secureblue
This repo takes the uBlue starting point and selectively applies hardening with the following goals:
- Increase defenses against the exploitation of both known and unknown vulnerabilities.
- Avoid sacrificing usability for most use cases where possible.
The following are not in scope for this project:
- Anything related to increasing "privacy", especially when at odds with improving security
- Anything related to "degoogling" chromium. For example, we will not be replacing chromium with Brave or ungoogled-chromium.
What
Hardening applied:
- Setting numerous hardened sysctl values (Inspired by but not the same as Kicksecure's)
- Disabling coredumps in limits.conf
- Disabling all ports and services for firewalld
- Adding per-network MAC randomization
- Blacklisting numerous unused kernel modules to reduce attack surface
- Requiring a password for sudo every time it's called
- Disabling passwordless sudo for rpm-ostree
- Adding brute-force protection by locking user accounts for 24 hours after 50 failed login attempts, along with hardened password encryption and password quality suggestions
- Installing chkrootkit, usbguard, and bubblejail
- Setting opportunistic DNSSEC and DNSOverTLS for systemd-resolved
- Configuring chronyd to use Network Time Security (NTS)
- (Non-userns variants) Disabling unprivileged user namespaces
- (Non-userns variants) Replacing bubblewrap with bubblewrap-suid so flatpak can be used without unprivileged user namespaces
- Enabling only the flathub-verified remote by default
- Setting numerous hardening kernel parameters (Inspired by Madaidan's Hardening Guide)
- Installing and enabling hardened_malloc globally, including for flatpaks
- Installing Chromium instead of Firefox in the base image (Why chromium? Why not flatpak chromium?)
- Including a hardened chromium config that disables JIT javascript (why?)
- Pushing upstream fedora to harden the build for all fedora users, including secureblue users (for example, by enabling CFI)
Why
Fedora is one of the few distributions that ships with SELinux and associated tooling built-in and enabled by default. This makes it advantageous as a starting point for building a hardened system. However, out of the box it's lacking hardening in numerous other areas. This project's goal is to improve on that significantly.
For more info on uBlue, check out the uBlue homepage and the main uBlue repo.
Installation
Have a look at PREINSTALL-README before proceeding.
Available Images
Without User Namespaces (What's the difference?)
desktop
- kinoite-main-hardened
- kinoite-nvidia-hardened
- cinnamon-main-hardened
- cinnamon-nvidia-hardened
- bluefin-main-hardened
- bluefin-nvidia-hardened
- silverblue-main-hardened
- silverblue-nvidia-hardened
- sericea-main-hardened
- sericea-nvidia-hardened
- wayblue-wayfire-main-hardened
- wayblue-wayfire-nvidia-hardened
laptop
- kinoite-main-laptop-hardened
- kinoite-nvidia-laptop-hardened
- cinnamon-main-laptop-hardened
- cinnamon-nvidia-laptop-hardened
- bluefin-main-laptop-hardened
- bluefin-nvidia-laptop-hardened
- silverblue-main-laptop-hardened
- silverblue-nvidia-laptop-hardened
- sericea-main-laptop-hardened
- sericea-nvidia-laptop-hardened
- wayblue-wayfire-main-laptop-hardened
- wayblue-wayfire-nvidia-laptop-hardened
framework
- kinoite-framework-hardened
- bluefin-framework-hardened
- silverblue-framework-hardened
- sericea-framework-hardened
server
- server-main-hardened
- server-nvidia-hardened
With User Namespaces (What's the difference?)
desktop
- kinoite-main-userns-hardened
- kinoite-nvidia-userns-hardened
- cinnamon-main-userns-hardened
- cinnamon-nvidia-userns-hardened
- bluefin-dx-main-userns-hardened
- bluefin-dx-nvidia-userns-hardened
- bluefin-main-userns-hardened
- bluefin-nvidia-userns-hardened
- silverblue-main-userns-hardened
- silverblue-nvidia-userns-hardened
- sericea-main-userns-hardened
- sericea-nvidia-userns-hardened
- wayblue-wayfire-main-userns-hardened
- wayblue-wayfire-nvidia-userns-hardened
laptop
- kinoite-main-laptop-userns-hardened
- kinoite-nvidia-laptop-userns-hardened
- cinnamon-main-laptop-userns-hardened
- cinnamon-nvidia-laptop-userns-hardened
- bluefin-dx-main-laptop-userns-hardened
- bluefin-dx-nvidia-laptop-userns-hardened
- bluefin-main-laptop-userns-hardened
- bluefin-nvidia-laptop-userns-hardened
- silverblue-main-laptop-userns-hardened
- silverblue-nvidia-laptop-userns-hardened
- sericea-main-laptop-userns-hardened
- sericea-nvidia-laptop-userns-hardened
- wayblue-wayfire-main-laptop-userns-hardened
- wayblue-wayfire-nvidia-laptop-userns-hardened
framework
- kinoite-framework-userns-hardened
- bluefin-framework-userns-hardened
- silverblue-framework-userns-hardened
- sericea-framework-userns-hardened
server
- server-main-userns-hardened
- server-nvidia-userns-hardened
Rebasing
To rebase an existing Silverblue/Kinoite installation to the latest build:
- First rebase to the unsigned image, to get the proper signing keys and policies installed:
rpm-ostree rebase ostree-unverified-registry:ghcr.io/secureblue/$IMAGE_NAME:latest
- Reboot to complete the rebase:
systemctl reboot
- Then rebase to the signed image, like so:
rpm-ostree rebase ostree-image-signed:docker://ghcr.io/secureblue/$IMAGE_NAME:latest
- Reboot again to complete the installation:
systemctl reboot
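A system that stops after the first rebase stays on the unverified transport, so it is worth checking which stage the booted deployment is at. The helper below is an added example, not part of secureblue's tooling: the function names are hypothetical, and `booted_ref` assumes `jq` is installed and that `rpm-ostree status --json` reports a `container-image-reference` for the booted deployment.

```shell
#!/bin/sh
# Added example (not secureblue's own tooling).
REGISTRY_PREFIX="ghcr.io/secureblue"   # taken from the rebase commands above

# Accept only names shaped like the images listed on this page.
valid_image_name() {
    case "$1" in
        ''|*[!a-z0-9-]*) return 1 ;;
        *-hardened)      return 0 ;;
        *)               return 1 ;;
    esac
}

# Print "signed", "unverified" or "other" for an image reference.
classify_ref() {
    case "$1" in
        "ostree-image-signed:docker://$REGISTRY_PREFIX/"*) echo signed ;;
        "ostree-unverified-registry:$REGISTRY_PREFIX/"*)   echo unverified ;;
        *)                                                 echo other ;;
    esac
}

# Print the image name in a reference (text between the last "/" and the tag).
image_of_ref() {
    name=${1##*/}
    echo "${name%%:*}"
}

# Print the next rebase command for IMAGE given the booted REF, or "done".
# A reference for a different image is treated as "other" (assumption: start over).
next_step() {
    ref=$1 image=$2
    valid_image_name "$image" || { echo "invalid image name" >&2; return 2; }
    state=$(classify_ref "$ref")
    [ "$(image_of_ref "$ref")" = "$image" ] || state=other
    case "$state" in
        signed)     echo "done" ;;
        unverified) echo "rpm-ostree rebase ostree-image-signed:docker://$REGISTRY_PREFIX/$image:latest" ;;
        other)      echo "rpm-ostree rebase ostree-unverified-registry:$REGISTRY_PREFIX/$image:latest" ;;
    esac
}

# On a live system, read the booted reference (assumes jq; see lead-in).
booted_ref() {
    rpm-ostree status --json |
        jq -r '.deployments[] | select(.booted) | ."container-image-reference"'
}
```

On an installed system, `next_step "$(booted_ref)" "$IMAGE_NAME"` prints `done` only once the signed reference is the booted one.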
Post-install
After installation, yafti will open. Make sure to follow the steps listed carefully and read the directions closely.
Have a look at POSTINSTALL-README.
Kargs
To append kernel boot parameters that apply additional hardening (reboot required):
ujust set-kargs-hardening
To append additional kernel boot parameters that apply additional hardening, but cause boot issues on some hardware (reboot required):
ujust set-kargs-hardening-unstable
Nvidia
If you are using an nvidia image, run this after installation:
rpm-ostree kargs \
--append=rd.driver.blacklist=nouveau \
--append=modprobe.blacklist=nouveau \
--append=nvidia-drm.modeset=1
Contributing
Follow the contributing documentation, and make sure to respect the CoC.
Development
For local development, building locally is the recommended approach.