Warning
Do not rebase to one of the hardened Fedora variants in this repo at this stage. Kernels are unsigned and the hardened_malloc is causing issues. See this repo in the meantime.
Update August 2023: Builds are building, so the infrastructure is in place. I do not recommend rebasing to one of the hardened variants in this repo at this stage. Kernels are unsigned and the hardened_malloc is causing issues.
Currently working on creating and testing bash scripts that implement many of the hardening features over in this repo. The benefit of the bash script is that it's aimed at working on an existing install of Silverblue/Kinoite/Sericea/Vauxite/Onyx, so there's no need to rebase your entire image just yet. There's also an uninstall script that more-or-less reverts everything back to normal.
Once the script is fully operational then I will turn my attention to this repo again and get the builds to incorporate all the hardening features.
In the meantime, if anyone can help with getting the hardened kernel signed server-side so SecureBoot can continue to work, that would be a great help!
- Solidcore = hardened base (no desktop)
- Solidblue = hardened Silverblue (GNOME Desktop)
- Kinsolid = hardened Kinoite (KDE Desktop)
- Sersolid = hardened Sericea (Sway Desktop) - pronounced 'Sir Solid'
- Solidx = hardened Vauxite (XFCE Desktop)
- Solidbud = hardened Onyx (Budgie Desktop, to be released when Fedora 39 is available)
All based on Fedora community maintained images, with custom hardening to further improve security. Hardening invariably may reduce usability, so pin your current installation before re-basing to one of the Solidcore builds so you can always revert back to your previous rpm-ostree configuration.
This project will focus on customisations that improve the security of the operating system and hardware. Few, if any, user-facing improvements will be made - such as pre-installing a separate browser, a VPN product, etc.
- rebase images to hardened linux kernel
- add hardened_malloc (currently on hold - breaks login function on GNOME)
- add auto updates for rpm-ostree and flatpak
- baked-in support for Yubikey, Nitrokey and Google Titan USB
- add USBGuard to lockdown USB ports
- harden network settings to block various ICMP based attacks
- revised firewall rules
- implement DNSCrypt-proxy to encrypt all DNS lookups
- review potential data leaks, e.g. fedora pings, NTP servers
- lock root access
- enforce strong passwords
- remove unique identifiers
- disable core dumps
- review of SELinux policies
- plus more...
- installation of Silverblue (or other version of immutable Fedora) on a LUKS encrypted HDD/SSD.
Details to follow...
- Configure and enable USBGuard - details to follow
- Configure and restart DNSCrypt-proxy
- Consider installing a more secure and private out-of-the-box browser
- Use a VPN on non-WPA3 wifi connections
People needed to:
- Port sodalite into Solidcore (planned name... wait for it... Sosolid 😅)
- Create logo
- Test builds
- Document use cases
- Suggest ideas and improvements
- GrapheneOS for creating the hardened kernel and hardened malloc library
- Arch Linux team for maintaining the hardened kernel
- Divested Computer Group for maintaining the hardened malloc library
- HardHatOS for inspiring this project and creating the RPM build of the hardened kernel and malloc library
- Fedora team, especially the CoreOS developers
- Jorge Castro and the Universal Blue team for inspiring the creation of custom build immutable images and providing templates for us to use!