Corporate endpoint security?

I am working at a small company that has until now allowed me to do whatever I want with my PC and its OS. They are now requiring that everyone install Bitdefender. I tried my darnedest to get Bitdefender packaged for NixOS, but I think it’s probably impossible.

As for alternatives, I see ClamAV is available for NixOS, but it’s not exactly a comprehensive endpoint security solution.

Has anyone else gotten over this hurdle, using some other endpoint security suite?

2 Likes

It’s not impossible, but not easy. Did you try jailing it in an FHS container and limiting its CPU so that it can scan that container until death?

2 Likes

Lol I have considered the “boxed” approach, although I feel like it’s kind of dishonest.

2 Likes

Why? If you cannot compile an application from the sources, it’s one of the few ways you can follow to package it… maybe the other is using patchelf wisely?

2 Likes

If it’s boxed and can’t scan the whole system, then it’s not really doing what my employer thinks it’s doing.

I have patchelfed the installation binaries you download (bdconfigure32/64), but the installation script then wants to go off and download more proprietary packages based on your distro, using either yum or apt-get or rpm or zypper. Maybe I could try to figure out how to obtain and use those binaries? But it looks like a giant pain, and not guaranteed to work even if I did all the work to package it.

2 Likes

I think another way could be to work with the deb package as the “source”… I see an Ubuntu install guide here; from that it’s simple to get the URL of the .deb you need, and then you can extract the application directly from it and do the ELF patching on the real app, instead of the installer. Unfortunately I don’t have much experience with packaging that way…

2 Likes

There are other apps that use the .deb as the source, like https://github.com/NixOS/nixpkgs/blob/20dc478985d6545df53f0153f4af125eb014083d/pkgs/applications/audio/bitwig-studio/bitwig-studio4.nix#L12 … you may look there for inspiration :wink:

2 Likes

That’s solid advice! I will look into that if they won’t let me get away with ClamAV

2 Likes

Thank you for helping me out

2 Likes

I suggest having a look at dropbox - it runs a bootstrapper in an FHS environment and then updates itself.

3 Likes

dream2nix seems to have grown a “debian” subsystem as well that might work, but psshhh, it’s not documented yet so we probably shouldn’t know about it.

3 Likes

@WhittlesJr -
I am in pretty much exactly this situation - trying to get Bitdefender going on NixOS so I can deploy it on the corporate network. Curious if you got this resolved ever, and if you would be open to sharing code (I understand if this is not possible due to corporate policy or whatever).
If I can get this going, Nix would be an option for a number of projects on our network, so I’m certainly hoping for some kind of resolution!
Thanks, and anyone else can feel free to chime in as well with input.

Not an immediate solution, but if you’re able to fund work on this, numtide recently launched a project to help people in exactly your situation: Beta launch: Nix packaging as a service

1 Like

Thanks, definitely a good tool to have in the tool bag.

Stuck at this same issue, I found this page at Bitdefender that suggests you can run one of their Security Containers and mount the host fs in for scanning. Will report success or failure soon.

1 Like

Hey guys, I’d still love to see this packaged proper. For now, I’ve been given a pass by the compliance department by running the docker container, although they can’t see my instance talking to the mothership. The logs also don’t show much activity except for a single line with my HWID. For reference, I’m running the following:

docker run \
  --privileged \
  -d \
  -e "BSC_SERVER=https://cloud-ecs.gravityzone.bitdefender.com/hydra" \
  -e "BSC_COMPANY=<my company id>" \
  -v /mnt/data:/data \
  -v /sys:/mnt/host-sys \
  -v /proc:/mnt/host-proc \
  -v /etc/os-release:/mnt/host-os-release \
  -v /:/mnt/host \
  --pid host \
  --net host \
  -u :10000 \
  --name=BSC \
  bdfbusiness/bitdefender-security-container:7.0

I do see stuff related to “bd” going on in /mnt/data, so, maybe it’s working?

2 Likes
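An added example, not part of the original post or of any Bitdefender tooling: one way to check from `docker inspect` output whether a container started with the flags above can see the whole host (the coverage concern raised earlier in the thread) and what host access it holds in return. The sample JSON is constructed to match those flags, and the function name is hypothetical.

```python
import json

# Constructed sample: trimmed `docker inspect BSC` output matching the flags in
# the post above (illustrative values, not captured from a real host).
SAMPLE_INSPECT = json.loads("""
[{"Name": "/BSC",
  "State": {"Running": true},
  "HostConfig": {"Privileged": true, "PidMode": "host", "NetworkMode": "host"},
  "Mounts": [
    {"Type": "bind", "Source": "/mnt/data", "Destination": "/data", "RW": true},
    {"Type": "bind", "Source": "/sys", "Destination": "/mnt/host-sys", "RW": true},
    {"Type": "bind", "Source": "/proc", "Destination": "/mnt/host-proc", "RW": true},
    {"Type": "bind", "Source": "/etc/os-release", "Destination": "/mnt/host-os-release", "RW": true},
    {"Type": "bind", "Source": "/", "Destination": "/mnt/host", "RW": true}
  ]}]
""")

def audit_scanner_container(inspect_doc):
    """Return (coverage_gaps, exposure_notes) for the first inspected container."""
    c = inspect_doc[0]
    host_cfg, mounts = c["HostConfig"], c.get("Mounts", [])
    gaps, exposure = [], []
    if not c["State"].get("Running"):
        gaps.append("container is not running")
    # Without the host root bind mount the scanner only sees its own filesystem.
    if not any(m["Source"] == "/" for m in mounts):
        gaps.append("host / is not mounted, so only part of the system is visible")
    if host_cfg.get("PidMode") != "host":
        gaps.append("no host PID namespace, so host processes are invisible")
    # The other side of full coverage: what the container could change on the host.
    if host_cfg.get("Privileged"):
        exposure.append("privileged: container has full device and capability access")
    for m in mounts:
        if m.get("RW") and m["Source"] in ("/", "/sys", "/proc"):
            exposure.append(f"{m['Source']} is mounted read-write at {m['Destination']}")
    return gaps, exposure
```

On a real host, feed it `json.loads()` of the output of `docker inspect BSC`.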

Did you ever try this?

Unfortunately I didn’t get the chance and don’t work with it anymore

Ok, no worries. I’m just digging into this again, so wanted to see if you’d made progress.

Posting my current config here - it’s far from ideal as I’m hardcoding the path to a downloaded deb file. It’s also not building properly - I keep getting dependency issues related to the openssl version being out of date, with errors such as

auto-patchelf could not satisfy dependency libssl.so.1.0.0 wanted by /nix/store/q82gc67bzq9mry03ra0aihh94vymdfx6-bitdefender-endpoint-security-tools-7.1.1.200141/opt/bitdefender-security-tools/lib/patchmanagement/sles12/libIxpPatch.so.2.3.0

{ lib
, pkgs
, stdenv
, dpkg
, fetchurl
, makeWrapper
, autoPatchelfHook
, libxml2
, zlib
, gcc
, glibc
, libcxx
, libgcc
, audit
, libgcrypt
}:

stdenv.mkDerivation rec {
  pname = "bitdefender-endpoint-security-tools";
  version = "7.1.1.200141";

  # openssl_1_1 ships libssl.so.1.1, not the libssl.so.1.0.0 soname named in the error above
  openssl = pkgs.openssl_1_1; # Specify the correct version here

  src = fetchurl {
    url = "file://${/path/to/config/nixos-config/pkgs/bitdefender/src/bitdefender-security-tools_${version}_amd64.deb}";
    sha256 = "a8ba0225f2ee342e1f0ed41772eb0d53c8a3caffe419138fe0a2b029171a4a58";
  };

  nativeBuildInputs = [
    dpkg
    makeWrapper
    autoPatchelfHook
  ];

  buildInputs = [
    stdenv.cc.cc.lib
    libxml2
    openssl
    zlib
    gcc
    glibc
    libcxx
    libgcc
    audit
    libgcrypt
  ];

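  # Note: NIXPKGS_ALLOW_INSECURE is read when nixpkgs is evaluated, so exporting
  # it inside the build has no effect on whether an insecure package is allowed.
  preBuild = ''
    export NIXPKGS_ALLOW_INSECURE=1
  '';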

  unpackPhase = ''
    dpkg-deb -x $src $out
    dpkg-deb -e $src $out/DEBIAN
  '';

  # Commented out installPhase as it's not necessary
  /*
  installPhase = ''
    mkdir -p $out
    cp -r $out/opt $out/
  '';
  */

  postFixup = ''
    # Manually patch libraries and ELF executables ONLY, EXCLUDING /bin
    for libfile in $out/opt/bitdefender-security-tools/lib/*.so*; do
      echo "Processing $libfile"
      if file "$libfile" | grep -q "ELF"; then
         echo "...Patching"
         patchelf --set-rpath "${lib.makeLibraryPath buildInputs}:$out/lib:$out/lib64:$out/opt/bitdefender-security-tools/lib" "$libfile"
      fi
    done

    # Manually set RPATH for binaries and libraries with missing dependencies
    for bin in $out/opt/bitdefender-security-tools/bin/* $out/opt/bitdefender-security-tools/lib/*.so*; do
      if file "$bin" | grep -q "ELF"; then
        echo "Setting RPATH for $bin"
        patchelf --set-rpath "${lib.makeLibraryPath buildInputs}:$out/lib:$out/lib64:$out/opt/bitdefender-security-tools/lib" "$bin"
      fi
    done
  '';

  meta = with lib; {
    description = "Bitdefender Endpoint Security Tools for Linux";
    homepage = "https://www.bitdefender.com/business/enterprise-products/endpoint-security.html";
    platforms = [ "x86_64-linux" ];
    maintainers = with maintainers; [ "User Name" ];
  };
}
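An added example, not code from the post or from nixpkgs: a small parser for the `auto-patchelf could not satisfy dependency … wanted by …` lines quoted above, grouping unresolved sonames by the files that need them. `libssl.so.1.0.0` is the OpenSSL 1.0.x soname, while `openssl_1_1` provides `libssl.so.1.1`, so the build error is a soname mismatch. The log excerpt is constructed (store hash replaced by a placeholder, second and third lines invented), and the `/patchmanagement/` marker for per-distro modules is an assumption drawn from the path in the error.

```python
import re
from collections import defaultdict

# Constructed build-log excerpt. The first line has the shape of the error quoted
# in the post (store hash replaced by a placeholder); the other two are invented.
PREFIX = "/nix/store/<hash>-bitdefender-endpoint-security-tools-7.1.1.200141"
SAMPLE_LOG = f"""\
auto-patchelf could not satisfy dependency libssl.so.1.0.0 wanted by {PREFIX}/opt/bitdefender-security-tools/lib/patchmanagement/sles12/libIxpPatch.so.2.3.0
auto-patchelf could not satisfy dependency libcrypto.so.1.0.0 wanted by {PREFIX}/opt/bitdefender-security-tools/lib/patchmanagement/sles12/libIxpPatch.so.2.3.0
auto-patchelf could not satisfy dependency libexample.so.3 wanted by {PREFIX}/opt/bitdefender-security-tools/bin/example-daemon
"""

LINE = re.compile(r"could not satisfy dependency (\S+) wanted by (\S+)")
STORE = re.compile(r"^/nix/store/[^/]+/")  # strip the store prefix for readability

def missing_deps(log_text):
    """Map each unresolved soname to the sorted package-relative files needing it."""
    wanted = defaultdict(set)
    for soname, path in LINE.findall(log_text):
        wanted[soname].add(STORE.sub("", path))
    return {so: sorted(files) for so, files in wanted.items()}

def legacy_openssl(deps):
    """Sonames from the OpenSSL 1.0.x ABI, which libssl.so.1.1 cannot satisfy."""
    pattern = r"lib(ssl|crypto)\.so\.1\.0\.\d+"
    return sorted(so for so in deps if re.fullmatch(pattern, so))

def distro_specific(deps, marker="/patchmanagement/"):
    """Sonames wanted only by files under a per-distro directory (marker is assumed)."""
    return sorted(so for so, files in deps.items() if all(marker in f for f in files))
```

Sonames that only per-distro modules want are candidates for the hook's `autoPatchelfIgnoreMissingDeps` list, provided the module that needs them is not one the compliance requirement depends on.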