I'm developing a Linux hardening script. The goal is to develop the most secure system possible, while not sacrificing usability.

@Serpent27 Maybe start with (Or install OpenBSD, as that's immune to almost all Linux vulnerabilities.)

While I could install OpenBSD to avoid Linux vulnerabilities, that doesn't protect me against OpenBSD vulnerabilities.

@Serpent27 Do your scripts have any advantage over [just nailing everything down tight with SELinux] while we wait for the Linux ecosystem to be rewritten in Rust?

My scripts set up AppArmor with a set of default policies if you're running an Artix system. However, this doesn't protect against certain vulnerabilities. For example, even an app isolated via SELinux cannot be protected against vulnerabilities in the kernel itself, while my script's boot parameter and sysctl hardening can prevent such vulnerabilities from allowing malicious code to escape isolation by hardening the kernel itself.
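An added example, not part of the thread and not taken from the author's scripts: a small audit that compares `sysctl -a` output against a hardened baseline and reports weak or missing settings. The baseline keys are a handful of values recommended in Madaidan's guide, chosen here as an assumption about the kind of sysctl hardening meant; the function names and sample input are constructed.

```shell
#!/bin/sh
# Baseline: sysctl values recommended in Madaidan's Linux hardening guide.
# Assumption: picked for this example, not the set the author's scripts apply.
BASELINE="kernel.kptr_restrict=2 kernel.dmesg_restrict=1 kernel.unprivileged_bpf_disabled=1"
BASELINE="$BASELINE net.core.bpf_jit_harden=2 kernel.kexec_load_disabled=1 kernel.yama.ptrace_scope=2"

# audit_sysctl: read `sysctl -a`-style lines ("key = value") on stdin and print
# one finding per baseline key that is missing or set below the baseline.
# For the keys above a higher number is at least as strict, so "<" means weaker.
audit_sysctl() {
    awk -v baseline="$BASELINE" '
        BEGIN {
            n = split(baseline, rows, " ")
            for (i = 1; i <= n; i++) {
                split(rows[i], kv, "=")
                want[kv[1]] = kv[2]; order[i] = kv[1]
            }
        }
        {
            line = $0; gsub(/[ \t]/, "", line)   # accept "k = v" and "k=v"
            eq = index(line, "=")
            if (eq > 0) have[substr(line, 1, eq - 1)] = substr(line, eq + 1)
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in have)) printf "MISSING %s (want %s)\n", k, want[k]
                else if (have[k] + 0 < want[k] + 0) printf "WEAK %s=%s (want %s)\n", k, have[k], want[k]
            }
        }'
}

# Constructed sample in `sysctl -a` format (not captured from a real host).
sample_sysctl() {
    cat <<'EOF'
kernel.kptr_restrict = 1
kernel.dmesg_restrict = 1
kernel.unprivileged_bpf_disabled = 0
net.core.bpf_jit_harden = 2
kernel.yama.ptrace_scope = 2
EOF
}

# On a live host: sysctl -a 2>/dev/null | audit_sysctl
sample_sysctl | audit_sysctl
```

A key reported as MISSING may simply not exist on the running kernel, so treat it as something to check rather than a definite weakness.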

@Serpent27 Oh, you're using AppArmor. I remember looking into AppArmor years ago. I concluded that "AppArmor is easier to use, which makes it better and safer than SELinux" conflicted with my lemma, "If you don't find SELinux easy, then you should leave security to someone else (and probably do front-end dev or something with paint by numbers)." I look forward to making time to read your scripts. Thanks.

I chose AppArmor because these scripts are meant to bring improved security to the average Linux desktop. The "AppArmor is easier to use" point is a trade-off to allow not-so-expert users to have at least a hope of customizing their MAC. Although my scripts mostly use Bubblewrap to provide isolation, not the full-system MAC.

Also, I would like to shout out to Whonix developer Madaidan. My script uses many of the hardening measures discussed in his Linux hardening guide, as well as measures from Arch Wiki's security guide.


Additionally, my scripts increase the difficulty of heap exploitation to initially gain access to a system by using Daniel Micay's hardened malloc. For the even more paranoid, my scripts allow users to enforce isolation via QEMU-KVM, which is itself isolated within a Bubblewrap sandbox. I also include scripts for sandboxing basic functionality within the command line, such as isolating GPG, mplayer, mpv, elinks, and more, within a Bubblewrap sandbox.

@Serpent27 Is there any comparison between your scripts and GrSecurity?

My scripts do not replace GrSecurity. They are additional hardening that is applied on top of an already-hardened kernel.
