unofficial mirror of help-guix@gnu.org 
From: luhux <luhux@outlook.com>
To: jbranso@dismail.de
Cc: help-guix@gnu.org
Subject: Re: What are you using to harden your Guix System?
Date: Tue, 20 Oct 2020 12:18:43 +0000
Message-ID: <PSXP216MB02148222D962AA66FFA3E026A01F0@PSXP216MB0214.KORP216.PROD.OUTLOOK.COM>
In-Reply-To: <6004ce9acbf415572566cdc4c3f6d916@dismail.de>

On Tue, Oct 20, 2020 at 09:43:33AM +0000, jbranso@dismail.de wrote:
> I'm using sway instead of X.  Does that count?
> 
> Though I'm still using X for Emacs....
> 
> It would be great to add a cookbook page about how to harden guix!
> 
> Thanks,
> 
> Joshua
Thank you for your suggestion, I will try to find a suitable alternative under wayland.

Switching from X to wayland is a bit difficult for me, because I did not find an alternative to 'cwm' under wayland.

A hardening cookbook is a good idea; if you find a cookbook or create it, please let me know.

Before creating the cookbook, everyone can use this mail as a place to discuss hardening. Let me share:

* Except for the partition where grub or efi is stored, let the other partitions be encrypted with luks (thanks to grub, it can mount the partition encrypted by luks, and then load the kernel to boot)

* Use `guix environment --container` to containerize some programs to make the system more secure.

* For programs that are not very trusted or run by root, or programs for testing, use `guix system container` to build and start them

* Use iptables or nftables to build firewall rules

* When using docker, disable the iptables rules automatically built by docker, and then decide docker's network access by yourself (using iptables or nftables):

===============================================

(service docker-service-type
         (docker-configuration
          (enable-iptables? #f)))

===============================================

* On the public network server, I closed icmp, closed the ssh port, and then used wireguard to access it.


* In ~/.ssh/rc I wrote a script to automatically send emails in the background after signing in successfully (although pam_exec can be used to do it, and it can do better, I don't know pam very well)


* Use programs with a small but reliable code base, such as suckless st, cwm, password-store, libressl


Thanks

luhux

