Compliance Standard Checking

Has anyone checked against security standards etc. for NixOS?

I imagine NixOS simplifies it a lot seeing as the configuration can be easily read, reproduced, checked etc…

I don’t think so.

What standards would you like to see checked and where is that needed?

2 Likes

For example, my employer (v large company) has internal security standards, which tell you how to configure things (e.g. firewalls) and example checks which tell you what the system state should look like at the end (e.g. how IP tables should look) etc.

Basically a configuration checklist and list of tests, which from my POV is something NixOS is v suitable for.

This is one of the things that keep me from deploying Nix at the company level, although I have been able to use it there for some ancillary roles. It’d be nice if there was support from third party tools, or something that can be used for confirming a security posture. I’m thinking of things like OpenSCAP, CIS benchmarks, etc…

2 Likes

That’s exactly where I’m at. It would be much easier than making a copy of Rocky. I noticed there is a hardened config, but I want to be confident that it complies with CIS Level 2. Benchmarking tools make this easy. I suppose I could manually install OpenSCAP, but I’m not sure if it’s going to be compatible.

1 Like
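As an added example (not posted by anyone in this thread), here is one way to encode the "configuration checklist plus list of tests" idea from the posts above in NixOS itself: build-time `assertions` reject a configuration that drifts from policy, and a NixOS VM test inspects the booted machine's actual iptables state. The option names are standard NixOS options; the specific policy items, the `nixos-fw` chain layout and the iptables (not nftables) backend are assumptions for illustration, not a CIS/OpenSCAP profile.

```nix
# Constructed example: a policy module with build-time checks, plus a VM
# test that verifies the resulting runtime firewall state.
{ pkgs, ... }:
let
  # Build-time checks: `nixos-rebuild` / `nix build` fails with the message
  # if the evaluated configuration violates a checklist item.
  policyModule = { config, lib, ... }: {
    assertions = [
      { assertion = config.networking.firewall.enable;
        message = "policy: host firewall must be enabled"; }
      { assertion = !config.services.openssh.settings.PasswordAuthentication;
        message = "policy: SSH password authentication must be disabled"; }
      { assertion = config.services.openssh.settings.PermitRootLogin == "no";
        message = "policy: root login over SSH must be disabled"; }
    ];
  };
in
pkgs.testers.runNixOSTest {
  name = "firewall-policy-check";

  nodes.machine = { ... }: {
    imports = [ policyModule ];
    networking.firewall.enable = true;
    networking.firewall.allowedTCPPorts = [ 22 ];   # only SSH is exposed
    services.openssh.enable = true;
    services.openssh.settings.PasswordAuthentication = false;
    services.openssh.settings.PermitRootLogin = "no";
  };

  # Runtime checks: what the system state looks like at the end, as seen by
  # iptables inside the booted VM (assumes the default iptables backend and
  # the NixOS-generated `nixos-fw` chain).
  testScript = ''
    machine.wait_for_unit("firewall.service")
    rules = machine.succeed("iptables -S nixos-fw")

    # Exactly the allowed port is accepted ...
    assert "--dport 22 -j ACCEPT" in rules, "SSH not allowed by firewall"
    # ... nothing else is, e.g. no stray accept for telnet
    assert "--dport 23 " not in rules, "unexpected telnet rule"
    # ... and the chain still falls through to the refuse handling
    assert "-j nixos-fw-log-refuse" in rules or "-j nixos-fw-refuse" in rules, \
        "firewall chain does not end in a refuse rule"
  '';
}
```

Built with `nix-build` (or wired into a flake's `checks`), the test fails the build if either the configuration or the observed iptables state violates a checklist item, which is the sort of repeatable evidence a benchmark audit asks for.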