unofficial mirror of help-guix@gnu.org 
* What are you using to harden your Guix System?
@ 2020-10-19 23:16 luhux
  2020-10-20  9:43 ` jbranso
  0 siblings, 1 reply; 5+ messages in thread
From: luhux @ 2020-10-19 23:16 UTC (permalink / raw)
  To: help-guix


Hello everyone!

I'm making my Guix System more secure recently. Do you have any suggestions?

* What do I need if I want to use SELinux in Guix System?

* Or how should I use AppArmor in Guix System?

If there are other hardening suggestions, please let me know. Thank you very much.


luhux



* Re: What are you using to harden your Guix System?
  2020-10-19 23:16 What are you using to harden your Guix System? luhux
@ 2020-10-20  9:43 ` jbranso
  2020-10-20 12:18   ` luhux
  0 siblings, 1 reply; 5+ messages in thread
From: jbranso @ 2020-10-20  9:43 UTC (permalink / raw)
  To: luhux, help-guix

I'm using sway instead of X.  Does that count?

Though I'm still using X for Emacs....

It would be great to add a cookbook page about how to harden guix!

Thanks,

Joshua



* Re: What are you using to harden your Guix System?
  2020-10-20  9:43 ` jbranso
@ 2020-10-20 12:18   ` luhux
  2020-10-20 18:32     ` Joshua Branson
  0 siblings, 1 reply; 5+ messages in thread
From: luhux @ 2020-10-20 12:18 UTC (permalink / raw)
  To: jbranso; +Cc: help-guix

On Tue, Oct 20, 2020 at 09:43:33AM +0000, jbranso@dismail.de wrote:
> I'm using sway instead of X.  Does that count?
> 
> Though I'm still using X for Emacs....
> 
> It would be great to add a cookbook page about how to harden guix!
> 
> Thanks,
> 
> Joshua
Thank you for your suggestion, I will try to find a suitable alternative under Wayland.

Switching from X to Wayland is a bit difficult for me, because I did not find an alternative to 'cwm' under Wayland.

A hardening cookbook is a good idea; if you find one or create it, please let me know.

Before creating the cookbook, everyone can use this mail as a place to discuss hardening. Let me share:

* Except for the partition where grub or efi is stored, encrypt the other partitions with LUKS (thanks to grub, it can mount the partition encrypted with LUKS and then load the kernel to boot)

* Use `guix environment --container` to containerize some programs to make the system more secure.

* For programs that are not very trusted or are run by root, or programs for testing, use `guix system container` to build and start them.

* Use iptables or nftables to build firewall rules

* When using docker, disable the iptables rules automatically built by docker, and then decide docker's network access by yourself (using iptables or nftables):

===============================================

;; Docker no longer inserts its own iptables rules; the host firewall
;; decides what containers may reach.
(service docker-service-type
         (docker-configuration
          (enable-iptables? #f)))

===============================================

* On the public network server, I closed ICMP, closed the SSH port, and then used WireGuard to access it.

* In ~/.ssh/rc I wrote a script to automatically send an email in the background after a successful sign-in (although pam_exec can be used to do it, and can do it better, I don't know PAM very well).

* Use programs whose code is small but reliable, such as suckless st, cwm, password-store and libressl.

Thanks,

luhux


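The list above mixes several separate mechanisms (LUKS under GRUB, a host firewall, SSH reachable only through WireGuard, Docker with its own iptables rules turned off). The following is an added example, not code from the thread or from the Guix project, of a single Guix System declaration that combines them. It assumes things the thread does not state: the public uplink is `eth0`, WireGuard is brought up separately as `wg0` listening on UDP 51820, Docker keeps its default `172.17.0.0/16` bridge on `docker0`, the two UUIDs are placeholders, and the `bootloader-configuration` uses the `targets` field of current Guix. It goes slightly beyond the post in one respect: it still accepts ICMPv6 neighbour discovery, because dropping all ICMP in an `inet` table silently breaks IPv6 on the host.

```scheme
;; Added example: a Guix System configuration combining the hardening
;; measures discussed in the thread.  Assumed, not from the thread:
;; uplink eth0, WireGuard as wg0 on UDP 51820, Docker's default bridge
;; docker0 / 172.17.0.0/16, placeholder UUIDs.
(use-modules (gnu))
(use-service-modules networking ssh docker dbus desktop)

;; Default-drop input; SSH only over the WireGuard tunnel; no echo replies
;; from the public side.  With Docker's own iptables rules disabled below,
;; the forward and nat chains are what grant containers network access.
(define %hardened-ruleset
  (plain-file "nftables.conf"
   "table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept
    udp dport 51820 accept
    iifname wg0 tcp dport 22 accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    iifname docker0 oifname eth0 accept
    iifname eth0 oifname docker0 ct state established,related accept
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
table ip nat {
  chain postrouting {
    type nat hook postrouting priority 100;
    ip saddr 172.17.0.0/16 oifname eth0 masquerade
  }
}
"))

(operating-system
  (host-name "hardened-guix")
  (timezone "Etc/UTC")
  (locale "en_US.utf8")

  (bootloader
   (bootloader-configuration
    (bootloader grub-efi-bootloader)
    (targets (list "/boot/efi"))))

  ;; Everything except the EFI system partition lives inside one LUKS
  ;; container, which GRUB unlocks before it loads the kernel.
  (mapped-devices
   (list (mapped-device
          (source (uuid "00000000-0000-0000-0000-000000000000")) ; placeholder
          (target "cryptroot")
          (type luks-device-mapping))))

  (file-systems
   (cons* (file-system
            (mount-point "/")
            (device "/dev/mapper/cryptroot")
            (type "ext4")
            (dependencies mapped-devices))
          (file-system
            (mount-point "/boot/efi")
            (device (uuid "0000-0000" 'fat32)) ; placeholder
            (type "vfat"))
          %base-file-systems))

  (users (cons (user-account
                (name "admin")
                (group "users")
                (supplementary-groups '("wheel" "docker")))
               %base-user-accounts))

  (services
   (append
    (list
     (service nftables-service-type
              (nftables-configuration (ruleset %hardened-ruleset)))
     ;; Key-only SSH with no root login; the ruleset confines it to wg0.
     (service openssh-service-type
              (openssh-configuration
               (permit-root-login #f)
               (password-authentication? #f)))
     ;; docker-service-type needs D-Bus and elogind at runtime.
     (service dbus-root-service-type)
     (service elogind-service-type)
     (service docker-service-type
              (docker-configuration (enable-iptables? #f))))
    %base-services)))
```

Before reconfiguring, check the ruleset on its own with `nft -c -f nftables.conf`; a syntax error there would otherwise only surface when the nftables Shepherd service fails at boot, with the machine sitting behind no firewall at all. Because the forward chain is default-drop and Docker is no longer managing rules, a container that needs an inbound port must be given an explicit forward rule (and a dnat rule) rather than relying on `-p`.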

* Re: What are you using to harden your Guix System?
  2020-10-20 12:18   ` luhux
@ 2020-10-20 18:32     ` Joshua Branson
  2020-10-21 18:10       ` Joshua Branson
  0 siblings, 1 reply; 5+ messages in thread
From: Joshua Branson @ 2020-10-20 18:32 UTC (permalink / raw)
  To: luhux; +Cc: help-guix


This Archlinux guide may be of use when discussing hardening GNU/Linux
systems:

https://wiki.archlinux.org/index.php/Security

-- 
Joshua Branson
Sent from Emacs and Gnus
https://gnucode.me
https://video.hardlimit.com/accounts/joshua_branson/video-channels
"You can have whatever you want, as long as you help enough other people get what they want." - Zig Ziglar



* Re: What are you using to harden your Guix System?
  2020-10-20 18:32     ` Joshua Branson
@ 2020-10-21 18:10       ` Joshua Branson
  0 siblings, 0 replies; 5+ messages in thread
From: Joshua Branson @ 2020-10-21 18:10 UTC (permalink / raw)
  To: luhux; +Cc: help-guix


Oh, I am also using "sway".  That works fairly well.

-- 
Joshua Branson
Sent from Emacs and Gnus
https://gnucode.me
https://video.hardlimit.com/accounts/joshua_branson/video-channels
"You can have whatever you want, as long as you help enough other people get what they want." - Zig Ziglar

