NixOS in CIS benchmark Level 1


#1

Hey,

Has anyone tried checking whether NixOS passed CIS benchmark level 1 for servers?

It’s a requirement for my company to use an OS on our hosts, so I was wondering whether someone had already attempted this.

If not, I’m going to spend some time doing it. I’m probably going to edit a module cis-hardened.nix that can be included to a config to be compliant.

Here’s a linux “distribution independent” list of checks:


#2

Your PDF link requires authentication.


#3

https://github.com/cismirror/benchmarks/raw/master/CIS_Distribution_Independent_Linux_Benchmark_v1.1.0.pdf should be the same document.


#4

Seems like a big checklist to go over. But generally speaking almost all of those points should be passing if your configuration.nix specifies it according to the document.


#5

Where it makes sense to you should consider trying to get these settings as new defaults in NixOS.


#6

@eeva, by default, no. But you have a much better chance to reproduce passing the benchmark and distributing it with NixOS. I would be interesting to have it as a module and provide some additional assurances.


#7

I would consider creating a nixos test that basically checks all the boxes if possible. Not sure how feasible it is for some of the requirements tho…


#8

I have this on my todo list for ~2 years by now :sob:
I might not find the time to help considerable in the near future but I will at least find the time for a quick review if that helps.


#9

My bad, was tired yesterday apparently. Fixed.


#10

Hi @eeva did you end up starting this work? If so, is there a public repo? I’m curious on tracking progress if you are.

Thanks!


#11

Hi there,

Well, I did some preliminary work yes, but I won’t be continuing this until this summer for several reasons:

  • NixOS already has AppArmor support
  • SELinux support is being worked on (or at least there are plans to add it to NixOS)
  • The benchmark is a moving target, I got a XML document with the tests that I could adapt manually, but that’s wasted work if this needs to be (re)done every 2-3 months. It’s better to come up with a program that can read the tests and run them straight. It might not be legal.

So in short, priority for this has decreased while complexity increased. I’ll explore this once again during the summer (I may have less priority work to do).


#12

Thanks for the update!