scottk/secureblue
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/secureblue.git synced 2025-11-01 10:57:49 +00:00
Code Issues Packages Projects Releases Wiki Activity
418 Commits 1 Branch 0 Tags
c8bd1eb510a32d8b19017bd2c140a73b44a085dd
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE

README.md

secureblue

secureblue

This repo takes the uBlue starting point and selectively applies hardening with the following goals:

  • Increase defenses against the exploitation of both known and unknown vulnerabilities.
  • Avoid sacrificing usability for most use cases where possible

The following are not in scope for this project:

  • Anything related to increasing "privacy", especially when at odds with improving security
  • Anything related to "degoogling"

What

Hardening applied:

  • Setting numerous hardened sysctl values (Inspired by but not the same as Kicksecure's)
  • Disabling coredumps in limits.conf
  • Disabling all ports and services for firewalld
  • Blacklisting numerous unused kernel modules to reduce attack surface
  • Setting more restrictive file permissions (Based on recommendations from lynis)
  • Installing dnf-automatic and chkrootkit
  • Disabling unprivileged user namespaces and removing flatpak
  • Sets numerous hardening kernel parameters (Inspired by Madaidan's Hardening Guide)
  • Installs and enables hardened_malloc globally
  • Installing Chromium from the koji updates-testing repo to always have the latest version of chromium, the stable chromium package lags behind on security patches (Why chromium?)

Why

Fedora is one of the few distributions that ships with selinux and associated tooling built-in and enabled by default. This makes it advantageous as a starting point for building a hardened system. However, out of the box it's lacking hardening in numerous other areas. This project's goal is to improve on that significantly.

For more info on uBlue, check out the uBlue homepage and the main uBlue repo

Installation

Warning

This is an experimental feature and should not be used in production, try it in a VM for a while!

Available Images

Note: gaming utilities like Steam and Lutris are not included and in my experience are largely incompatible with hardened_malloc

  • kinoite-main-hardened
  • kinoite-nvidia-hardened
  • silverblue-main-hardened
  • silverblue-nvidia-hardened

Rebasing

To rebase an existing Silverblue/Kinoite installation to the latest build:

  • First rebase to the unsigned image, to get the proper signing keys and policies installed: 
    rpm-ostree rebase ostree-unverified-registry:ghcr.io/secureblue/$IMAGE_NAME:latest
  • Reboot to complete the rebase: 
    systemctl reboot
  • Then rebase to the signed image, like so: 
    rpm-ostree rebase ostree-image-signed:docker://ghcr.io/secureblue/$IMAGE_NAME:latest
  • Reboot again to complete the installation 
    systemctl reboot

Post-install

The following command is available to append kernel boot parameters that apply additional hardening (reboot required):

just set-kargs-hardening

Contributing

Follow the contributing documentation, and make sure to respect the CoC.

Development

For local Development building locally is the recommended approach.

Description
No description provided
Readme Apache-2.0 1.9 MiB
Languages
Shell 33.2%
Just 33.2%
YAML 31.2%
JSON 2.4%