From a7b58938f19d931453ca349f8294777a08dee03e Mon Sep 17 00:00:00 2001 From: River Date: Mon, 30 Jun 2025 18:14:02 -0400 Subject: [PATCH] Update Hardening --- Hardening.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/Hardening.md b/Hardening.md index fab7224..0c8ceb5 100644 --- a/Hardening.md +++ b/Hardening.md @@ -9,6 +9,7 @@ These are configurations performed during the compilation stage. All the setting - Gentoo hardened compiler & flags - SELinux support included - X11 and systemd support disabled +- Musl libc used instead of GNU libc (glibc) ## Kernel @@ -17,7 +18,7 @@ The kernel has been configured to utilize several security features that limit w - Kernel Self Protection Project enabled - Signed kernel module loading only - Quiet boot parameter -- Common CPU vulnerabilities mitigated +- Common CPU vulnerabilities mitigated when possible - Lockdown mode set to confidentiality - SELinux enabled - Unnecessary modules blacklisted @@ -49,7 +50,8 @@ Various controls on the kernel's networking stack, filesystem stack, and on some - Root logon disabled - No superuser access on production builds - System files on non-system partitions only accessible by root -- sshd disabled +- Integrity of symlinks to system partition enforced by the kernel +- sshd not included ## Updates @@ -57,7 +59,8 @@ System updates are fully verified as well. In a secure build, signatures are req - Signed image updates - Signed system overlays -- Updates performed over HTTPS +- OTA updates performed strictly over HTTPS +- Failed or tampered updates cause failover to known-good system slot ## Sandboxing 
@@ -70,8 +73,9 @@ Applications are run in sandboxes by default so they do not make undesired modif ## Applications -The default applications have been selected with security as a first priority. +The default applications have been selected with security as a first priority. Also, smaller implementations are preferred to minimize the trusted computing base (TCB) of the system. -- GNOME desktop environment +- KDE desktop environment - Wayland display compositor - Trivalent browser +- OpenRC init system
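Review bot: The new "Musl libc used instead of GNU libc (glibc)" bullet in the first hunk (the build-configuration list) gives no rationale and no caveat. The page later justifies preferring smaller implementations by trusted-computing-base size, so that rationale belongs here too; and since the same list claims "Gentoo hardened compiler & flags", it is worth stating which of those hardening features still apply under musl. In particular, musl does not ship glibc's `_FORTIFY_SOURCE` checked-function wrappers, so a build that relies on that flag needs a separate fortify-headers package or the claim should be dropped for musl builds.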
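Review bot: In the kernel hunk, "Common CPU vulnerabilities mitigated when possible" weakens a checkable claim into an unverifiable one. "When possible" should say what decides possibility: which mitigations the kernel command line enables (e.g. the `mitigations=` setting and whether SMT is left on), and which known mitigations are deliberately not applied on the target hardware and why. Otherwise a reader cannot tell whether a given speculative-execution issue is covered on their build.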
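Review bot: "Integrity of symlinks to system partition enforced by the kernel" in the access-control hunk does not name a kernel mechanism a reader can look up. If this refers to the `fs.protected_symlinks` sysctl (refusing to follow symlinks in sticky world-writable directories unless owner rules match), say so, since that protects against symlink races in places like `/tmp`, not the integrity of the system partition itself. If it instead means block-level integrity of the system partition (dm-verity or similar), that is a different control and should be listed as such. The companion change from "sshd disabled" to "sshd not included" is a real improvement, as an absent daemon cannot be re-enabled by configuration.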
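Review bot: The updates hunk introduces "Failed or tampered updates cause failover to known-good system slot" without saying what makes a slot known-good or what counts as a failure. Two details a reviewer would want documented: (1) the trigger, i.e. whether failover happens on signature-verification failure at install time, on a boot-count or watchdog timeout after switching slots, or both; and (2) anti-rollback, because a slot that is older but still validly signed is exactly what an attacker holding an old vulnerable image would want the device to fall back to. "OTA updates performed strictly over HTTPS" should also state whether the client pins the update server's CA or certificate; transport security alone does not authenticate the image, which the existing "Signed image updates" bullet already carries, so the two bullets should be worded to make that division of labour clear.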
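Review bot: In the applications hunk, the added sentence "smaller implementations are preferred to minimize the trusted computing base (TCB)" sits directly above the change from GNOME to KDE, and KDE Plasma is not a smaller implementation than GNOME, so the paragraph reads as contradicting itself. State the actual reason for the switch (Wayland compositor support, the build's lack of systemd and X11, or whatever it is) rather than leaving the TCB sentence to imply it. Separately, "OpenRC init system" is not an application; it belongs with the build-configuration list that already says "X11 and systemd support disabled", where it explains how the system is started without systemd.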