From 584d8d4cb3d4eab7595650209511abbd4ba49eb6 Mon Sep 17 00:00:00 2001 From: River Date: Thu, 22 May 2025 18:55:07 -0400 Subject: [PATCH] Add Hardening --- Hardening.md | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 Hardening.md diff --git a/Hardening.md b/Hardening.md new file mode 100644 index 0000000..095b442 --- /dev/null +++ b/Hardening.md 
@@ -0,0 +1,74 @@ +# System Hardening + +A number of different methods are employed to make HalogenOS more resistant to exploits and tampering, and are explained below. + +## Build Settings + +These are configurations performed during the compilation stage. All the settings here apply strictly to binaries which ship within the HalogenOS image, not to binaries downloaded via Flatpak or Distrobox. + +- Gentoo hardened compiler & flags +- SELinux support included +- X11 and systemd support disabled + +## Kernel + +The kernel has been configured to utilize several security features that limit what APIs processes can use and which side channels might be available to leak information. + +- Kernel Self Protection Project enabled +- Signed kernel module loading only +- Quiet boot parameter +- Common CPU vulnerabilities mitigated +- Lockdown mode set to confidentiality +- SELinux enabled +- Unnecessary modules blacklisted + +## Full Verified Boot + +If the hardware running HalogenOS is properly manufactured and configured, it should provide a reasonably strong guarantee that software on the system is in a known good state. + +- Checks & reports on hardware/firmware security +- Unified Kernel Image boot +- Secure Boot with locally generated keys +- dm-verity enabled for system partition +- squashfs based system images +- LUKS encryption enabled for user partition +- TPM2 based automatic unlocking +- Automatic repair in case of tampering +- User alerted if hardware security baseline changes + +## Configuration + +Various controls on the kernel's networking stack, filesystem stack, and on some userland components like malloc further reduce attack surface. + +- Hardened sysctl values +- hardened_malloc used by default +- `nosuid` set for non-system partitions +- `noexec` set for `/tmp` +- Root logon disabled +- No superuser access on production builds +- sshd disabled + +## Updates + +System updates are fully verified as well. 
In a secure build, signatures are required and the system will not install an unsigned or improperly signed update or overlay. + +- Signed image updates +- Signed system overlays +- Updates performed over HTTPS + +## Sandboxing + +Applications are run in sandboxes by default so they do not make undesired modifications or read files without authorization. + +- Flatpak centered package management +- Distrobox with gvisor for container work +- Hardened Docker configuration +- BubbleWrap for arbitrary binary sandboxing + +## Applications + +The default applications have been selected with security as a first priority. + +- GNOME desktop environment +- Wayland display compositor +- Trivalent browser
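Review bot: the "Full Verified Boot" and "Configuration" sections promise strong guarantees without naming the component behind any of them, and the Build Settings bullet `- X11 and systemd support disabled` makes that omission more pressing, because UKI assembly, dm-verity root-hash binding and TPM2 automatic unlocking are usually provided by systemd tooling (ukify, systemd-veritysetup, systemd-cryptenroll), which this image rules out. Please state what implements each of those, which PCRs the LUKS key is sealed against, and what `- Automatic repair in case of tampering` actually does: dm-verity over a read-only squashfs can only detect corruption, so if repair means re-fetching the image, say how that path is itself verified. Two smaller points: `- Quiet boot parameter` under Kernel is not a hardening control and should be dropped or its security purpose explained, and "No superuser access on production builds" needs a sentence on how image updates, TPM enrollment and the Docker daemon operate without root. Finally, "In a secure build, signatures are required" implies a non-secure build accepts unsigned updates; clarify whether production images are always secure builds.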