#32
I went through the secureblue configs, selected the ones I use myself, changed some minor things.
These changes include
- storing scripts in one place,
/usr/local/bin (allowing root users to delete or change them)
- using
/usr/bin/run0 in some of them, some still need to be invoked as root I guess
- adding some scripts
- separating files like modprobe.d hardening, to make "softening" easier
The additions:
- add a secureblue license note and attach the Apache 2.0 license text
- chronyd config from GrapheneOS
- add a few distrobox container configs that use cosign signatures for verification
- configure distrobox
- create a separate directory per box, $HOME/distrobox/boxname
- use the latest Fedora container image by default (needs no maintenance)
- modprobe.d
- block various commonly unused kernel drivers from loading
- separate bluetooth blocking file to make it easy to comment it out to allow it
- same for some filesystems that some people might use
- additional file to override allow modules if people want that
- public cosign keys for various containers to have the root of trust in this OS
- SDDM config to use wayland, basic rendering and remove some advanced features for hardening
- disable coredump as it allows apps to gain detailed info about the OS
- 3 config files, one parameter, see the scripts
- not enforced password quality checks
- enforce SELinux confinement for chrony (as fas as I understood) and improve behavior when having been killed as it did something bad
- various sysctl hardening parameters
- systemd resolved: use encrypted DNS opportunistically. This should keep captive portals working, and is vulnerable to downgrade attacks, but probably most usable. Adding a disabled file for real security hardening (with a few set encrypted DNS providers) could be useful
- udev: add rules for Google titan and various other HOTP keys for 2FA, including Nitrokey, Solokey, Yubikey
- disabled: disable KDE extension support as they are a vector for unchecked executable code (see issues like this one)
- dracut: enable tpm and fido2 for LUKS unlocking
- scripts
- enable and disable the cups systemd service. Provides easy hardening which can easily be turned off. Alternatively firewall rules could be used
- disable and enable coredumps by renaming files and commenting out a config parameter
- enable or disable LUKS unlocking with a FIDO2 key or the TPM
- set capabilities for some binaries for potential future suid replacement. Those binaries will then no longer allow privilege escalation to root that easily
- restart plasmashell. just a nice shortcut, not security relevant
- disable USBGuard to workaround potential breakages
missing:
- these build scripts
- these justfiles converted into bash scripts
- hardnened malloc
- pam-authramp
- bubblejail (could be built for EPEL10)
- SELinux policies to confine the binaries spawning user namespaces
- toggle to mount /var/home
noexec to make malware harder (with drawbacks, like no firefox binary in a random user dir, no appimages in user dirs, no scripts, python, cargo, go will all not work
- flatpak hardening
https://codeberg.org/HeliumOS/bootc/issues/32
I went through the secureblue configs, selected the ones I use myself, changed some minor things.
These changes include
- storing scripts in one place, `/usr/local/bin` (allowing root users to delete or change them)
- using `/usr/bin/run0` in some of them, some still need to be invoked as root I guess
- adding some scripts
- separating files like modprobe.d hardening, to make "softening" easier
The additions:
- add a secureblue license note and attach the Apache 2.0 license text
- chronyd config from GrapheneOS
- add a few distrobox container configs that use cosign signatures for verification
- configure distrobox
- create a separate directory per box, $HOME/distrobox/boxname
- use the latest Fedora container image by default (needs no maintenance)
- modprobe.d
- block various commonly unused kernel drivers from loading
- separate bluetooth blocking file to make it easy to comment it out to allow it
- same for some filesystems that some people might use
- additional file to override allow modules if people want that
- public cosign keys for various containers to have the root of trust in this OS
- SDDM config to use wayland, basic rendering and remove some advanced features for hardening
- disable coredump as it allows apps to gain detailed info about the OS
- 3 config files, one parameter, see the scripts
- not enforced password quality checks
- enforce SELinux confinement for chrony (as fas as I understood) and improve behavior when having been killed as it did something bad
- various sysctl hardening parameters
- systemd resolved: use encrypted DNS opportunistically. This should keep captive portals working, and is vulnerable to downgrade attacks, but probably most usable. Adding a disabled file for real security hardening (with a few set encrypted DNS providers) could be useful
- udev: add rules for Google titan and various other HOTP keys for 2FA, including Nitrokey, Solokey, Yubikey
- disabled: disable KDE extension support as they are a vector for unchecked executable code ([see issues like this one](https://discuss.kde.org/t/12826/))
- dracut: enable tpm and fido2 for LUKS unlocking
- scripts
- enable and disable the cups systemd service. Provides easy hardening which can easily be turned off. Alternatively firewall rules could be used
- disable and enable coredumps by renaming files and commenting out a config parameter
- enable or disable LUKS unlocking with a FIDO2 key or the TPM
- set capabilities for some binaries for potential future suid replacement. Those binaries will then no longer allow privilege escalation to root that easily
- restart plasmashell. just a nice shortcut, not security relevant
- disable USBGuard to workaround potential breakages
missing:
- [these build scripts](https://github.com/secureblue/secureblue/tree/live/files/scripts)
- [these justfiles](https://github.com/secureblue/secureblue/tree/live/files/justfiles) converted into bash scripts
- hardnened malloc
- pam-authramp
- bubblejail (could be built for EPEL10)
- SELinux policies to confine the binaries spawning user namespaces
- toggle to mount /var/home `noexec` to make malware harder (with drawbacks, like no firefox binary in a random user dir, no appimages in user dirs, no scripts, python, cargo, go will all not work
- flatpak hardening