Add Hardening
parent
37e7cd21e5
commit
584d8d4cb3
74
Hardening.md
Normal file
@ -0,0 +1,74 @@
# System Hardening
A number of different methods are employed to make HalogenOS more resistant to exploits and tampering, and are explained below.
## Build Settings
These are configurations performed during the compilation stage. All the settings here apply strictly to binaries which ship within the HalogenOS image, not to binaries downloaded via Flatpak or Distrobox.
- Gentoo hardened compiler & flags
- SELinux support included
- X11 and systemd support disabled
## Kernel
The kernel has been configured to utilize several security features that limit what APIs processes can use and which side channels might be available to leak information.
- Kernel Self Protection Project enabled
- Signed kernel module loading only
- Quiet boot parameter
- Common CPU vulnerabilities mitigated
- Lockdown mode set to confidentiality
- SELinux enabled
- Unnecessary modules blacklisted
## Full Verified Boot
If the hardware running HalogenOS is properly manufactured and configured, it should provide a reasonably strong guarantee that software on the system is in a known good state.
- Checks & reports on hardware/firmware security
- Unified Kernel Image boot
- Secure Boot with locally generated keys
- dm-verity enabled for system partition
- squashfs based system images
- LUKS encryption enabled for user partition
- TPM2 based automatic unlocking
- Automatic repair in case of tampering
- User alerted if hardware security baseline changes
## Configuration
Various controls on the kernel's networking stack, filesystem stack, and on some userland components like malloc further reduce attack surface.
- Hardened sysctl values
- hardened_malloc used by default
- `nosuid` set for non-system partitions
- `noexec` set for `/tmp`
- Root logon disabled
- No superuser access on production builds
- sshd disabled
## Updates
System updates are fully verified as well. In a secure build, signatures are required and the system will not install an unsigned or improperly signed update or overlay.
- Signed image updates
- Signed system overlays
- Updates performed over HTTPS
## Sandboxing
Applications are run in sandboxes by default so they do not make undesired modifications or read files without authorization.
- Flatpak centered package management
- Distrobox with gvisor for container work
- Hardened Docker configuration
- BubbleWrap for arbitrary binary sandboxing
## Applications
The default applications have been selected with security as a first priority.
- GNOME desktop environment
- Wayland display compositor
- Trivalent browser
|