System Security Settings
Checks if critical system security settings are properly configured.
Checks
wheel_only
- Only wheel group members should be allowed to use sudo
ssh_password_authentication
- Password authentication should be disabled for SSH
users_immutable
- Users should be managed through NixOS configuration
firewall_enabled
- The system firewall should be enabled for better security
log_refused_connections
- The logging of refused connections should be deactivated to avoid flooding the logs and possibly leaving important messages unseen. Consider using it only for debugging firewall rules.
Details
wheel_only
Description: Only wheel group members should be allowed to use sudo
How to fix:
Set security.sudo.execWheelOnly = true
ssh_password_authentication
Description: Password authentication should be disabled for SSH
How to fix:
Set services.openssh.settings.PasswordAuthentication = false
users_immutable
Description: Users should be managed through NixOS configuration
How to fix:
Set users.mutableUsers = false
firewall_enabled
Description: The system firewall should be enabled for better security
How to fix:
Set networking.firewall.enable = true
log_refused_connections
Description: The logging of refused connections should be deactivated to avoid flooding the logs and possibly leaving important messages unseen. Consider using it only for debugging firewall rules.
How to fix:
Set networking.firewall.logRefusedConnections = false
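The five fixes above combined into one NixOS module, as an added example that is not part of the original page or of the checking tool. The account name `admin`, the SSH public key and the password-hash path are placeholders; the user block is there because turning off mutable users and SSH password logins means the administrator's credentials have to be declared in the configuration itself.

```nix
# Added example: one module that satisfies all five checks.
{ ... }:
{
  # wheel_only: sudo can only be executed by members of the wheel group.
  security.sudo.execWheelOnly = true;

  # ssh_password_authentication: key-based logins only.
  services.openssh = {
    enable = true;
    settings.PasswordAuthentication = false;
  };

  # users_immutable: accounts and passwords come from this configuration;
  # changes made imperatively (useradd, passwd) do not persist.
  users.mutableUsers = false;

  # Hypothetical administrator account. With the settings above it needs
  # wheel membership for sudo, an authorized key for SSH, and a declared
  # password so sudo can still prompt for one.
  users.users.admin = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAA...PLACEHOLDER admin@example"   # placeholder key
    ];
    # Placeholder path to a file holding the password hash, kept outside
    # the world-readable Nix store.
    hashedPasswordFile = "/path/to/admin-password-hash";
  };

  networking.firewall = {
    # firewall_enabled
    enable = true;
    # log_refused_connections: switch on only while debugging rules.
    logRefusedConnections = false;
  };
}
```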