This repo uses BlueBuild to generate hardened operating system images, using uBlue's Fedora Atomic-based base images as a starting point.
secureblue applies hardening with the following goals in mind:
- Increase defenses against the exploitation of both known and unknown vulnerabilities.
- Avoid sacrificing usability for most use cases where possible
- Disabling metrics and data collection by default where they exist, so long as this has no security implications (for example, disabling vscode data collection by default on
dx
images)
The following are not in scope:
- Anything that sacrifices security for "privacy". Fedora is already sufficiently private and "privacy" often serves as a euphemism for security theater. This is especially true when at odds with improving security.
- Anything related to "degoogling" chromium. For example, we will not be replacing chromium with Brave or ungoogled-chromium. Both of them make changes that sacrifice security for "privacy", such as enabling MV2.
- Installing and enabling hardened_malloc globally, including for flatpaks. Thanks to rusty-snake's hardened_malloc spec
- Installing hardened-chromium, which is inspired by and incorporates patches from Vanadium. Why chromium? Why not flatpak chromium?
- Setting numerous hardened sysctl values details
- Disabling coredumps in limits.conf
- Disabling all ports and services for firewalld
- Adds per-network MAC randomization
- Blacklisting numerous unused kernel modules to reduce attack surface details
- Enabling only the flathub-verified remote by default
- Sets numerous hardening kernel arguments (Inspired by Madaidan's Hardening Guide) details
- Reduce the sudo timeout to 1 minute
- Disable passwordless sudo for
rpm-ostree install
why? - Brute force protection by locking user accounts for 24 hours after 50 failed login attempts, hardened password encryption and password quality suggestions
- Installing usbguard and providing
ujust
commands to enable it - Installing bubblejail for additional sandboxing tooling
- Set opportunistic DNSSEC and DNSOverTLS for systemd-resolved
- Configure chronyd to use Network Time Security (NTS) using chrony config from GrapheneOS
- Disable KDE GHNS by default why?
- Use HTTPS for all rpm mirrors
- Set all default container policies to
reject
,signedBy
, orsigstoreSigned
- Remove SUID-root from numerous binaries and replace functionality using capabilities
- (Non-userns variants) Disabling unprivileged user namespaces
- (Non-userns variants) Replacing bubblewrap with bubblewrap-suid so flatpak can be used without unprivileged user namespaces
Fedora is one of the few distributions that ships with selinux and associated tooling built-in and enabled by default. This makes it advantageous as a starting point for building a hardened system. However, out of the box it's lacking hardening in numerous other areas. This project's goal is to improve on that significantly.
For more info on uBlue and BlueBuild, check out the uBlue homepage and the BlueBuild homepage.
If you want to add your own customizations on top of secureblue, you are advised strongly against forking. Instead, create a repo for your own image by using the BlueBuild template, then change your base-image
to a secureblue image. This will allow you to apply your customizations to secureblue in a concise and maintainable way, without the need to constantly sync with upstream.
Have a look at PREINSTALL-README before proceeding.
To rebase a Fedora Atomic installation, choose an $IMAGE_NAME from the list below, then follow these steps:
(Important note: the only supported tag is latest
)
- First rebase to the unsigned image, to get the proper signing keys and policies installed:
rpm-ostree rebase ostree-unverified-registry:ghcr.io/secureblue/$IMAGE_NAME:latest
- Reboot to complete the rebase:
systemctl reboot
- Then rebase to the signed image, like so:
rpm-ostree rebase ostree-image-signed:docker://ghcr.io/secureblue/$IMAGE_NAME:latest
- Reboot again to complete the installation
systemctl reboot
While it's recommended to use a Fedora Atomic iso to install and then rebase that installation to secureblue, you can also generate an iso and install that directly using this script. Please note you should still follow the post-install steps when installing from a generated iso:
./generate_secureblue_iso.sh
Images userns?
Recommended why?
silverblue-main-hardened
silverblue-nvidia-hardened
bluefin-main-hardened
bluefin-nvidia-hardened
bluefin-dx-main-userns-hardened
bluefin-dx-nvidia-userns-hardened
bluefin-main-userns-hardened
bluefin-nvidia-userns-hardened
silverblue-main-userns-hardened
silverblue-nvidia-userns-hardened
kinoite-main-hardened
kinoite-nvidia-hardened
aurora-main-hardened
aurora-nvidia-hardened
sericea-main-hardened
sericea-nvidia-hardened
kinoite-main-userns-hardened
kinoite-nvidia-userns-hardened
aurora-main-userns-hardened
aurora-nvidia-userns-hardened
aurora-dx-main-userns-hardened
aurora-dx-nvidia-userns-hardened
sericea-main-userns-hardened
sericea-nvidia-userns-hardened
cinnamon-main-hardened
cinnamon-nvidia-hardened
cosmic-main-hardened
cosmic-nvidia-hardened
wayblue-wayfire-main-hardened
wayblue-wayfire-nvidia-hardened
wayblue-hyprland-main-hardened
wayblue-hyprland-nvidia-hardened
wayblue-river-main-hardened
wayblue-river-nvidia-hardened
wayblue-sway-main-hardened
wayblue-sway-nvidia-hardened
cinnamon-main-userns-hardened
cinnamon-nvidia-userns-hardened
cosmic-main-userns-hardened
cosmic-nvidia-userns-hardened
wayblue-wayfire-main-userns-hardened
wayblue-wayfire-nvidia-userns-hardened
wayblue-hyprland-main-userns-hardened
wayblue-hyprland-nvidia-userns-hardened
wayblue-river-main-userns-hardened
wayblue-river-nvidia-userns-hardened
wayblue-sway-main-userns-hardened
wayblue-sway-nvidia-userns-hardened
Asus source
silverblue-asus-hardened
silverblue-asus-nvidia-hardened
silverblue-asus-userns-hardened
silverblue-asus-nvidia-userns-hardened
aurora-asus-hardened
aurora-asus-nvidia-hardened
kinoite-asus-hardened
kinoite-asus-nvidia-hardened
aurora-asus-userns-hardened
aurora-asus-nvidia-userns-hardened
aurora-dx-asus-userns-hardened
aurora-dx-asus-nvidia-userns-hardened
kinoite-asus-userns-hardened
kinoite-asus-nvidia-userns-hardened
Surface source
aurora-surface-hardened
aurora-surface-nvidia-hardened
aurora-surface-userns-hardened
aurora-surface-nvidia-userns-hardened
aurora-dx-surface-userns-hardened
aurora-dx-surface-nvidia-userns-hardened
server-main-hardened
server-nvidia-hardened
server-zfs-main-hardened
server-zfs-nvidia-hardened
server-main-userns-hardened
server-nvidia-userns-hardened
server-zfs-main-userns-hardened
server-zfs-nvidia-userns-hardened
After installation, yafti will open. Make sure to follow the steps listed carefully and read the directions closely.
Then follow the POSTINSTALL-README.
Follow the contributing documentation, and make sure to respect the CoC.
For local Development building locally is the recommended approach.
Opening issues is preferred, but Discord is available as well.