Part of Barrer Software | Based on Ubuntu 24.04 LTS
SecureOS is a hardened Linux distribution designed with security and privacy as the primary focus. Perfect for security-conscious users, privacy advocates, and enterprise deployments.
🌐 Website: https://secureos.xyz
📦 Packages: https://packages.secureos.xyz
💻 GitHub: https://github.com/barrersoftware/SecureOS
📥 Downloads: https://github.com/barrersoftware/SecureOS/releases
- Full Disk Encryption: LUKS2 encryption with Argon2id key derivation
- Hardened Kernel: Security-focused kernel parameters and lockdown mode
- Mandatory Access Control: AppArmor profiles enforced by default
- Firewall: UFW (Uncomplicated Firewall) pre-configured with deny-by-default
- Audit Logging: Comprehensive system auditing with auditd
- Automatic Security Updates: Unattended security patches
- Intrusion Detection: Fail2ban, AIDE, rkhunter, chkrootkit
- Antivirus: ClamAV with automatic definition updates
- Application Sandboxing: Firejail integration for application isolation
- No Telemetry: All telemetry and error reporting disabled
- Encrypted DNS: DNS over TLS with privacy-focused providers (Quad9, Cloudflare)
- MAC Randomization: Network privacy through MAC address randomization
- Tor Support: Pre-installed Tor and Privoxy for anonymous browsing
- Metadata Removal: MAT2 tool for cleaning file metadata
- Minimal Data Collection: No user tracking or analytics
- Kernel lockdown mode enabled
- Secure boot support
- Disabled unnecessary services
- Restricted kernel module loading
- Protected kernel pointers and dmesg
- Hardened network stack
- Secure default permissions
- Root login disabled
- Strong password policies
- SSH hardened configuration
- A computer with:
- 64-bit x86 processor
- 2GB RAM minimum (4GB recommended)
- 20GB disk space minimum
- UEFI or Legacy BIOS support
-
Clone or copy SecureOS files:
cd /home/ubuntu/SecureOS -
Run the ISO builder (requires root):
sudo bash scripts/build_iso.sh
-
Wait for build to complete:
- This process takes 30-60 minutes depending on your system
- The ISO will be created in
iso-build/directory
-
Verify checksums:
cd iso-build sha256sum -c SecureOS-1.0.0-amd64.iso.sha256
sudo dd if=SecureOS-1.0.0-amd64.iso of=/dev/sdX bs=4M status=progress
syncsudo dd if=SecureOS-1.0.0-amd64.iso of=/dev/rdiskX bs=4m- Boot from installation media
- Select language and keyboard layout
- Run the interactive installer:
- Quick Install: Recommended secure defaults
- Custom Install: Full configuration options
- Configure basic settings:
- Hostname
- Username and password
- Disk selection
- Review and confirm installation
- Wait for installation to complete
- Reboot into your new SecureOS system
sudo secureos-auditsudo apt update && sudo apt upgrade -y# Allow specific services
sudo ufw allow 22/tcp # SSH
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPSsystemctl start tor
# Configure browser to use SOCKS proxy: localhost:9050sudo macchanger -r eth0 # Replace eth0 with your interfacesudo rkhunter --check
sudo chkrootkit- Security Defaults:
/etc/secureos/security-defaults.conf - Firewall Rules:
/etc/ufw/ - AppArmor Profiles:
/etc/apparmor.d/ - Audit Rules:
/etc/audit/rules.d/ - Kernel Parameters:
/etc/sysctl.d/99-secureos-hardening.conf
| Tool | Purpose |
|---|---|
| UFW | Firewall management |
| AppArmor | Mandatory access control |
| Auditd | System audit logging |
| Fail2ban | Intrusion prevention |
| ClamAV | Antivirus scanning |
| AIDE | File integrity monitoring |
| rkhunter | Rootkit detection |
| chkrootkit | Rootkit scanner |
| Firejail | Application sandboxing |
| Tor | Anonymous networking |
| MAT2 | Metadata removal |
| Bleachbit | Privacy cleaning |
qemu-system-x86_64 -m 2048 -enable-kvm \
-cdrom SecureOS-1.0.0-amd64.iso \
-boot d- Create new VM with Linux/Ubuntu (64-bit)
- Allocate 2GB RAM minimum
- Create 20GB virtual disk
- Attach ISO to optical drive
- Start VM
- Create new VM
- Select "Install from disc image"
- Choose SecureOS ISO
- Configure 2GB RAM, 20GB disk
- Power on VM
Automatic security updates are enabled by default. To check status:
sudo systemctl status unattended-upgradessudo apt update
sudo apt upgradesudo ufw status verbosesudo secureos-auditsudo freshclamsudo clamscan -r /homeEdit /etc/secureos/security-defaults.conf and change settings:
[Privacy]
randomize_mac=false # Disable MAC randomization
[Hardening]
disable_bluetooth=false # Enable BluetoothThen reboot or run:
sudo /usr/local/sbin/apply-secureos-settingssudo ufw allow from 192.168.1.0/24 to any port 22
sudo ufw reloadsudo aa-genprof /path/to/application- Check UEFI/Legacy BIOS settings
- Disable Secure Boot if necessary
- Verify ISO checksum
- Check if firewall is blocking:
sudo ufw status - Verify DNS configuration:
systemd-resolve --status - Test connectivity:
ping 1.1.1.1
- Check AppArmor:
sudo aa-status - View denials:
sudo journalctl -xe | grep -i apparmor - Set profile to complain mode:
sudo aa-complain /path/to/profile
SecureOS/
├── installer/ # Interactive installer
│ └── secure_installer.py # Python curses-based installer
├── config/ # Configuration files
│ └── security-defaults.conf
├── scripts/ # Build and maintenance scripts
│ ├── build_iso.sh # ISO builder
│ └── post_install_hardening.sh
└── iso-build/ # Output directory for ISO
SecureOS is designed to be community-driven. Contributions are welcome!
