
Re: What are you using to harden your Guix System?


From: luhux
Subject: Re: What are you using to harden your Guix System?
Date: Tue, 20 Oct 2020 12:18:43 +0000

On Tue, Oct 20, 2020 at 09:43:33AM +0000, jbranso@dismail.de wrote:
> I'm using sway instead of X.  Does that count?
> 
> Though I'm still using X for Emacs....
> 
> It would be great to add a cookbook page about how to harden guix!
> 
> Thanks,
> 
> Joshua
Thank you for your suggestion. I will try to find a suitable alternative under 
wayland.

Switching from X to wayland is a bit difficult for me, because I did not find 
an alternative to 'cwm' under wayland.

A hardening cookbook is a good idea; if you find a cookbook or create one, please let 
me know.

Before creating the cookbook, everyone can use this mail as a place to discuss 
hardening. Let me share:

* Except for the partition where grub or efi is stored, let the other partitions be 
encrypted with luks (thanks to grub, it can mount a partition encrypted by 
luks, and then load the kernel to boot)

* Use `guix environment --container` to containerize some programs to make the 
system more secure.

* For programs that are not very trusted or run by root, or programs for 
testing, use `guix system container` to build them and start them

* Use iptables or nftables to build firewall rules

* When using docker, disable the iptables rules automatically built by docker, 
and then decide docker's network access by yourself (using iptables or 
nftables):

===============================================

(service docker-service-type
         (docker-configuration
          (enable-iptables? #f)))

===============================================

* On the public network server, I closed icmp, closed the ssh port, and then 
used wireguard to access it.


* In ~/.ssh/rc I wrote a script to automatically send an email in the background after 
signing in successfully (although pam_exec can be used to do it, and it 
can do better, but I don't know pam too much)


* Use programs with not a lot of code, but reliable ones, such as (suckless st, 
cwm, password-store, libressl)


Thanks

luhux
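The following operating-system fragment is an added example, not code from the mail above or from the Guix project; it pulls several of the points in the list into one place: a LUKS-mapped root next to an unencrypted EFI partition, Docker with its own iptables management turned off, and an nftables ruleset that drops ICMP and the public SSH port while letting SSH in only over the WireGuard interface. The UUID, the peer public key and the addresses are placeholders; the Docker bridge subnet 172.17.0.0/16 is Docker's default and is an assumption here; the ruleset drops all ICMP as the mail describes, which on IPv6 also drops neighbor discovery, so an IPv6 host would need to accept icmpv6 explicitly.

```scheme
;; Added example (not from the original mail). Assumes the service types
;; shipped in (gnu services docker), (gnu services networking),
;; (gnu services vpn) and (gnu services ssh) in current Guix.
(use-modules (gnu)
             (gnu services docker)
             (gnu services networking)
             (gnu services vpn)
             (gnu services ssh))

;; Firewall ruleset handed to nftables-service-type. Constructed for this
;; example: ICMP and the public SSH port are closed, SSH is reachable only
;; through the WireGuard interface, and Docker's forwarding/NAT is decided
;; here rather than by Docker's own iptables rules.
(define %hardened-ruleset
  (plain-file "nftables.conf" "
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    # WireGuard handshakes from the public network (placeholder port 51820)
    udp dport 51820 accept
    # SSH only from inside the tunnel; no rule for tcp/22 on the public side
    iifname \"wg0\" tcp dport 22 accept
    # No icmp/icmpv6 accept rule: ICMP is dropped by the policy
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # Containers on the default bridge may open outbound connections only
    iifname \"docker0\" oifname != \"docker0\" ct state new accept
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
table ip nat {
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    # Assumed Docker default bridge subnet
    ip saddr 172.17.0.0/16 oifname != \"docker0\" masquerade
  }
}
"))

(operating-system
  (host-name "hardened-box")          ; placeholder
  (timezone "UTC")
  (locale "en_US.utf8")

  ;; Only the EFI system partition stays unencrypted; GRUB unlocks the
  ;; LUKS container and loads the kernel from it.
  (bootloader (bootloader-configuration
               (bootloader grub-efi-bootloader)
               (targets '("/boot/efi"))))

  (mapped-devices
   (list (mapped-device
          (source (uuid "00000000-0000-0000-0000-000000000000")) ; placeholder
          (target "cryptroot")
          (type luks-device-mapping))))

  (file-systems
   (cons* (file-system
            (mount-point "/")
            (device "/dev/mapper/cryptroot")
            (type "ext4")
            (dependencies mapped-devices))
          (file-system
            (mount-point "/boot/efi")
            (device (uuid "1234-ABCD" 'fat)) ; placeholder
            (type "vfat"))
          %base-file-systems))

  (services
   (append
    (list
     ;; Docker must not rewrite the firewall; the ruleset above owns it.
     (service docker-service-type
              (docker-configuration
               (enable-iptables? #f)))
     (service nftables-service-type
              (nftables-configuration
               (ruleset %hardened-ruleset)))
     ;; Management tunnel; SSH is reached through wg0 only.
     (service wireguard-service-type
              (wireguard-configuration
               (addresses '("10.0.0.1/24"))       ; placeholder tunnel address
               (port 51820)
               (peers (list (wireguard-peer
                             (name "admin-laptop")
                             (public-key "<PEER-PUBLIC-KEY>") ; placeholder
                             (allowed-ips '("10.0.0.2/32")))))))
     (service openssh-service-type
              (openssh-configuration
               (permit-root-login #f)
               (password-authentication? #f))))
    %base-services)))
```

The sense in which this is "closing the ssh port" is that no rule accepts tcp/22 from the public interface; sshd still listens, but only traffic arriving on wg0 reaches it, so a lost WireGuard key or a broken tunnel also locks out the administrator, which is the trade-off to plan for before reconfiguring a remote machine.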