This table shows, for each systemd service in nixos, the hardening options that are configured.
The items are sorted by decreasing count of configured options, then by name.
The goal of the project is to audit the security of every systemd service in NixOS. For the moment (subject to the limits of my static analysis tool, which may miss some parts of nixpkgs), I built a list of all the systemd services defined in NixOS and automatically read the configuration of these services with respect to systemd hardening. An entry in the table is green if the service configures the option, and red otherwise.
The analysis was performed on this commit.
For now, I only target a restricted list of options (boolean options that are “well-behaved”).
This shows the options that are configured, but not necessarily secured: for instance, a service may configure PrivateNetwork, and this option then appears in green, yet it is explicitly set to false, which is also the default value. This means there may be false positives.
There may also be some false negatives: for instance, nginx does not configure
but this is expected because nginx has no reason to cut itself off from the Internet.
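To make the methodology concrete, here is an added example (not part of the original project's tooling) that classifies a service's `serviceConfig` against a restricted list of boolean hardening options, ranks services the way the table does (decreasing count of configured options, then name), and separately lists the "configured but set to false" cases that produce false positives. The option list and the service configurations are constructed assumptions, not the real nixpkgs settings.

```python
# Restricted list of boolean, "well-behaved" systemd hardening options.
# This is an assumed subset for illustration; the page does not list its exact set.
HARDENING_OPTIONS = (
    "PrivateTmp", "PrivateDevices", "PrivateNetwork", "PrivateUsers",
    "ProtectKernelTunables", "ProtectKernelModules", "ProtectKernelLogs",
    "ProtectControlGroups", "ProtectClock", "ProtectHostname",
    "NoNewPrivileges", "RestrictRealtime", "RestrictSUIDSGID",
    "LockPersonality", "MemoryDenyWriteExecute", "RemoveIPC",
)

# Constructed sample of systemd.services.<name>.serviceConfig attribute sets,
# as they might be dumped from a NixOS evaluation (values are made up).
SAMPLE = {
    "nginx": {"PrivateTmp": True, "PrivateDevices": True,
              "ProtectKernelTunables": True, "NoNewPrivileges": "true"},
    "example-daemon": {"PrivateNetwork": False, "PrivateTmp": True},
    "legacy": {},
}

def is_enabled(value):
    """systemd accepts booleans as 1/yes/true/on; Nix may hand us a bool or a string."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("1", "yes", "true", "on")

def classify(service_config):
    """Map each hardening option to 'hardened', 'configured-not-hardened' or 'unconfigured'."""
    result = {}
    for opt in HARDENING_OPTIONS:
        if opt not in service_config:
            result[opt] = "unconfigured"
        elif is_enabled(service_config[opt]):
            result[opt] = "hardened"
        else:
            result[opt] = "configured-not-hardened"  # would still show green in the table
    return result

def rank(services):
    """Return (name, configured_count, hardened_count) sorted like the table."""
    rows = []
    for name, cfg in services.items():
        classes = classify(cfg).values()
        configured = sum(c != "unconfigured" for c in classes)
        hardened = sum(c == "hardened" for c in classes)
        rows.append((name, configured, hardened))
    return sorted(rows, key=lambda r: (-r[1], r[0]))

def false_positives(services):
    """(service, option) pairs that count as configured but do not actually harden."""
    return sorted((name, opt) for name, cfg in services.items()
                  for opt, c in classify(cfg).items() if c == "configured-not-hardened")
```

Running `rank(SAMPLE)` reproduces the table ordering, and `false_positives(SAMPLE)` isolates the PrivateNetwork=false case described above.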