- Additional security hardening
- Privacy tools integration
- Documentation improvements
- Bug fixes and testing
- Localization
- Physical access attacks
- Zero-day exploits
- User error (weak passwords, social engineering)
- State-level adversaries with unlimited resources
- Hardware backdoors
- Use strong, unique passwords
- Keep system updated
- Review audit logs regularly
- Use encryption for sensitive data
- Be cautious with unknown software
- Regular backups
SecureOS is based on Ubuntu/Debian and inherits their respective licenses. Custom components are provided as-is for educational and security purposes.
For issues, questions, or contributions:
- Check documentation
- Review logs:
/var/log/ - Run security audit:
sudo secureos-audit
- Zero Trust Architecture: Never trust, always verify with OPA and microsegmentation
- HSM Integration: TPM 2.0 and YubiKey support for hardware-backed security
- Threat Intelligence: Real-time feeds, Suricata IDS, YARA scanning, automated blocking
- Cloud Security: AWS/Azure/GCP auditing, compliance, IaC scanning, Falco protection
- Enterprise Features: Complete security platform for financial, healthcare, government sectors
- Live ISO Environment: Bootable desktop with XFCE
- Advanced Installer: Interactive desktop/server selection
- 12 Server Roles: Web, VPN, dev, VS Code, file, ZFS, mail, DB, monitoring, containers, backup
- Professional Deployment: Production-ready server configurations
- Complete Documentation: Full guides for all features
- Custom Kernel Builder: Build hardened kernels with security patches
- Advanced IDS: Real-time intrusion detection with automated response
- GUI Security Manager: PyQt5-based graphical management interface
- APT Repository: Host custom SecureOS packages
- Enhanced privacy and container security
- VPN Integration: WireGuard and OpenVPN with kill switch
- Enhanced MAC Randomization: Per-connection privacy
- Container Security: Docker/LXC hardening with seccomp
- SecureOS CLI: Interactive command-line management
- Custom Packages: Debian packages for easy installation
- Base system on Ubuntu 24.04.3 LTS
- Full disk encryption with LUKS2
- Kernel hardening with security parameters
- AppArmor enforcement
- UFW firewall pre-configured
- Audit logging with auditd
- Privacy-focused DNS
- Automatic security updates
- Interactive installer with curses interface
- Comprehensive security toolset
- VPN integration (WireGuard & OpenVPN)
- Enhanced MAC randomization
- Container security hardening
- Additional desktop environments
- Secure boot signing (in progress)
- Biometric authentication support (planned)
- Custom kernel builder with security patches
- Advanced intrusion detection system
- Automated security response
- Enhanced privacy features
- GUI security management tools
- APT repository infrastructure
- Live ISO with desktop environment
- Advanced interactive installer
- Desktop vs Server installation modes
- 12 pre-configured server roles
- Role-based service installation
- Web host, VPN, dev environment, VS Code Server
- File server with ZFS, mail server, databases
- Monitoring stack, container host, backup server
- Zero-trust network architecture
- Hardware security module integration (TPM 2.0, YubiKey)
- Advanced threat intelligence
- Cloud security integration (AWS, Azure, GCP)
- Multi-cloud compliance monitoring
- Runtime workload protection
- AI-powered threat detection (ML-based behavioral analysis)
- Blockchain-based audit logs (immutable security logging)
- Quantum-resistant cryptography (NIST PQC algorithms)
- Self-healing security (autonomous remediation)
- Advanced malware sandboxing (hardware-isolated analysis)
- Decentralized security mesh
- Homomorphic encryption for data-in-use protection
- AI-driven security orchestration (SOAR)
- Federated threat intelligence sharing
- Secure multi-party computation
Copyright © 2025 Barrer Software. All rights reserved.
SecureOS is free and open source software, licensed under the MIT License.
- 📄 See LICENSE for full license text
- 📋 See COPYRIGHT.md for detailed attribution and third-party licenses
- 🌐 Website: https://secureos.xyz
- SecureOS is a trademark of Barrer Software
- Ubuntu is a registered trademark of Canonical Ltd.
- All other trademarks are property of their respective owners
SecureOS is based on Ubuntu 24.04 LTS and includes numerous open source components. Each component retains its original license and copyright. See COPYRIGHT.md for details.
SecureOS - Security and Privacy First | Barrer Software © 2025