Final on Nostr: Secureblue is a security-focused desktop Linux operating system. Features Exploit ...
Secureblue is a security-focused desktop Linux operating system.
Features
Exploit mitigation:
Installing and enabling GrapheneOS' hardened_malloc globally, including for flatpaks.
Installing our chromium-based browser Trivalent, which is inspired by Vanadium.
SELinux-restricted unprivileged user namespaces
Setting numerous hardened sysctl values
Sets numerous hardening kernel arguments
Configure chronyd to use Network Time Security (NTS) using chrony config from #GrapheneOS
Set opportunistic DNSSEC and DNSOverTLS for systemd-resolved
Installing usbguard and providing ujust commands to automatically configure it
Filling holes in the Linux security posture:
Remove SUID-root from numerous binaries, replacing functionality using capabilities, and remove sudo, su, and pkexec entirely in favor of run0
Disable Xwayland by default (for GNOME, Plasma, and Sway images)
Mitigation of LD_PRELOAD attacks via ujust toggle-bash-environment-lockdown
Disable install & usage of GNOME user extensions by default
Disable KDE GHNS by default
Removal of the unmaintained and suid-root fuse2 by default
Disabling unprivileged user namespaces by default for the unconfined domain and the container domain
Security by default:
Disabling all ports and services for firewalld
Use HTTPS for all rpm mirrors
Set all default container policies to reject, signedBy, or sigstoreSigned
Enabling only the flathub-verified remote by default
Reduce information leakage:
Adds per-network MAC randomization
Disabling coredumps
Attack surface reduction:
Blacklisting numerous unused kernel modules to reduce attack surface
Brute force protection by locking user accounts for 24 hours after 50 failed login attempts, hardened password encryption and password quality suggestions
Disable and mask a variety of services by default (including cups, geoclue, passim, and others)
Security ease-of-use:
Installing bubblejail for additional sandboxing tooling
Tooling for automatically setting up and enabling LUKS TPM2 integration for unlocking LUKS drives
Tooling for automatically setting up and enabling LUKS FIDO2 integration for unlocking LUKS drives
Toggles for a variety of the hardening set by default, for user convenience (ujust --choose)
https://secureblue.dev/