/systemd-services-tests.json"
, expect = Http.expectJson GotInfo dataDecoder } )
, expect = Http.expectJson GotInfo (map sorted dataDecoder) } )
sorted : Info -> Info
sorted info = List.sortBy (\{name, fields, tests, mod} -> (List.length fields, name)) info
dataDecoder : Decoder Info
dataDecoder = map (List.map (\(name, (fields, tests, mod)) -> { name = name, fields = fields, tests = tests, mod = mod }))
@ -81,19 +85,22 @@ view model = case model of
Loading -> text "Loading..."
Success info -> renderTable info
rotated : String -> Html Msg
rotated txt = th [ class "rotate-45" ] [ div [] [ span [] [ text txt ] ] ]
headers : Html Msg
headers = tr []
<| [ th [] [ text "source" ], th [] [ text "module" ] ]
++ List.map (\name -> th [ class "rotate-45" ] [ div [] [ span [] [ text name ] ] ]) watchedFields
<| [ th [] [ text "source" ], th [] [ text "#" ], th [] [ text "module" ] ]
++ List.map rotated watchedFields
renderTable : Info -> Html Msg
renderTable info = table [ class "services-table", class "table-header-rotated" ]
[ thead [ class "info-thead" ] [ headers ]
, tbody [] (List.map renderLine info) ]
, tbody [] (List.indexedMap renderLine info) ]
renderLine : { name : String, fields : List String, tests : List String, mod : String } -> Html Msg
renderLine {name, fields, tests, mod} = tr []
<| [ th [] [ text mod ], th [] [ text name ] ]
renderLine : Int -> { name : String, fields : List String, tests : List String, mod : String } -> Html Msg
renderLine i {name, fields, tests, mod} = tr []
<| [ th [] [ text mod ], th [] [ text <| fromInt i ], th [] [ text name ] ]
++ (List.map (\b -> td [class (if b then "cell-good" else "cell-bad")] [text (if b then "" else "")])
<| List.map (\field -> not <| List.member field fields) watchedFields)

24
src/services-info.md
Unescape View File

@ -0,0 +1,24 @@
---
title: sandboxing audit -- NixOS services
---
This table shows, for each systemd service in nixos, the hardening options that are configured.
The items are sorted by decreasing count of configured options, then by name.
This is the current result of [a work-in-progress project](https://github.com/thejohncrafter/nixos-harden-systemd)
with the support of the [nlnet foundation](https://nlnet.nl/).
The goal of the project is to audit the security of every systemd service in
[NixOS](https://nixos.org/). For the moment (*modulo* the power of my static analysis tool, that
may miss some parts of nixpkgs), I built a list of all the systemd services that are defined in NixOS
and I automatically read the configuration of these services with respect to systemd hardening.
The entries in this table are green if the servie configures the option, and red otherwise.
### Caveats
- For now, I only target a restricted list of options (boolean options that are "well-behaved").</p>
- This shows the options that are *configured*, but not necessarily *secured*: for instance,
`transmission` configures `PrivateNetwork` and this options appears in green,
yet it is configured by default to `false`. This means there may be false positives.
There may also be some false negatives: for instance, nginx does not configure `PrivateNetwork`,
but this is expected because nginx has no reason to shut itself from the Internet.

5
src/services-info.html → src/templates/services-info.html
Unescape View File

@ -2,9 +2,12 @@
<html>
<head>
<meta charset="utf-8">
<title>Packages info</title>
<title>$title$</title>
</head>
<body>
<div>
$body$
</div>
<div id="app"></div>
</body>
<style>

12
ssg/src/Main.hs
Unescape View File

@ -13,15 +13,17 @@ main = do
match "templates/*" $
compile templateBodyCompiler
match "*.md" $ do
match "services-info.md" $ do
route $ setExtension "html"
compile $
pandocCompiler
>>= loadAndApplyTemplate "templates/default.html" defaultContext
>>= loadAndApplyTemplate "templates/services-info.html" defaultContext
match "services-info.html" $ do
route idRoute
compile copyFileCompiler
match ("*.md" .&&. complement "services-info.md") $ do
route $ setExtension "html"
compile $
pandocCompiler
>>= loadAndApplyTemplate "templates/default.html" defaultContext
match "*.elm" $ do
route $ setExtension "js"

Write Preview
Loading…
Cancel
Save