mrf
/
recursorwf
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
33 Commits
1 Branch
0 Tags
157 KiB
 
 
 
 
 
Tree: 1e33c6b18b
recursorwf/src/services-info.md

1.4 KiB
Raw Blame History

title
sandboxing audit -- NixOS services

This table shows, for each systemd service in nixos, the hardening options that are configured. The items are sorted by decreasing count of configured options, then by name.

This is the current result of a work-in-progress project with the support of the nlnet foundation.

The goal of the project is to audit the security of every systemd service in NixOS. For the moment (modulo the power of my static analysis tool, that may miss some parts of nixpkgs), I built a list of all the systemd services that are defined in NixOS and I automatically read the configuration of these services with respect to systemd hardening. The entries in this table are green if the service configures the option, and red otherwise.

Caveats

  • For now, I only target a restricted list of options (boolean options that are "well-behaved").

  • This shows the options that are configured, but not necessarily secured: for instance, transmission configures PrivateNetwork and this options appears in green, yet it is configured by default to false. This means there may be false positives.

    There may also be some false negatives: for instance, nginx does not configure PrivateNetwork, but this is expected because nginx has no reason to shut itself from the Internet.