Corporate endpoint security?

I am working at a small company that has until now allowed me to do whatever I want with my PC and its OS. They are now requiring that everyone install Bitdefender. I tried my darnedest to get Bitdefender packaged for NixOS, but I think it’s probably impossible.

As for alternatives, I see ClamAV is available for NixOS, but it’s not exactly a comprehensive endpoint security solution.

Has anyone else gotten over this hurdle, using some other endpoint security suite?

1 Like

It’s not impossible, but not easy. Did you try jailing it in an FHS container and limiting its CPU so that it can scan that container until death?

1 Like

Lol I have considered the “boxed” approach, although I feel like it’s kind of dishonest.

1 Like

Why? If you cannot compile an application from the sources, it’s one of the few ways you can follow to package it… maybe the other is using patchelf wisely?

1 Like

If it’s boxed and can’t scan the whole system, then it’s not really doing what my employer thinks it’s doing.

I have patchelfed the installation binaries you download (bdconfigure32/64), but the installation script then wants to go off and download more proprietary packages based on your distro, using either yum or apt-get or rpm or zypper. Maybe I could try to figure out how to obtain and use those binaries? But it looks like a giant pain, and not guaranteed to work even if I did all the work to package it.

1 Like

I think another way could be to work with the deb package as the “source”… I see an Ubuntu install guide here; from that it’s simple to get the URL of the .deb you need, and then you can extract the application directly from it and do the ELF patching on the real app, instead of the installer. Unfortunately I don’t have much experience with packaging that way…

1 Like

There are other apps that use the .deb as the source, like https://github.com/NixOS/nixpkgs/blob/20dc478985d6545df53f0153f4af125eb014083d/pkgs/applications/audio/bitwig-studio/bitwig-studio4.nix#L12 … you may look there for inspiration :wink:

1 Like

That’s solid advice! I will look into that if they won’t let me get away with ClamAV

1 Like

Thank you for helping me out

2 Likes

I suggest having a look at dropbox - it runs a bootstrapper in an FHS environment and then updates itself.

2 Likes

dream2nix seems to have grown a “debian” subsystem as well that might work, but psshhh, it’s not documented yet so we probably shouldn’t know about it.

2 Likes

@WhittlesJr -
I am in pretty much exactly this situation - trying to get Bitdefender going on NixOS so I can deploy it on the corporate network. Curious if you got this resolved ever, and if you would be open to sharing code (I understand if this is not possible due to corporate policy or whatever).
If I can get this going, Nix would be an option for a number of projects on our network, so I’m certainly hoping for some kind of resolution!
Thanks, and anyone else can feel free to chime in as well with input.

Not an immediate solution, but if you’re able to fund work on this, numtide recently launched a project to help people in exactly your situation: Beta launch: Nix packaging as a service

1 Like

Thanks, definitely a good tool to have in the tool bag.

Stuck at this same issue, I found this page at Bitdefender that suggests you can run one of their Security Containers and mount the host fs in for scanning. Will report success or failure soon.

1 Like

Hey guys, I’d still love to see this packaged proper. For now, I’ve been given a pass by the compliance department by running the docker container, although they can’t see my instance talking to the mothership. The logs also don’t show much activity except for a single line with my HWID. For reference, I’m running the following:

docker run \
  --privileged \
  -d \
  -e "BSC_SERVER=https://cloud-ecs.gravityzone.bitdefender.com/hydra" \
  -e "BSC_COMPANY=<my company id>" \
  -v /mnt/data:/data \
  -v /sys:/mnt/host-sys \
  -v /proc:/mnt/host-proc \
  -v /etc/os-release:/mnt/host-os-release \
  -v /:/mnt/host \
  --pid host \
  --net host \
  -u :10000 \
  --name=BSC \
  bdfbusiness/bitdefender-security-container:7.0

I do see stuff related to “bd” going on in /mnt/data, so, maybe it’s working?

2 Likes
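One way to check that a container started with the command in the post above really has the host filesystem and namespaces it needs to scan the whole system, given the JSON from `docker inspect BSC`. This is an added example, not part of the original post and not Bitdefender's own tooling; the expected mounts are copied from the posted command, and the sample input and the `audit` helper are constructed for illustration.

```python
import json

# Bind mounts taken from the docker run command in the post above (host -> container).
EXPECTED_MOUNTS = {"/": "/mnt/host", "/proc": "/mnt/host-proc", "/sys": "/mnt/host-sys",
                   "/etc/os-release": "/mnt/host-os-release", "/mnt/data": "/data"}
REQUIRED_ENV = ("BSC_SERVER", "BSC_COMPANY")

def audit(inspect_json):
    """Return (problems, exposures) for one container from `docker inspect` JSON."""
    c = json.loads(inspect_json)[0]
    host, problems, exposures = c["HostConfig"], [], []
    if not c["State"]["Running"]:
        problems.append("container is not running")
    mounts = {m["Source"]: m for m in c.get("Mounts", [])}
    for src, dst in EXPECTED_MOUNTS.items():
        m = mounts.get(src)
        if m is None or m["Destination"] != dst:
            problems.append(f"host path {src} is not mounted at {dst}")
        elif m.get("RW") and src != "/mnt/data":
            exposures.append(f"{src} is mounted read-write")
    if host.get("PidMode") != "host":
        problems.append("not in the host PID namespace")
    if host.get("NetworkMode") != "host":
        problems.append("not in the host network namespace")
    env = dict(e.split("=", 1) for e in c["Config"].get("Env", []) if "=" in e)
    for key in REQUIRED_ENV:
        if not env.get(key) or env[key].startswith("<"):
            problems.append(f"{key} is unset or still a placeholder")
    if host.get("Privileged"):
        exposures.append("container runs privileged")
    return problems, exposures

# Constructed sample: the posted command, but with the "-v /:/mnt/host" mount left out.
SAMPLE = json.dumps([{
    "State": {"Running": True},
    "Config": {"Env": ["BSC_SERVER=https://cloud-ecs.gravityzone.bitdefender.com/hydra",
                       "BSC_COMPANY=<my company id>"]},
    "HostConfig": {"Privileged": True, "PidMode": "host", "NetworkMode": "host"},
    "Mounts": [
        {"Source": "/mnt/data", "Destination": "/data", "RW": True},
        {"Source": "/proc", "Destination": "/mnt/host-proc", "RW": True},
        {"Source": "/sys", "Destination": "/mnt/host-sys", "RW": True},
        {"Source": "/etc/os-release", "Destination": "/mnt/host-os-release", "RW": True},
    ],
}])

if __name__ == "__main__":
    problems, exposures = audit(SAMPLE)
    for line in problems: print("PROBLEM:", line)
    for line in exposures: print("EXPOSURE:", line)
```

This checks configuration only; it does not show whether the agent is reporting to the management console.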

Did you ever try this?

Unfortunately I didn’t get the chance and don’t work with it anymore

Ok, no worries. I’m just digging into this again, so wanted to see if you’d made progress.