scottk/secureblue
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/secureblue.git synced 2025-11-03 11:58:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

Provide Link to Implimentation Details (#191)

Browse Source 
* Provide Link to Implimentation Details

Provide link to the file that implements the changes stated in readme. Inspired by, https://github.com/secureblue/secureblue/issues/180
This commit is contained in:
Cheng Zhang
2024-01-30 16:48:30 -05:00
committed by GitHub
parent de9b5a7aeb
commit cf6d4beb5a
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
README.md
View File

@@ -22,11 +22,11 @@ The following are not in scope for this project:
Hardening applied: Hardening applied:
- Setting numerous hardened sysctl values (Inspired by but not the same as Kicksecure's) - Setting numerous hardened sysctl values (Inspired by but not the same as Kicksecure's) <sup>[details](https://github.com/secureblue/secureblue/blob/live/config/files/usr/etc/sysctl.d/hardening.conf)</sup>
- Disabling coredumps in limits.conf - Disabling coredumps in limits.conf
- Disabling all ports and services for firewalld - Disabling all ports and services for firewalld
- Adds per-network MAC randomization - Adds per-network MAC randomization
- Blacklisting numerous unused kernel modules to reduce attack surface - Blacklisting numerous unused kernel modules to reduce attack surface <sup>[details](https://github.com/secureblue/secureblue/blob/live/config/files/usr/etc/modprobe.d/blacklist.conf)</sup>
- Require a password for sudo every time it's called - Require a password for sudo every time it's called
- Disable passwordless sudo for rpm-ostree - Disable passwordless sudo for rpm-ostree
- Brute force protection by locking user accounts for 24 hours after 50 failed login attempts, hardened password encryption and password quality suggestions - Brute force protection by locking user accounts for 24 hours after 50 failed login attempts, hardened password encryption and password quality suggestions
@@ -36,7 +36,7 @@ Hardening applied:
- (Non-userns variants) Disabling unprivileged user namespaces - (Non-userns variants) Disabling unprivileged user namespaces
- (Non-userns variants) Replacing bubblewrap with bubblewrap-suid so flatpak can be used without unprivileged user namespaces - (Non-userns variants) Replacing bubblewrap with bubblewrap-suid so flatpak can be used without unprivileged user namespaces
- Enabling only the [flathub-verified](https://flathub.org/apps/collection/verified/1) remote by default - Enabling only the [flathub-verified](https://flathub.org/apps/collection/verified/1) remote by default
- Sets numerous hardening kernel parameters (Inspired by [Madaidan's Hardening Guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html)) - Sets numerous hardening kernel parameters (Inspired by [Madaidan's Hardening Guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html)) <sup>[details](https://github.com/secureblue/secureblue/blob/live/config/files/usr/share/ublue-os/just/60-custom.just.readme.md)</sup>
- Installs and enables [hardened_malloc](https://github.com/GrapheneOS/hardened_malloc) globally, including for flatpaks - Installs and enables [hardened_malloc](https://github.com/GrapheneOS/hardened_malloc) globally, including for flatpaks
- Installing Chromium instead of Firefox in the base image <sup>[Why chromium?](https://grapheneos.org/usage#web-browsing)</sup> <sup>[Why not flatpak chromium?](https://forum.vivaldi.net/post/669805)</sup> - Installing Chromium instead of Firefox in the base image <sup>[Why chromium?](https://grapheneos.org/usage#web-browsing)</sup> <sup>[Why not flatpak chromium?](https://forum.vivaldi.net/post/669805)</sup>
- Including a hardened chromium config that disables JIT javascript <sup>[why?](https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/#is-jit-worth-it)</sup> - Including a hardened chromium config that disables JIT javascript <sup>[why?](https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/#is-jit-worth-it)</sup>