unofficial mirror of guix-devel@gnu.org 
* Adding a section about security in the guix manual
@ 2019-01-09 14:52 Joshua Branson
  2019-01-10  7:33 ` Chris Marusich
  2019-01-10 23:58 ` Leo Famulari
  0 siblings, 2 replies; 5+ messages in thread
From: Joshua Branson @ 2019-01-09 14:52 UTC
  To: guix-devel


Hello, I would like to store many of the ideas from this arch wiki page
about security into the guix manual.

https://wiki.archlinux.org/index.php/Security

Perhaps I would put it right after GNU Distribution > System
Configuration.  Perhaps I would call that section "Hardening
Recommendations".   Some of the things that I want to include are strong
passwords, encrypted drives, MAC, kernel hardening (which we currently
don't have a linux-libre-hardened do we?), sandboxing applications,
firewalls, and physical security.  I may not be able to complete this
project swiftly, but I do intend to put it on my TODO list.

Is there something else I should add or that I am missing?

Thanks,

Joshua

--
Joshua Branson
Sent from Emacs and Gnus


* Re: Adding a section about security in the guix manual
  2019-01-09 14:52 Adding a section about security in the guix manual Joshua Branson
@ 2019-01-10  7:33 ` Chris Marusich
  2019-01-10 15:04   ` Joshua Branson
  2019-01-10 23:58 ` Leo Famulari
  1 sibling, 1 reply; 5+ messages in thread
From: Chris Marusich @ 2019-01-10  7:33 UTC
  To: guix-devel


Hi Joshua,

Thank you for taking the initiative!  Basically, if you think you can
improve the docs, give it a try, submit a patch to guix-patches@gnu.org,
and we can go from there.

Joshua Branson <jbranso@dismail.de> writes:

> Hello, I would like to store many of the ideas from this arch wiki page
> about security into the guix manual.
>
> https://wiki.archlinux.org/index.php/Security

I can only speak for myself - we don't have a section dedicated to
security like this today, so I think it would be nice to add.  I think
introductions to relevant security concepts, explanations and examples
of how to practice good security using Guix/GuixSD, and useful links to
other parts of our documentation would be great.

> Perhaps I would put it right after GNU Distribution > System
> Configuration.  Perhaps I would call that section "Hardening
> Recommendations".

Any name is fine for now; we can change it later if we want.

> Some of the things that I want to include are strong passwords,
> encrypted drives, MAC, kernel hardening (which we currently don't have
> a linux-libre-hardened do we?), sandboxing applications, firewalls,
> and physical security.  I may not be able to complete this project
> swiftly, but I do intend to put it on my TODO list.
>
> Is there something else I should add or that I am missing?

We already have a few sections that discuss some aspects of security.
Check the manual's index for the word "security".  In an Info reader,
you can do this by pressing "i", or you can just go here in a web
browser:

https://www.gnu.org/software/guix/manual/en/html_node/Concept-Index.html#Concept-Index

It might be nice to link to those sections and/or reorganize as needed.

Once you have something to review, I'd be happy to take a peek.  I'm
sure others would, also.  Submitting a patch is the first step.

-- 
Chris


* Re: Adding a section about security in the guix manual
  2019-01-10  7:33 ` Chris Marusich
@ 2019-01-10 15:04   ` Joshua Branson
  0 siblings, 0 replies; 5+ messages in thread
From: Joshua Branson @ 2019-01-10 15:04 UTC
  To: guix-devel

Chris Marusich <cmmarusich@gmail.com> writes:

> Hi Joshua,
>
> Thank you for taking the initiative!  Basically, if you think you can
> improve the docs, give it a try, submit a patch to guix-patches@gnu.org,
> and we can go from there.

Sounds good.  I will do that.

