Operating systems - Secureblue
Unfortunately while desktop Linux is great for privacy and software freedoms it lacks many security features. Taking into account the current state of the Linux desktop it attempts to build a secure operating system by protecting against known and unknown of vulnerabilities.
Secureblue is a secure operating system based on Fedora Atomic Desktop. Multiple images offer several desktop options, Silverblue based on Gnome and Kinoite based on KDE.
Security
The OS protect against know and unknown vulnerabilities.
Attack surface reduction
The attack surface is reduced by removing unnecessary kernel modules; disabling simultaneous multi-threading (SMT) on CPU vulnerable to Spectre and Meltdown, limiting the numbers of binaries running as root user as security flaws can lead to arbitrary code execution, disabling services, disabling all ports and services for firewalld, enabling bruteforce protection for user accounts, disabling X11 as it allows applications to spy on each others keystroke input.
Exploit mitigation
Secureblue hardens the kernel, removes privilege escalation binaries, replaces standard glibc, enforces stricter SELinux access control policies to restrict unauthorized access and tampering, protects against rogue USB devices.
Privacy
The Media Access Control (MAC) address used to identify hardware on a network is randomized.
Usability
Target Audience
Users already familiar with Fedora in need of greater security may want to give it a try.
Web browser
Secureblue comes with Trivalent their own Chromium-based Vanadium-inspired web browser.
Update
System update
On traditional Linux distributions a failed update can result in a corrupt system, in an atomic one a base image is downloaded with packages overlays applied on top of it. Its read-only root file-system ensure identical installation for the same version improving stability, reducing bugs, making testing easier. After restart, the system boot into the new deployment. A rollback operation is provided if breakage occurs.
Package update
The system offers three ways to install packages:
- the universal package system Flatpak only showing by default verified application from Flathub
- the cross platform package manager Homebrew to install CLI applications
- or the default package manager of Fedora Atomic rpm-ostree to install packages with deeper system integration or not available on Flatpak and Homebrew
Desktop environment
By rebasing the system to a new image the desktop environment can be easily switch.
Security
Secureblue provides many convenient features to tweak the security parameters:
- simplified full disk encryption with TPM2+PIN or FIDO2 integration
- an audit tool providing hardening suggestions
- toggles providing hardening options
- additional sandboxing