[Nix-dev] New NixOS module: grsecurity

Austin Seipp aseipp at pobox.com
Sat Apr 12 19:20:39 CEST 2014


Hello all,

(Sending to nix-dev as I imagine several users might be interested).

As of nixpkgs commit 172dc1336f108ee8, there is a new NixOS module
which greatly enhances support for the grsecurity project*. This is a
significant upgrade of the existing support (which was mostly just
kernel packages), and makes usage far easier and less error prone to
configure.

You can enable it by just specifying which kernel you want (stable,
stable+vserver patches, or testing), and the system configuration
(desktop or server):

        security.grsecurity.enable          = true;
        security.grsecurity.testing         = true;      # testing 3.13 kernel
        security.grsecurity.config.system   = "desktop"; # or "server"

This defaults to high-security enhancements, and auto-selects all the
appropriate configuration options and enabled protections. This
implies no virtualisation support, which is needed for all your
expected software functionality to work properly. For example, to
enable KVM support:

        security.grsecurity.enable = true;
        security.grsecurity.stable = true; # enable stable 3.2 kernel
        security.grsecurity.config = {
          system   = "server";
          priority = "security";
          virtualisationConfig   = "host";
          virtualisationSoftware = "kvm";
          hardwareVirtualisation = true;
        };

You can also use the 'custom' grsecurity configuration, in combination
with custom kernel options. See the options 'security.grsecurity.mode'
and 'security.grsecurity.config.kernelExtraConfig' for more
information.
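As an added example (not from the post above), a configuration.nix fragment that uses the 'custom' mode mentioned in the previous paragraph. The option names security.grsecurity.mode and security.grsecurity.config.kernelExtraConfig come from the post; the mode value "custom" and the kernel config fragment syntax (NixOS kernel extraConfig style, symbol then value, without the CONFIG_ prefix) are assumptions, and the GRKERNSEC/PAX symbols are standard grsecurity Kconfig options chosen here purely for illustration.

```nix
# Added example, not part of the announcement or the nixpkgs module itself.
# Assumes: mode accepts "custom" (the post names the 'custom' configuration),
# and kernelExtraConfig takes a kernel config fragment in NixOS extraConfig
# style ("SYMBOL value" per line, no CONFIG_ prefix).
{ config, pkgs, ... }:

{
  security.grsecurity = {
    enable = true;
    stable = true;        # stable 3.2 kernel, as in the KVM example
    mode   = "custom";    # hand-picked options instead of the auto-selected set

    config.kernelExtraConfig = ''
      # Example hardening symbols (standard grsecurity/PaX Kconfig names):
      GRKERNSEC_PROC_USER y        # /proc restricted to the owning user
      GRKERNSEC_SYSFS_RESTRICT y   # hide /sys from unprivileged users
      GRKERNSEC_DMESG y            # dmesg restricted to root
      PAX_USERCOPY y               # bounds-check copy_to/from_user
    '';
  };
}
```

Keep the previous working generation selectable from the boot menu before switching, since a kernel built from a custom fragment is the configuration most likely to fail to boot.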

At the moment, Hydra will not build packages for your grsec kernel. If
you enable it, you'll have to build it yourself. In the future, I hope
to alleviate this (perhaps by providing binary packages for
'pre-canned' automatic configurations).

At the moment, gradm's learning mode is broken, so be careful playing
with it. I hope to fix this soon.

I've been using this module with NixOps and deploying to multiple
Hetzner servers successfully for a month or two. (I suspect EC2 should
work fine as well).

Please do try it out - and be sure to keep a backup system
configuration for now, just in case something goes wrong.

Thanks to Ricardo Correia for review and feedback.

---------------------------------

* For those who aren't familiar - quoting https://grsecurity.net

"Grsecurity is an extensive security enhancement to the Linux kernel,
touching nearly 2000 files and composed of over 60,000 lines of
changes. It has been actively developed and maintained for the past 13
years. Grsecurity defends against a wide range of security threats
through intelligent access control, memory corruption-based exploit
prevention, and a host of other system hardening that generally
require no configuration."

-- 
Regards,
Austin - PGP: 4096R/0x91384671

