secureblue / secureblue (forked from ublue-os/startingpoint). Immutable Fedora images for GNOME, KDE, and Sway with some hardening applied. License: Apache-2.0. Branch `live`, 48 commits ahead of ublue-os:template; latest commit e1c0af9 by qoijjj, Dec 13, 2023: "Merge branch 'ublue-os:template' into live". 468 commits total.
| Name | Latest commit message | Commit time |
|---|---|---|
| .github | Merge branch 'ublue-os:template' into live | December 13, 2023 14:14 |
| config | Add kargs password prompt for yafti | December 13, 2023 11:39 |
| modules | docs: yaml not yml, directions qualifier | October 1, 2023 16:36 |
| .gitignore | added kate and dolphin files to .directory | December 3, 2023 17:23 |
| CODE_OF_CONDUCT.md | Replace email for CoC contact (#47) | November 26, 2023 18:24 |
| CONTRIBUTING.md | Replace email for CoC contact (#47) | November 26, 2023 18:24 |
| CONTRIBUTORS.md | Add CONTRIBUTORS | November 28, 2023 15:27 |
| Containerfile | chore: Bump to Fedora 39 (ublue-os#186) | November 8, 2023 16:22 |
| LICENSE | Initial commit | December 8, 2022 12:07 |
| README.md | Fix readme error | December 11, 2023 10:47 |
| boot_menu.yml | feat: ISO build action (ublue-os#133) | August 4, 2023 06:53 |
| build.sh | docs: module working directory, style guides | October 1, 2023 15:24 |
| cosign.pub | Rebase secureblue with a new, clean commit history | November 26, 2023 16:42 |

# secureblue

This repo takes the uBlue starting point and selectively applies hardening with the following goals:

* Increase defenses against the exploitation of both known and unknown vulnerabilities.
* Avoid sacrificing usability for most use cases where possible.

The following are not in scope for this project:

* Anything related to increasing "privacy", especially when at odds with improving security
* Anything related to "degoogling"

## What

Hardening applied:

* Setting numerous hardened sysctl values (inspired by, but not the same as, Kicksecure's)
* Disabling coredumps in limits.conf
* Disabling all ports and services for firewalld
* Adding per-network MAC randomization
* Blacklisting numerous unused kernel modules to reduce attack surface
* Requiring a password for sudo every time it is called
* Disabling passwordless sudo for rpm-ostree
* Setting more restrictive file permissions (based on recommendations from lynis)
* Brute force protection by locking user accounts for 24 hours after 50 failed login attempts, hardened password encryption, and password quality suggestions
* Installing chkrootkit
* Disabling unprivileged user namespaces
* Replacing bubblewrap with bubblewrap-suid so flatpak can be used without unprivileged user namespaces
* Setting numerous hardening kernel parameters (inspired by Madaidan's Hardening Guide)
* Installing and enabling hardened_malloc globally, including for flatpaks
* Installing Chromium into the base image (Why chromium?) (Why not flatpak chromium?)
* Including a hardened chromium config (disabling JIT javascript)
* Pushing upstream fedora to harden the build for all fedora users, including secureblue users (for example, by enabling CFI)

## Why

Fedora is one of the few distributions that ships with selinux and its associated tooling built in and enabled by default. This makes it an advantageous starting point for building a hardened system. However, out of the box it lacks hardening in numerous other areas. This project's goal is to improve on that significantly.
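Several items in the list above (hardened sysctls, coredumps disabled in limits.conf, unprivileged user namespaces disabled, sudo asking for a password every time) are plain configuration and can be verified after installation. The following POSIX sh script is an added example, not code from the secureblue repo: it audits three of those settings by reading the configuration files under a root directory, so it can be pointed at `/` on a running system or at a constructed tree. The file paths and exact values it looks for (`user.max_user_namespaces = 0` in `/etc/sysctl.d`, `* hard core 0` in `/etc/security/limits.conf`, `Defaults timestamp_timeout=0` in sudoers) are assumptions about how these items are commonly expressed on Fedora, not values taken from secureblue's own config; the sample tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the secureblue repo: audit a few of the
# hardening settings listed above by reading configuration files under a
# root directory (pass / on a running system, or a constructed tree).
# The file paths and the exact setting values are assumptions about how
# these items are commonly expressed on Fedora, not values taken from
# secureblue's own config.

# Print the last value assigned to sysctl key $2 in $1/etc/sysctl.d/*.conf,
# ignoring comments; later files override earlier ones, as sysctl applies them.
sysctl_value() {
    root=$1 key=$2
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')
    cat "$root"/etc/sysctl.d/*.conf 2>/dev/null |
        sed 's/#.*//' |
        grep -E "^[[:space:]]*${esc}[[:space:]]*=" |
        tail -n 1 |
        sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Succeed if a Defaults line in $1/etc/sudoers or $1/etc/sudoers.d/* sets
# timestamp_timeout=0, which makes sudo ask for a password on every call.
sudo_timeout_zero() {
    cat "$1"/etc/sudoers "$1"/etc/sudoers.d/* 2>/dev/null |
        sed 's/#.*//' |
        grep -qE '^[[:space:]]*Defaults.*timestamp_timeout[[:space:]]*=[[:space:]]*0([[:space:]]|,|$)'
}

# run_check DESCRIPTION COMMAND [ARGS...]: print PASS/FAIL, return the result.
run_check() {
    desc=$1; shift
    if "$@"; then echo "PASS  $desc"; return 0; fi
    echo "FAIL  $desc"; return 1
}

# Run all checks against root $1; return the number of failures.
audit_hardening() {
    root=$1 fails=0
    run_check "unprivileged user namespaces disabled (user.max_user_namespaces = 0)" \
        test "$(sysctl_value "$root" user.max_user_namespaces)" = 0 || fails=$((fails + 1))
    run_check "coredumps disabled in limits.conf (* hard core 0)" \
        grep -qsE '^[[:space:]]*\*[[:space:]]+hard[[:space:]]+core[[:space:]]+0([[:space:]]|$)' \
        "$root/etc/security/limits.conf" || fails=$((fails + 1))
    run_check "sudo requires a password every time (timestamp_timeout=0)" \
        sudo_timeout_zero "$root" || fails=$((fails + 1))
    echo "$fails check(s) failed"
    return "$fails"
}

# Constructed sample tree that satisfies all three checks; prints its path.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/sysctl.d" "$d/etc/security" "$d/etc/sudoers.d"
    printf 'kernel.kptr_restrict = 2\nuser.max_user_namespaces = 0\n' \
        > "$d/etc/sysctl.d/99-hardening.conf"
    printf '# constructed sample\n*  hard  core  0\n' > "$d/etc/security/limits.conf"
    printf 'Defaults timestamp_timeout=0\n' > "$d/etc/sudoers.d/hardening"
    echo "$d"
}

# Demo against the constructed tree; on a real system run: audit_hardening /
sample=$(make_sample_root)
audit_hardening "$sample"
rm -rf "$sample"
```

The exit status of `audit_hardening` is the number of failed checks, so it can be dropped into a post-install script or a CI job that builds the image and fails the pipeline when a setting regresses. Reading `/etc/sudoers` needs root, which is why errors from `cat` are silenced and a missing file simply counts as a failed check.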
For more info on uBlue, check out the uBlue homepage and the main uBlue repo.

## Installation

> **Warning**
> This is an experimental feature and should not be used in production; try it in a VM for a while!

### Available Images

#### desktop

* kinoite-main-hardened
* kinoite-nvidia-hardened
* silverblue-main-hardened
* silverblue-nvidia-hardened
* sericea-main-hardened
* sericea-nvidia-hardened

#### laptop

* kinoite-main-laptop-hardened
* kinoite-nvidia-laptop-hardened
* silverblue-main-laptop-hardened
* silverblue-nvidia-laptop-hardened
* sericea-main-laptop-hardened
* sericea-nvidia-laptop-hardened

#### server

* server-main-hardened
* server-nvidia-hardened

### Rebasing

To rebase an existing Silverblue/Kinoite installation to the latest build:

* First rebase to the unsigned image, to get the proper signing keys and policies installed:

  ```
  rpm-ostree rebase ostree-unverified-registry:ghcr.io/secureblue/$IMAGE_NAME:latest
  ```

* Reboot to complete the rebase:

  ```
  systemctl reboot
  ```

* Then rebase to the signed image, like so:

  ```
  rpm-ostree rebase ostree-image-signed:docker://ghcr.io/secureblue/$IMAGE_NAME:latest
  ```

* Reboot again to complete the installation:

  ```
  systemctl reboot
  ```

### Post-install

After installation, yafti will open. Make sure to follow the steps listed carefully and read the directions closely.

### Kargs

To append kernel boot parameters that apply additional hardening (reboot required):

```
just set-kargs-hardening
```

### Nvidia

If you are using an nvidia image, run this after installation:

```
rpm-ostree kargs \
    --append=rd.driver.blacklist=nouveau \
    --append=modprobe.blacklist=nouveau \
    --append=nvidia-drm.modeset=1
```

## Contributing

Follow the contributing documentation, and make sure to respect the CoC.

## Development

For local development, building locally is the recommended approach.
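The rebase above is a two-stage procedure whose order matters: the unverified image is pulled first so that its signing keys and policy are installed, and only then is the signed reference pulled. The POSIX sh helper below is an added example, not part of the secureblue repo or its tooling: it validates an image name against the lists above and, given the reference of the currently booted deployment, prints the rpm-ostree command for the next stage (or `done`). It never runs rpm-ostree itself; reading the current reference from `rpm-ostree status` and feeding it in is an assumed workflow, and the sample references used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the secureblue repo: validate an image name
# against the README's list and print the next step of the two-stage rebase
# for the deployment you are booted into. It prints commands rather than
# running them; taking the current reference from `rpm-ostree status` is an
# assumed workflow, and nothing here invokes rpm-ostree.

REGISTRY=ghcr.io/secureblue

# Image names as listed in the README, whitespace-separated for POSIX sh.
AVAILABLE_IMAGES="kinoite-main-hardened kinoite-nvidia-hardened
silverblue-main-hardened silverblue-nvidia-hardened
sericea-main-hardened sericea-nvidia-hardened
kinoite-main-laptop-hardened kinoite-nvidia-laptop-hardened
silverblue-main-laptop-hardened silverblue-nvidia-laptop-hardened
sericea-main-laptop-hardened sericea-nvidia-laptop-hardened
server-main-hardened server-nvidia-hardened"

# Succeed only if $1 is one of the published image names.
valid_image() {
    for img in $AVAILABLE_IMAGES; do
        [ "$img" = "$1" ] && return 0
    done
    return 1
}

# Print the reference for stage $1 ("unverified" or "signed") of image $2,
# using the same two reference forms the README's rebase commands use.
image_ref() {
    case $1 in
        unverified) echo "ostree-unverified-registry:$REGISTRY/$2:latest" ;;
        signed)     echo "ostree-image-signed:docker://$REGISTRY/$2:latest" ;;
        *) echo "unknown stage: $1" >&2; return 1 ;;
    esac
}

# next_rebase_step CURRENT_REF IMAGE: print the rpm-ostree command for the
# next stage, or "done" once the signed image is booted. The unverified stage
# always comes first so the signing keys and policy are in place before the
# signed reference is pulled. Reboot after each printed command, as the
# README directs.
next_rebase_step() {
    current=$1 image=$2
    valid_image "$image" || { echo "unknown image: $image" >&2; return 1; }
    case $current in
        "$(image_ref signed "$image")")     echo "done" ;;
        "$(image_ref unverified "$image")") echo "rpm-ostree rebase $(image_ref signed "$image")" ;;
        *) echo "rpm-ostree rebase $(image_ref unverified "$image")" ;;
    esac
}

# Demo with constructed current references: a stock Fedora deployment, then
# the deployment after each stage of the rebase.
next_rebase_step "fedora/39/x86_64/silverblue" silverblue-main-hardened
next_rebase_step "$(image_ref unverified silverblue-main-hardened)" silverblue-main-hardened
next_rebase_step "$(image_ref signed silverblue-main-hardened)" silverblue-main-hardened
```

Because the helper only prints, the output can be reviewed before it is run, and an image name that is not in the published list is rejected before any reference is built, which catches a typo in `$IMAGE_NAME` before it turns into a pull of a non-existent or unintended image.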