secureblue
After rebasing to secureblue, the following steps are recommended.
kargs
Documentation is available here for the kargs set by the commands below.
Set hardened kargs
ujust set-kargs-hardening
Set unstable hardened kargs
These can cause issues on some hardware but are stable on other hardware.
ujust set-kargs-hardening-unstable
GRUB
Set a password
Setting a GRUB password helps protect the device from physical tampering and mitigates various attack vectors, such as booting from malicious media devices and changing boot or kernel parameters.
To set a GRUB password, use the following command. By default, the password will be required when modifying boot entries, but not when booting existing entries.
sudo grub2-setpassword
GRUB will prompt for a username and password. The default username is root.
If you wish to password-protect booting existing entries as well, add a grub_users root line to the configuration file of the specific entry in the /boot/loader/entries directory.
Create a separate wheel account for admin purposes
Creating a dedicated wheel user and removing wheel from your primary user helps prevent certain attack vectors, like:
- https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation#LD_PRELOAD
- https://www.kicksecure.com/wiki/Root#Prevent_Malware_from_Sniffing_the_Root_Password
sudo adduser admin
sudo usermod -aG wheel admin
sudo passwd admin
sudo gpasswd -d {your username here} wheel
sudo reboot
When not in the wheel group, a user can be added to a dedicated group; otherwise certain actions are blocked:
- use virtual machines: libvirt
- use adb and fastboot: plugdev
- use systemwide flatpaks: flatpak
Some actions don't have an associated group yet; you can create your own rules and groups to fix this.
Example: To allow a non-wheel user to use LUKS encrypted external drives:
- sudo groupadd diskadmin
- sudo usermod -aG diskadmin {your username here}
- execute this command (explanation below)
sudo tee -a /etc/polkit-1/rules.d/80-udisks2.rules <<EOF
polkit.addRule(function(action, subject) {
    // Both udisks2 actions are grouped in parentheses: without them, "&&" binds
    // tighter than "||" and the unlock action would be granted to every subject.
    if ((action.id == "org.freedesktop.udisks2.encrypted-unlock-system" ||
         action.id == "org.freedesktop.udisks2.filesystem-mount-system") &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("diskadmin"))
    {
        return polkit.Result.YES;
    }
});
EOF
The custom rule allows the group diskadmin to perform the actions for unlocking and mounting these drives. Note the requirements that the session be active and local, and that the action ids are matched exactly.
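Because `&&` binds tighter than `||` in JavaScript, the two action ids in a rule like this must be grouped in parentheses; otherwise the first action is granted to every subject, whether or not it is active, local or in the group. The following added example (not part of secureblue or polkit) evaluates an ungrouped and a grouped condition against a small mock of the subject object polkit passes to rules, so the difference can be checked offline.

```javascript
// Added example (not secureblue's code): exercise a polkit rule body against
// a minimal mock of polkit's rule API so the condition logic can be tested.
const polkit = {
  Result: { YES: "yes", NO: "no" }, // polkit.Result.YES/NO; undefined = not handled
};

// Mock subject: active/local session flags and the groups the user belongs to.
function makeSubject(active, local, groups) {
  return {
    active,
    local,
    isInGroup: (g) => groups.includes(g),
  };
}

const UNLOCK = "org.freedesktop.udisks2.encrypted-unlock-system";
const MOUNT = "org.freedesktop.udisks2.filesystem-mount-system";

// Ungrouped condition: `a || b && c && d` parses as `a || (b && c && d)`,
// so UNLOCK is granted regardless of subject state or group membership.
function ruleUngrouped(action, subject) {
  if (action.id == UNLOCK || action.id == MOUNT &&
      subject.active == true && subject.local == true &&
      subject.isInGroup("diskadmin")) {
    return polkit.Result.YES;
  }
}

// Grouped condition: both actions require an active, local diskadmin session.
function ruleGrouped(action, subject) {
  if ((action.id == UNLOCK || action.id == MOUNT) &&
      subject.active == true && subject.local == true &&
      subject.isInGroup("diskadmin")) {
    return polkit.Result.YES;
  }
}

// Run one rule for an action id and subject. A return of undefined means
// "not handled": polkit falls through to later rules or the action defaults.
function evaluate(rule, actionId, subject) {
  return rule({ id: actionId }, subject);
}

// Constructed subjects: a remote, inactive session outside the group, and a
// local, active session that is a diskadmin member.
const outsider = makeSubject(false, false, []);
const admin = makeSubject(true, true, ["diskadmin"]);

console.log(evaluate(ruleUngrouped, UNLOCK, outsider)); // "yes": over-broad grant
console.log(evaluate(ruleGrouped, UNLOCK, outsider));   // undefined: not handled
console.log(evaluate(ruleGrouped, UNLOCK, admin));      // "yes"
```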
Chromium
Extension
- Go to uBlock Origin Lite (Why Lite?)
- Install it
- In the extension's settings, make sure all of the lists under Default and Miscellaneous are checked (and at your preference, lists in the Annoyances section or country-specific lists)