copumpkin has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
__Sander__ has joined #nixos-security
ckauhaus_ is now known as ckauhaus
kgz has joined #nixos-security
copumpkin has joined #nixos-security
__Sander__ has quit [Quit: Konversation terminated!]
<gchristensen>
so how well do y'all think we'd do on a CIS Distribution Independent Linux Benchmark
<fpletz>
never heard of CIS, doesn't look very trustworthy or nonprofit to me either
<fpletz>
is that even relevant? :)
{^_^} has quit [Ping timeout: 240 seconds]
tv has quit [Ping timeout: 240 seconds]
ma27 has quit [Ping timeout: 240 seconds]
sphalerite has quit [Ping timeout: 240 seconds]
andi- has quit [Ping timeout: 240 seconds]
ckauhaus has quit [Ping timeout: 240 seconds]
{^_^} has joined #nixos-security
ckauhaus_ has joined #nixos-security
tv has joined #nixos-security
ma27 has joined #nixos-security
sphalerite has joined #nixos-security
<samueldr>
that's the kind of things a PHB will need to see fulfilled to even consider a distro :/
<gchristensen>
right
<gchristensen>
especially PHBs inside of WRI (well regulated industries)
<samueldr>
a friend of mine had to reduce the security of his server by going through a checklist as mandated in the contract
<gchristensen>
well, let's not do that
<samueldr>
s/his server/his client's server/
<samueldr>
checklist-driven-security is an antipattern :/
andi- has joined #nixos-security
<gchristensen>
the thing about almost all of these checklists is they have a override provision
<samueldr>
at one time PCI-DSS (iirc it's the one) recommended a maximum for passwords, and a limited subset of characters, with combinations that reduced entropy :/
<gchristensen>
so he probably could have written an explainer as to why it was the way it was and moved on
<samueldr>
possibly, I'm not an expert (and neither is he actually lol)
<gchristensen>
samueldr: yeah, but no PCI-compliant company has ever been hacked!
<gchristensen>
(this is a joke)
<samueldr>
I know :D
<gchristensen>
(no company is 100% PCI compliant, see: overrides)
<samueldr>
I'm curious if the benchmark tool can even withstand the force that is a non-FHS distro
kgz has quit [Ping timeout: 250 seconds]
<gchristensen>
good question
<gchristensen>
y'all want to see the CIS report I have
<samueldr>
ah, it's a manual thing, I thought it was a tool that spit out a report
<gchristensen>
nah
<gchristensen>
they have to sell that part!
<samueldr>
>> ensure mounting of FAT filesystems is disabled
<samueldr>
>> Disabling the vfat module can prevent boot on UEFI systems
<samueldr>
>> Ensure separate partition exists for /home
<samueldr>
they wouldn't like my lack of /home :)
<gchristensen>
they might *love* it!
<samueldr>
>> 1.7 Warning Banners
<gchristensen>
Run the following command and verify Uid and Gid are both 0/root and Access is 644:
<gchristensen>
hrmmmm
<gchristensen>
uh oh, mine is 0777 ;)
<gchristensen>
(symlink)
kgz has joined #nixos-security
<fpletz>
Ensure IPv6 is disabled
<gchristensen>
it does say only if ipv6 isn't used
<gchristensen>
in which case it does make sense to disable it
<fpletz>
ah, on top
<gchristensen>
there is _some_ good stuff here, they're not totally idiots :P
<gchristensen>
Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
<gchristensen>
we're one of the few distros that knocks that out of the park by default
<fpletz>
yeah, but we don't really support selinux or apparmor :)
<samueldr>
yeah, that list looks pretty much like the other list I was exposed to
<samueldr>
(maybe it is?)
<gchristensen>
it is true
<samueldr>
the MAC thing is something that may help reach more businessy phb type decision making?
<gchristensen>
might be some interesting auto-generation abilities here
<samueldr>
I wonder if NixOS has some features that would make MAC less painful?
<gchristensen>
grant read to anything in the nix closure, write to a few specific paths
<gchristensen>
yeah!!
<gchristensen>
oh man!
<gchristensen>
you could generate an selinux profile for nginx based on the vhost abstractions already existing + the closure
<fpletz>
probably yes but selinux might be a pain because we can't have selinux labels in the nix store, right?
<gchristensen>
ahh maybe so
<fpletz>
that's done via extended attributes iirc (but I don't have much selinux experience)
<gchristensen>
SELinux attaches labels to all files, processes and objects and is therefore very flexible. AppArmor on the other hand works using file paths and its configuration can be easily adapted.
<fpletz>
yup, apparmor might be better suited for our mac needs :)
<gchristensen>
we might stretch apparmor by loading in a profile for a zillion binaries
<gchristensen>
something to play with once I've got my r13y.com generator working again.
<ekleog>
Worst case we can “just” allow read-only access to the whole nix store instead of only to deps
<fpletz>
we could also wrap every binary with systemd-run for isolation :>
<gchristensen>
now we're cooking with gas
<ekleog>
and next step we're doing objcap-linux
<ekleog>
and then nixos-on-seL4
<gchristensen>
we have some hot stuff here, no reason to be afraid
<pie__>
yes please lol <ekleog> and then nixos-on-seL4
<pie__>
a probably reasonable friend told me microkernels for desktop fail because of performance reasons
<pie__>
I'm not entirely convinced but I now have a google search sitting there waiting for me to actually look at the results >_>
* pie__
wants all the nice things
<ekleog>
Microkernels for desktop have never actually been attempted
<ekleog>
that I know of*
<ekleog>
if microkernels had the same context-switch performance Linux has, it'd definitely be true, but they're much more optimized for this than Linux is (because they do only this)
sphalerite has quit [Ping timeout: 240 seconds]
<ekleog>
So there probably will be a performance impact of a microkernel compared to a similarly-well-designed monolith, but I'm relatively sure that 1. it's negligible for quite a lot of use cases (as soon as you do computation you're no longer speaking with the kernel anyway) and 2. it forces a clean design, meaning fewer bugs
sphalerite_ has joined #nixos-security
<gchristensen>
you show me software, I'll show you a way to violate #2
<ekleog>
ok right, should have said “encourages”
<pie__>
ekleog, also maybe hardware arches are optimized for monokernels
<ekleog>
you _can_ write a monolith kernel in seL4's boot task (taking here “kernel” as “hardware abstraction layer”, not as “ring0 thing”)
<ekleog>
pie__: I don't know of any benchmark showing this, but I do know of microbenchmarks showing context switch performance between the L4 family and Linux
<ekleog>
the issue is that basically microkernels don't have a rich enough ecosystem yet to be able to compare actually useful things when using them as kernels
<ekleog>
(ISTR there was some phone that ran on top of a hypervisor built using some L4 kernel, at some point, though)
<pie__>
hm.
<pie__>
I mean you'd probably want context much more granular than "entire os" + kernel