diff options
| author | Austin Seipp <aseipp@pobox.com> | 2014-04-06 14:18:12 -0500 |
|---|---|---|
| committer | Austin Seipp <aseipp@pobox.com> | 2014-04-11 22:43:51 -0500 |
| commit | 172dc1336f108ee81b0f5f8b9be3d27706b1c032 (patch) | |
| tree | b9d98f3710365ea9fdc6e57ae00f9ef1cdac2a95 /nixos/modules/config/users-groups.nix | |
| parent | cf24cf1184ad6fc62292b9668c836e5a1435902c (diff) | |
nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.
- New security.grsecurity NixOS attributes.
- All grsec kernels supported
- Allows default 'auto' grsec configuration, or custom config
- Supports custom kernel options through kernelExtraConfig
- Defaults to high-security - user must choose kernel, server/desktop
mode, and any virtualisation software. That's all.
- kptr_restrict is fixed under grsecurity (it's unwriteable)
- grsecurity patch creation is now significantly abstracted
- only need revision, version, and SHA1
- kernel version requirements are asserted for sanity
- built kernels can have the uname specify the exact grsec version
for development or bug reports. Off by default (requires
`security.grsecurity.config.verboseVersion = true;`)
- grsecurity sysctl support
- By default, disabled.
- For people who enable it, NixOS deploys a 'grsec-lock' systemd
service which runs at startup. You are expected to configure sysctl
through NixOS like you regularly would, which will occur before the
service is started. As a result, changing sysctl settings requires
a reboot.
- New default group: 'grsecurity'
- Root is a member by default
- GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
making it possible to easily add users to this group for /proc
access
- AppArmor is now automatically enabled where it wasn't before, despite
implying features.apparmor = true
The most trivial example of enabling grsecurity in your kernel is by
specifying:
security.grsecurity.enable = true;
security.grsecurity.testing = true; # testing 3.13 kernel
security.grsecurity.config.system = "desktop"; # or "server"
This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:
security.grsecurity.enable = true;
security.grsecurity.stable = true; # enable stable 3.2 kernel
security.grsecurity.config = {
system = "server";
priority = "security";
virtualisationConfig = "host";
virtualisationSoftware = "kvm";
hardwareVirtualisation = true;
}
This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
Diffstat (limited to 'nixos/modules/config/users-groups.nix')
| -rw-r--r-- | nixos/modules/config/users-groups.nix | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index 061f51ccda7b..c27a94a22d58 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -392,6 +392,7 @@ in { home = "/root"; shell = cfg.defaultUserShell; group = "root"; + extraGroups = [ "grsecurity" ]; hashedPassword = mkDefault config.security.initialRootPassword; }; nobody = { @@ -420,6 +421,7 @@ in { nixbld.gid = ids.gids.nixbld; utmp.gid = ids.gids.utmp; adm.gid = ids.gids.adm; + grsecurity.gid = ids.gids.grsecurity; }; system.activationScripts.users = |