[Nix-dev] New NixOS module: grsecurity

Raahul Kumar raahul.kumar at gmail.com
Mon Apr 14 07:40:10 CEST 2014


Hey Austin,

Do we still need SElinux with Grsecurity? If we want to harden Nixos, what
is our best bet right now?

Aloha,
RK.


On Sun, Apr 13, 2014 at 3:20 AM, Austin Seipp <aseipp at pobox.com> wrote:

> Hello all,
>
> (Sending to nix-dev as I imagine several users might be interested).
>
> As of nixpkgs commit 172dc1336f108ee8, there is a new NixOS module
> which greatly enhances support for the grsecurity project*. This is a
> significant upgrade of the existing support (which was mostly just
> kernel packages), and makes usage far easier and less error prone to
> configure.
>
> You can enable it by just specifying which kernel you want (stable,
> stable+vserver patches, or testing), and the system configuration
> (desktop or server):
>
>         security.grsecurity.enable          = true;
>         security.grsecurity.testing         = true;      # testing 3.13 kernel
>         security.grsecurity.config.system   = "desktop"; # or "server"
>
> This defaults to high-security enhancements, and auto-selects all the
> appropriate configuration options and enabled protections. This
> implies no virtualisation support, which is needed for all your
> expected software functionality to work properly. For example, to
> enable KVM support:
>
>         security.grsecurity.enable = true;
>         security.grsecurity.stable = true; # enable stable 3.2 kernel
>         security.grsecurity.config = {
>           system   = "server";
>           priority = "security";
>           virtualisationConfig   = "host";
>           virtualisationSoftware = "kvm";
>           hardwareVirtualisation = true;
>         };
>
> You can also use the 'custom' grsecurity configuration, in combination
> with custom kernel options. See the options 'security.grsecurity.mode'
> and 'security.grsecurity.config.kernelExtraConfig' for more
> information.
>
> At the moment, Hydra will not build packages for your grsec kernel. If
> you enable it, you'll have to build it yourself. In the future, I hope
> to alleviate this (perhaps by providing binary packages for
> 'pre-canned' automatic configurations).
>
> At the moment, gradm's learning mode is broken, so be careful playing
> with it. I hope to fix this soon.
>
> I've been using this module with NixOps and deploying to multiple
> Hetzner servers successfully for a month or two. (I suspect EC2 should
> work fine as well).
>
> Please do try it out - and be sure to keep a backup system
> configuration for now, just in case something goes wrong.
>
> Thanks to Ricardo Correia for review and feedback.
>
> ---------------------------------
>
> * For those who aren't familiar - quoting https://grsecurity.net
>
> "Grsecurity is an extensive security enhancement to the Linux kernel,
> touching nearly 2000 files and composed of over 60,000 lines of
> changes. It has been actively developed and maintained for the past 13
> years. Grsecurity defends against a wide range of security threats
> through intelligent access control, memory corruption-based exploit
> prevention, and a host of other system hardening that generally
> require no configuration."
>
> --
> Regards,
> Austin - PGP: 4096R/0x91384671
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
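As an added example (not part of either message in this thread, and not code from the NixOS module itself): the announcement mentions deploying the module to several servers with NixOps, so this is a NixOps network expression that applies the options named above to two hosts with different profiles. It assumes a `deployment.targetEnv = "none"` target reachable over SSH; the host names and addresses are placeholders, and the grouping into a shared `grsecBase` module is this example's own structure.

```nix
# Added example, not from the announcement: a NixOps network expression
# applying the grsecurity module to two hosts with different profiles.
# Host names, addresses and the deployment target are placeholders.
let
  # Settings every machine shares: the stable 3.2 grsec kernel, with the
  # module's automatic configuration tuned for servers and for security
  # over performance (option names as given in the announcement).
  grsecBase = {
    security.grsecurity.enable = true;
    security.grsecurity.stable = true;   # exactly one of stable / testing
    security.grsecurity.config.system   = "server";
    security.grsecurity.config.priority = "security";
  };
in
{
  network.description = "grsec-hardened hosts (example)";

  # A plain server: the automatic configuration leaves virtualisation
  # off, which is the most restrictive choice and is fine for a host
  # that runs no VMs.
  edge = { config, pkgs, ... }: {
    imports = [ grsecBase ];
    deployment.targetEnv  = "none";
    deployment.targetHost = "203.0.113.10";   # placeholder (TEST-NET-3)
  };

  # A KVM host: virtualisation has to be requested explicitly, otherwise
  # the auto-configuration strips the kernel support KVM relies on.
  kvmhost = { config, pkgs, ... }: {
    imports = [ grsecBase ];
    deployment.targetEnv  = "none";
    deployment.targetHost = "203.0.113.11";   # placeholder (TEST-NET-3)

    security.grsecurity.config = {
      virtualisationConfig   = "host";
      virtualisationSoftware = "kvm";
      hardwareVirtualisation = true;
    };
  };
}
```

Deploy with `nixops create ./network.nix -d grsec` followed by `nixops deploy -d grsec`. Because Hydra does not build the grsec kernel, the first deploy compiles it locally; the previous NixOS generation stays selectable in the bootloader, which gives the fallback the announcement asks you to keep.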