>
> Joshua Branson <jbranso@dismail.de> writes:
>
>> Hello, I would like to store many of the ideas from this arch wiki page
>> about security into the guix manual.
>>
>> https://wiki.archlinux.org/index.php/Security
>
> I can only speak for myself - we don't have a section dedicated to
> security like this today, so I think it would be nice to add.  I think
> introductions to relevant security concepts, explanations and examples
> of how to practice good security using Guix/GuixSD, and useful links to
> other parts of our documentation would be great.
>
>> Perhaps I would put it right after GNU Distribution > System
>> Configuration.  Perhaps I would call that section "Hardening
>> Recommendations".
>
> Any name is fine for now; we can change it later if we want.
>
>> Some of the things that I want to include are strong passwords,
>> encrypted drives, MAC, kernel hardening (which we currently don't have
>> a linux-libre-hardened do we?), sandboxing applications, firewalls,
>> and physical security.  I may not be able to complete this project
>> swiftly, but I do intend to put it on my TODO list.
>>
>> Is there something else I should add or that I am missing?
>
> We already have a few sections that discuss some aspects of security.
> Check the manual's index for the word "security".  In an Info reader,
> you can do this by pressing "i", or you can just go here in a web
> browser:
>
> https://www.gnu.org/software/guix/manual/en/html_node/Concept-Index.html#Concept-Index
>
> It might be nice to link to those sections and/or reorganize as needed.
>
> Once you have something to review, I'd be happy to take a peek.  I'm
> sure others would, also.  Submitting a patch is the first step.

-- 
Joshua Branson
Sent from Emacs and Gnus


* Re: Adding a section about security in the guix manual
  2019-01-09 14:52 Adding a section about security in the guix manual Joshua Branson
  2019-01-10  7:33 ` Chris Marusich
@ 2019-01-10 23:58 ` Leo Famulari
  2019-01-11  5:04   ` Ricardo Wurmus
  1 sibling, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2019-01-10 23:58 UTC
  To: guix-devel


On Wed, Jan 09, 2019 at 09:52:53AM -0500, Joshua Branson wrote:
> Perhaps I would put it right after GNU Distribution > System
> Configuration.  Perhaps I would call that section "Hardening
> Recommendations".   Some of the things that I want to include are strong
> passwords, encrypted drives, MAC, kernel hardening (which we currently
> don't have a linux-libre-hardened do we?), sandboxing applications,
> firewalls, and physical security.  I may not be able to complete this
> project swiftly, but I do intend to put it on my TODO list.

I think the manual should include things that are specific to Guix, or
that explain how to do generic things (like encrypted storage) in a
Guix-y way. There are a lot of ways the manual (and GuixSD itself) could
be improved in this regard.

I'm less enthusiastic about including things that are basically
universal concerns, like password strength or physical security.


* Re: Adding a section about security in the guix manual
  2019-01-10 23:58 ` Leo Famulari
@ 2019-01-11  5:04   ` Ricardo Wurmus
  0 siblings, 0 replies; 5+ messages in thread
From: Ricardo Wurmus @ 2019-01-11  5:04 UTC
  To: Leo Famulari; +Cc: guix-devel, Joshua Branson


Leo Famulari <leo@famulari.name> writes:

> On Wed, Jan 09, 2019 at 09:52:53AM -0500, Joshua Branson wrote:
>> Perhaps I would put it right after GNU Distribution > System
>> Configuration.  Perhaps I would call that section "Hardening
>> Recommendations".   Some of the things that I want to include are strong
>> passwords, encrypted drives, MAC, kernel hardening (which we currently
>> don't have a linux-libre-hardened do we?), sandboxing applications,
>> firewalls, and physical security.  I may not be able to complete this
>> project swiftly, but I do intend to put it on my TODO list.
>
> I think the manual should include things that are specific to Guix, or
> that explain how to do generic things (like encrypted storage) in a
> Guix-y way. There are a lot of ways the manual (and GuixSD itself) could
> be improved in this regard.
>
> I'm less enthusiastic about including things that are basically
> universal concerns, like password strength or physical security.

I agree.

I’d also like to add that a section on MAC via SELinux would be
challenging to write because one would probably first need to develop
a few system services to better support SELinux.

The same goes for hardening, which would probably require build
system support.

Sandboxing, on the other hand, could get a section already, as this is
made simpler with “guix environment --container” or “guix container”.

Let’s aim for something slightly less ambitious and add sections on
features that already exist.

--
Ricardo
