diff --git a/_includes/header.html b/_includes/header.html index 76650195..db3cf3c4 100644 --- a/_includes/header.html +++ b/_includes/header.html @@ -2,15 +2,15 @@ diff --git a/_includes/hero.html b/_includes/hero.html index 660c0cf2..009eea38 100644 --- a/_includes/hero.html +++ b/_includes/hero.html @@ -1,8 +1,8 @@ -
+

secureblue

-

Offering hardened operating system images and the hardened-chromium package. Developed collaboratively as an open source project.

+

A security-focused desktop and server linux operating system.

Get secureblue
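Review bot: the new tagline in the hero.html hunk writes "linux" in lowercase ("desktop and server linux operating system") while INDEX.md in this same change writes "Linux distributions"; pick one capitalization (Linux, the proper-noun form, is conventional) and apply it across hero.html, INDEX.md and FEATURES.md ("linux security posture"). The tagline also drops the mention of hardened-chromium that the old text carried; if that is intentional it is fine, since the new FEATURES.md lists it.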
diff --git a/assets/bitcoin.png b/assets/bitcoin.png new file mode 100644 index 00000000..4c1ab8d4 Binary files /dev/null and b/assets/bitcoin.png differ diff --git a/assets/ethereum.png b/assets/ethereum.png new file mode 100644 index 00000000..607995d4 Binary files /dev/null and b/assets/ethereum.png differ diff --git a/assets/litecoin.png b/assets/litecoin.png new file mode 100644 index 00000000..c31bd23e Binary files /dev/null and b/assets/litecoin.png differ diff --git a/assets/main.css b/assets/main.css index 6402a7b4..baefa043 100644 --- a/assets/main.css +++ b/assets/main.css @@ -296,6 +296,10 @@ main.normalize { align-items: center; flex-flow: row nowrap; justify-content: space-between; + max-width: 832px; + margin-left: auto; + margin-right: auto; + padding: 3.5rem 1rem; } .hero h1 { diff --git a/assets/monero.png b/assets/monero.png new file mode 100644 index 00000000..d5d3a86f Binary files /dev/null and b/assets/monero.png differ diff --git a/content/CONTRIBUTING.md b/content/CONTRIBUTING.md index 95f02faf..48c14fb6 100644 --- a/content/CONTRIBUTING.md +++ b/content/CONTRIBUTING.md @@ -4,14 +4,6 @@ description: "How to contribute to secureblue" permalink: /contributing --- -# Welcome to secureblue - -Thanks for taking the time to look into helping out! -All contributions are appreciated! -Please refer to our [Code of Conduct](/code-of-conduct) while you're at it! - -Feel free to report issues as you find them! - # Contributing All types of contributions are encouraged and valued. See the [Table of Contents](#table-of-contents) for different ways to help and details about how this project handles them. Please make sure to read the relevant section before making your contribution. It will make it a lot easier for us maintainers and smooth out the experience for all involved. The community looks forward to your contributions. 
@@ -36,8 +28,7 @@ All types of contributions are encouraged and valued. See the [Table of Contents ## Code of Conduct -This project and everyone participating in it is governed by the -CONTRIBUTING.md Code of Conduct. +This project and everyone participating in it is governed by the [Code of Conduct](/code-of-conduct). By participating, you are expected to uphold this code. Please report unacceptable behavior to secureblueadmin@proton.me diff --git a/content/DONATE.md b/content/DONATE.md index b8819179..fcbe235d 100644 --- a/content/DONATE.md +++ b/content/DONATE.md @@ -1,5 +1,5 @@ --- -title: "Donate to secureblue" +title: "Donate | secureblue" description: "Donation options for secureblue" permalink: /donate --- @@ -14,24 +14,24 @@ There are multiple options available for donation: ## Bitcoin - + `bc1qj4nxpfhsgj3f7w8c2689kq865apfla2jyxgaem` ## Monero - + `43fry9taGiwhAtNYEZNfssdzJ8Ra12ewAbQoVsvFzoLS6qMSgsE2FvE7xY52rAnKjPL5r2N88KYvqXpthUfSwa23K1BBMD9` ## Litecoin - + `ltc1q65hpetza8stgje640pcn25mef6xpdzxqazcawq` ## Ethereum - + `0x10289B51aEF109BBc07F68341F2Df8Ef60a5b618` diff --git a/content/FAQ.md b/content/FAQ.md index 6d6cb34b..763e0ea6 100644 --- a/content/FAQ.md +++ b/content/FAQ.md @@ -32,11 +32,12 @@ Table of contents: - [Why won't `hardened-chromium` start on Nvidia?](#hardened-chromium-start-nvidia) - [Why don't some websites that require JIT/WebAssembly work in `hardened-chromium` even with the V8 Optimizer toggle enabled?](#hardened-chromium-exceptions) - [Why don't extensions work in `hardened-chromium`?](#hardened-chromium-extensions) +- [How do I customize secureblue?](#customization) #### Why is Flatpak included? Should I use Flatpak? {: #flatpak} -[https://github.com/secureblue/secureblue/issues/125#issuecomment-1859610560](https://github.com/secureblue/secureblue/issues/125#issuecomment-1859610560) +Consult our Flatpak article. #### Should I use Electron apps? Why don't they work well with hardened_malloc? {: #electron} 
@@ -209,3 +210,8 @@ Extensions in `hardened-chromium` are disabled by default, for security reasons \ \ If the extension you installed doesn't work, it is likely because it requires WebAssembly (WASM) for some cryptographic library or some other optimizations (this is the case with the Bitwarden extension). To re-enable JavaScript JIT and WASM for extensions, enable the feature `chrome://flags/#internal-page-jit`. + +#### How do I customize secureblue? +{: #customization} + +If you want to add your own customizations on top of secureblue, you are advised strongly against forking. Instead, create a repo for your own image by using the [BlueBuild template](https://github.com/blue-build/template), then change your `base-image` to a secureblue image. This will allow you to apply your customizations to secureblue in a concise and maintainable way, without the need to constantly sync with upstream. For local development, [building locally](/contributing#building-locally) is the recommended approach. \ No newline at end of file diff --git a/content/FEATURES.md b/content/FEATURES.md new file mode 100644 index 00000000..1994f4f9 --- /dev/null +++ b/content/FEATURES.md 
@@ -0,0 +1,48 @@ +--- +title: "Features | secureblue" +description: "List of secureblue features" +permalink: /features +--- + +# Features + +## Exploit mitigation +- Installing and enabling [hardened_malloc](https://github.com/GrapheneOS/hardened_malloc) globally, including for flatpaks. [Thanks to rusty-snake's spec](https://github.com/rusty-snake/fedora-extras) +- Installing [hardened-chromium](https://github.com/secureblue/hardened-chromium), which is inspired by [Vanadium](https://github.com/GrapheneOS/Vanadium). [Why chromium?](https://grapheneos.org/usage#web-browsing) [Why not flatpak chromium?](https://forum.vivaldi.net/post/669805) +- Setting numerous hardened sysctl values [details](https://github.com/secureblue/secureblue/blob/live/files/system/etc/sysctl.d/hardening.conf) +- Sets numerous hardening kernel arguments (Inspired by [Madaidan's Hardening Guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html)) [details](/articles/kargs) +- Configure chronyd to use Network Time Security (NTS) [using chrony config from GrapheneOS](https://github.com/GrapheneOS/infrastructure/blob/main/chrony.conf) +- Set opportunistic DNSSEC and DNSOverTLS for systemd-resolved +- Installing usbguard and providing `ujust` commands to automatically configure it + +## Filling holes in the linux security posture +- Remove SUID-root from [numerous binaries](https://github.com/secureblue/secureblue/blob/live/files/scripts/removesuid.sh), replacing functionality [using capabilities](https://github.com/secureblue/secureblue/blob/live/files/system/usr/bin/setcapsforunsuidbinaries), and remove `sudo`, `su`, and `pkexec` entirely in favor of `run0` [why?](https://mastodon.social/@pid_eins/112353324518585654) +- Disable Xwayland by default (for GNOME, Plasma, and Sway images) +- Mitigation of [LD_PRELOAD attacks](https://github.com/Aishou/wayland-keylogger) via `ujust toggle-bash-environment-lockdown` +- Require wheel user authentication via polkit for `rpm-ostree 
install` [why?](https://github.com/rohanssrao/silverblue-privesc) +- Disable install & usage of GNOME user extensions by default +- Disable KDE GHNS by default [why?](https://blog.davidedmundson.co.uk/blog/kde-store-content/) +- Removal of the unmaintained and suid-root fuse2 by default +- Disabling unprivileged user namespaces by default for the unconfined domain and the container domain [why?](/articles/userns) + +## Security by default +- Disabling all ports and services for firewalld +- Use HTTPS for all rpm mirrors +- Set all default container policies to `reject`, `signedBy`, or `sigstoreSigned` +- Enabling only the [flathub-verified](https://flathub.org/apps/collection/verified/1) remote by default + +## Reduce information leakage +- Adds per-network MAC randomization +- Disabling coredumps + +## Attack surface reduction +- Blacklisting numerous unused kernel modules to reduce attack surface [details](https://github.com/secureblue/secureblue/blob/live/files/system/etc/modprobe.d/blacklist.conf) +- Brute force protection by locking user accounts for 24 hours after 50 failed login attempts, hardened password encryption and password quality suggestions +- Disable and mask a variety of services by default (including cups, geoclue, passim, and others) + +## Security ease-of-use +- Installing bubblejail for additional sandboxing tooling +- Tooling for automatically setting up and enabling LUKS TPM2 integration for unlocking LUKS drives +- Tooling for automatically setting up and enabling LUKS FIDO2 integration for unlocking LUKS drives +- Toggles for controlling access to [unprivileged user namespaces](/articles/userns) via SELinux +- Toggles for a variety of the hardening set by default, for user convenience (`ujust --choose`) diff --git a/content/IMAGES.md b/content/IMAGES.md index c3d04d01..35deb6c0 100644 --- a/content/IMAGES.md +++ b/content/IMAGES.md 
@@ -9,30 +9,20 @@ permalink: /images Table of Contents - [Desktop](#desktop) - - [Recommended](#recommended) -- - - [Silverblue](#silverblue) - - [Stable](#stable) -- - - [Kinoite](#kinoite) -- - - [Sericea](#sericea) - - [Beta](#beta) -- - - [Wayfire](#wayfire) -- - - [Hyprland](#hyprland) -- - - [River](#river) -- - - [Sway](#sway) - - [Experimental](#experimental) -- - - [Cosmic](#cosmic) - [Server](#server) -*`nvidia-open` images are recommended for systems with NVIDIA GPUs Turing or newer. These include the new [open kernel modules](https://github.com/NVIDIA/open-gpu-kernel-modules) from NVIDIA, not Nouveau.* - -*`nvidia` images are recommended for systems with NVIDIA GPUs Pascal or older. These include the closed kernel modules from NVIDIA.* +{% include alert.html type='note' content='nvidia-open images are recommended for systems with NVIDIA GPUs Turing or newer. These include the new open kernel modules from NVIDIA, not Nouveau. nvidia images are recommended for systems with NVIDIA GPUs Pascal or older. These include the closed kernel modules from NVIDIA.' %} ## Desktop ### Recommended -#### Silverblue +{% include alert.html type='note' content='Silverblue utilizes GNOME, which is the only desktop that secures privileged wayland protocols like screencopy. This means that on non-GNOME systems, applications can access screen content of the entire desktop. This implicitly includes the content of other applications. It\'s primarily for this reason that GNOME images are recommended. KDE has plans to fix this.GNOME also provides thumbnailer sandboxing in Gnome Files, which mitigates attacks via thumbnailers. The recommendation of GNOME is a relative recommendation between the desktop environments available on secureblue. GNOME has some extra security niceties like the ones listed below. It however does not solve any of the fundamental issues with desktop linux security.' 
%} -{% include alert.html type='note' content='This is a relative recommendation between the desktop environments available on secureblue. GNOME has some extra security niceties like the ones listed below. It however does not solve any of the fundamental issues with desktop linux security.' %} +#### Silverblue | Name | Base | NVIDIA Support | |-------------------------------------------|-----------|-------------------------| @@ -40,7 +30,6 @@ Table of Contents | `silverblue-nvidia-hardened` | Silverblue| Yes, closed drivers | | `silverblue-nvidia-open-hardened` | Silverblue| Yes, open drivers | -{% include alert.html type='caution' content='Silverblue utilizes GNOME, which is the only desktop that secures privileged wayland protocols like screencopy. This means that on non-GNOME systems, applications can access screen content of the entire desktop. This implicitly includes the content of other applications. It\'s primarily for this reason that GNOME images are recommended. KDE has plans to fix this.
GNOME also provides thumbnailer sandboxing in Gnome Files, which mitigates attacks via thumbnailers.' %} ### Stable diff --git a/content/INDEX.md b/content/INDEX.md index 38e35fad..e185fdf1 100644 --- a/content/INDEX.md +++ b/content/INDEX.md 
@@ -1,66 +1,17 @@ --- title: "secureblue: Hardened Fedora Atomic and Fedora CoreOS images" -description: "secureblue offers hardened operating system images based on Fedora Atomic Desktop and Fedora CoreOS" +description: "Hardened operating system images based on Fedora Atomic Desktop and Fedora CoreOS" permalink: / --- -secureblue offers hardened operating system images generated with [BlueBuild](https://blue-build.org/), using [Fedora Atomic Desktop](https://fedoraproject.org/atomic-desktops/)'s [base images](https://pagure.io/workstation-ostree-config) as a starting point. Fedora is one of the few Linux distributions that ships with selinux and associated tooling built-in and enabled by default. This makes it advantageous as a starting point for building a hardened system. However, out of the box it's lacking hardening in numerous other areas. This project's goal is to improve on that significantly. +## About -The project also maintains [hardened-chromium](https://github.com/secureblue/hardened-chromium), a hardened fork inspired by GrapheneOS's [Vanadium](https://github.com/GrapheneOS/Vanadium), using [Fedora's Chromium](https://src.fedoraproject.org/rpms/chromium) as a base, intended for use with [hardened_malloc](https://github.com/GrapheneOS/hardened_malloc) as packaged and provided by secureblue. In fact, hardened-chromium is included in the secureblue desktop images. +secureblue is a security-focused desktop and server linux operating system, developed as an open-source project. It is shipped as a set of [OCI](https://en.wikipedia.org/wiki/Open_Container_Initiative) bootable container images, which are generated with [BlueBuild](https://blue-build.org/), using [Fedora Atomic Desktop](https://fedoraproject.org/atomic-desktops/)'s [base images](https://pagure.io/workstation-ostree-config) as a starting point. Fedora is one of the few Linux distributions that ships with SELinux and associated tooling built-in and enabled by default. 
This makes it advantageous as a starting point for building a secure desktop system. However, the security posture of desktop linux is broadly and significantly lacking. The goal of secureblue is to build a maximally secure linux operating system by proactively increasing defenses against the exploitation of both known and unknown vulnerabilities while avoiding sacrificing usability for most use cases where possible. For more details, see the features list. -# Scope +## Who is secureblue for? -secureblue applies hardening with the following goals in mind: +secureblue is for those whose first priority is using linux, and second priority is security. secureblue does not claim to be the most secure option available. We are limited in that regard by the current state of desktop linux standardization, tooling, and upstream security development. What we aim for instead is to be the most secure option for those who already intend to use linux. As such, if security is your first priority, secureblue may not the best option for you. -- Increase defenses against the exploitation of both known and unknown vulnerabilities. -- Avoid sacrificing usability for most use cases where possible. -- Avoid sacrificing tangible security for "privacy", as that's often a euphemism for security theater. +## Support and community -For hardened-chromium, these goals are extended to specifically include the following: - -- Desktop-relevant patches from Vanadium. -- Changes that make secondary browser features opt-in instead of opt-out (for example, making the password manager and search suggestions opt-in). -- Changes that disable opt-in metrics and data collection, so long as they have no security implications. - -The following is out of scope across all secureblue projects: - -- Any novel functionality that is unrelated to security. -- Anything related to "degoogling" chromium. 
For example, we will not be replacing [hardened-chromium](https://github.com/secureblue/hardened-chromium) with Brave or ungoogled-chromium. Both of them make changes that sacrifice tangible security for "privacy", such as enabling MV2. [why?](https://developer.chrome.com/docs/extensions/develop/migrate/improve-security) - -# Hardening - -- Installing and enabling [hardened_malloc](https://github.com/GrapheneOS/hardened_malloc) globally, including for flatpaks. [Thanks to rusty-snake's spec](https://github.com/rusty-snake/fedora-extras) -- Installing [hardened-chromium](https://github.com/secureblue/hardened-chromium), which is inspired by [Vanadium](https://github.com/GrapheneOS/Vanadium). [Why chromium?](https://grapheneos.org/usage#web-browsing) [Why not flatpak chromium?](https://forum.vivaldi.net/post/669805) -- Setting numerous hardened sysctl values [details](https://github.com/secureblue/secureblue/blob/live/files/system/etc/sysctl.d/hardening.conf) -- Remove SUID-root from [numerous binaries](https://github.com/secureblue/secureblue/blob/live/files/scripts/removesuid.sh), replace functionality [using capabilities](https://github.com/secureblue/secureblue/blob/live/files/system/usr/bin/setcapsforunsuidbinaries), and remove `sudo`, `su`, and `pkexec` entirely in favor of `run0` [why?](https://mastodon.social/@pid_eins/112353324518585654) -- Disable Xwayland by default (for GNOME, Plasma, and Sway images) -- Mitigation of [LD_PRELOAD attacks](https://github.com/Aishou/wayland-keylogger) via `ujust toggle-bash-environment-lockdown` -- Disabling coredumps -- Disabling all ports and services for firewalld -- Adds per-network MAC randomization -- Blacklisting numerous unused kernel modules to reduce attack surface [details](https://github.com/secureblue/secureblue/blob/live/files/system/etc/modprobe.d/blacklist.conf) -- Enabling only the [flathub-verified](https://flathub.org/apps/collection/verified/1) remote by default -- Sets numerous hardening kernel 
arguments (Inspired by [Madaidan's Hardening Guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html)) [details](/articles/kargs) -- Require wheel user authentication via polkit for `rpm-ostree install` [why?](https://github.com/rohanssrao/silverblue-privesc) -- Brute force protection by locking user accounts for 24 hours after 50 failed login attempts, hardened password encryption and password quality suggestions -- Installing usbguard and providing `ujust` commands to automatically configure it -- Installing bubblejail for additional sandboxing tooling -- Set opportunistic DNSSEC and DNSOverTLS for systemd-resolved -- Configure chronyd to use Network Time Security (NTS) [using chrony config from GrapheneOS](https://github.com/GrapheneOS/infrastructure/blob/main/chrony.conf) -- Disable KDE GHNS by default [why?](https://blog.davidedmundson.co.uk/blog/kde-store-content/) -- Disable install & usage of GNOME user extensions by default -- Use HTTPS for all rpm mirrors -- Set all default container policies to `reject`, `signedBy`, or `sigstoreSigned` -- Disable a variety of services by default (including cups, geoclue, passim, and others) -- Removal of the unmaintained and suid-root fuse2 by default -- Disabling unprivileged user namespaces by default for the unconfined domain and the container domain [why?](/articles/userns) - -# Customization - -If you want to add your own customizations on top of secureblue, you are advised strongly against forking. Instead, create a repo for your own image by using the [BlueBuild template](https://github.com/blue-build/template), then change your `base-image` to a secureblue image. This will allow you to apply your customizations to secureblue in a concise and maintainable way, without the need to constantly sync with upstream. - -For local development, [building locally](/contributing#building-locally) is the recommended approach. 
- -# Support and community - -Opening [GitHub issues](https://github.com/secureblue/secureblue) for support is preferred, but [Discord](https://discord.gg/qMTv5cKfbF) is available as well and it counts with a broader community of secureblue users. \ No newline at end of file +Both [GitHub issues](https://github.com/secureblue/secureblue) and [Discord](https://discord.gg/qMTv5cKfbF) are available for support from the secureblue community. diff --git a/content/INSTALL.md b/content/INSTALL.md index 61226929..148d2988 100644 --- a/content/INSTALL.md +++ b/content/INSTALL.md @@ -1,12 +1,12 @@ --- -title: "Install secureblue" +title: "Install | secureblue" description: "Steps to install secureblue" permalink: /install --- -The recommended method to install secureblue is to first install a Fedora Atomic ISO and then rebase to a secureblue image, or to first install Fedora CoreOS if you want to use securecore server images. Unless specified otherwise, secureblue is used to refer to both the secureblue set of images and the securecore set of images, for the sake of brevity. The install script presented in a later step lets you choose between them. +# Install -Following the recommended method, you *must not* rebase from a Fedora Atomic Desktop install to securecore, or from a Fedora CoreOS install to secureblue, or from secureblue to securecore or vice-versa. +To install secureblue, you will use a Fedora Atomic (or CoreOS, for securecore) ISO to install Fedora Atomic, then rebase to a secureblue image using the installer. Unless specified otherwise, secureblue is used to refer to both the secureblue set of images and the securecore set of images, for the sake of brevity. The install script presented in a later step lets you choose between them. You *must* start from a Fedora Atomic ISO for secureblue desktop images, and *must* start from a Fedora CoreOS ISO for securecore images. Table of Contents - [Pre-install](#pre-install) 
@@ -15,7 +15,7 @@ Table of Contents - [Rebase](#rebase) - [Post-install](#post-install) -# Pre-install +## Pre-install The following is advice on what to do before and during the installation of a Fedora ISO, and how. @@ -27,23 +27,23 @@ The following is advice on what to do before and during the installation of a Fe Before rebasing and during the installation, the following checks are recommended. -## Fedora installation +### Fedora installation - Select the option to encrypt the drive you're installing to. - Use a [strong password](https://security.harvard.edu/use-strong-passwords) when prompted. - Leave the root account disabled. - Select wheel group membership for your user. -## BIOS hardening +### BIOS hardening - Ensure secureboot is enabled. - Ensure your BIOS is up to date by checking its manufacturer's website. - Disable booting from USB (some manufacturers allow firmware changes from live systems). - Set a BIOS password to prevent tampering. -# Rebase +## Rebase To rebase a Fedora Atomic or Fedora CoreOS installation to a secureblue image, download the script below. This script does not install secureblue into the existing system. It rebases (fully replaces the existing system) with secureblue. -[![Download](https://shields.io/badge/-Download-blue?style=for-the-badge&logo=download&logoColor=white)](https://github.com/secureblue/secureblue/releases/latest/download/install_secureblue.sh) +Download secureblue installer Then, run it from the directory you downloaded it to: 
@@ -51,8 +51,207 @@ Then, run it from the directory you downloaded it to: bash install_secureblue.sh ``` -# Post-install +## Post-install After installation, [yafti](https://github.com/ublue-os/yafti) will open. Make sure to follow the steps listed carefully and read the directions closely. -Then follow the [post-install instructions](/post-install). \ No newline at end of file +Then, follow the following steps in order: + +- [Subscribe to secureblue release notifications](#release-notifications) +- [Set NVIDIA-specific kargs if applicable](#nvidia) +- [Enroll secureboot key](#secureboot) +- [Set hardened kargs](#kargs) +- - [32-bit support](#kargs-32-bit) +- - [Force disable simultaneous multithreading](#kargs-smt) +- - [Unstable hardening kargs](#kargs-unstable) +- [Setup USBGuard](#usbguard) +- [GRUB](#grub) +- - [Set a password](#grub-password) +- [Create a separate wheel account for admin purposes](#wheel) +- [Setup system DNS](#dns) +- [Bash environment lockdown](#bash) +- [LUKS TPM2 Unlock](#luks-tpm2) +- [Validation](#validation) +- [Optional: `hardened-chromium` Flags](#hardened-chromium-flags) +- [Read the FAQ](#faq) + +### Subscribe to secureblue release notifications +{: #release-notifications} + +[FAQ](/faq#releases) + +### Set NVIDIA-specific kargs if applicable +{: #nvidia} + +If you are using an `nvidia` image, run this after installation: + +``` +ujust set-kargs-nvidia +``` + +You may also need this (solves flickering and luks issues on some NVIDIA hardware): + +``` +rpm-ostree kargs \ + --append-if-missing=initcall_blacklist=simpledrm_platform_driver_init +``` + +### Enroll secureboot key +{: #secureboot} + +``` +ujust enroll-secure-boot-key +``` + +### Set hardened kargs +{: #kargs} + +{% include alert.html type='note' content='Learn about the hardening applied by the kargs set by the command below [here](/articles/kargs).' 
%} + +``` +ujust set-kargs-hardening +``` + +This command applies a fixed set of hardened boot parameters, and asks you whether or not the following kargs should *also* be set along with those (all of which are documented in the link above): + +#### 32-bit support +{: #kargs-32-bit} + +If you answer `N`, or press enter without any input, support for 32-bit programs will be disabled on the next boot. If you run exclusively modern software, chances are likely you don't need this, so it's safe to disable for additional attack surface reduction. + +However, there are certain exceptions. A couple common usecases are if you need Steam, or run an occasional application in Wine you'll likely want to keep support for 32-bit programs. If this is the case, answer `Y`. + +#### Force disable simultaneous multithreading +{: #kargs-smt} + +If you answer `Y` when prompted, simultaneous multithreading (SMT, often called Hyperthreading) will be forcefully disabled, regardless of known vulnerabilities in the running hardware. This can cause a reduction in the performance of certain tasks in favor of security. + +#### Unstable hardening kargs +{: #kargs-unstable} + +If you answer `Y` when prompted, unstable hardening kargs will be additionally applied, which can cause issues on some hardware, but are stable on other hardware. + +### Setup USBGuard +{: #usbguard} + +*This will generate a policy based on your currently attached USB devices and block all others, then enable usbguard.* + +``` +ujust setup-usbguard +``` + +### GRUB +{: #grub} + +#### Set a password +{: #grub-password} + +Setting a GRUB password helps protect the device from physical tampering and mitigates various attack vectors, such as booting from malicious media devices and changing boot or kernel parameters. + +To set a GRUB password, use the following command. By default, the password will be required when modifying boot entries, but not when booting existing entries. + +1. `run0` +2. 
`grub2-setpassword` + +GRUB will prompt for a username and password. The default username is root. + +If you wish to password-protect booting existing entries, you can add the `grub_users root` entry in the specific configuration file located in the `/boot/loader/entries` directory. + +## Create a separate wheel account for admin purposes +{: #wheel} + +Creating a dedicated wheel user and removing wheel from your primary user helps prevent certain privilege escalation attack vectors and password sniffing. + +{% include alert.html type='caution' content='If you do these steps out of order, it is possible to end up without the ability to administrate your system. You will not be able to use the traditional GRUB-based method of fixing mistakes like this, either, as this will leave your system in a broken state. However, simply rolling back to an older snapshot of your system, should resolve the problem.' %} + +1. `run0` +2. `adduser admin` +3. `usermod -aG wheel admin` +4. `passwd admin` +5. `exit` +6. `reboot` + +{% include alert.html type='note' content='We log in as admin to do the final step of removing the user account\'s wheel privileges in order to make the operation of removing those privileges depend on having access to your admin account, and the admin account functioning correctly first.' %} + +5. Log in as `admin` +6. `run0` +7. `gpasswd -d {your username here} wheel` +8. `reboot` + +When using a non-wheel user, you can add the user to other groups if you want. For example: + +- use libvirt: `libvirt` +- use `adb` and `fastboot`: `plugdev` +- use systemwide flatpaks: `flatpak` +- use usbguard: `usbguard` + +{% include alert.html type='note' content='You don\'t need to login using your wheel user to use it for privileged operations. When logged in as your non-wheel user, polkit will prompt you to authenticate as your wheel user as needed, or when requested by calling run0.' 
%} + +### Setup system DNS +{: #dns} + +Interactively setup system DNS resolution for systemd-resolved (optionally also set the resolver for hardened-chromium via management policy): + +``` +ujust dns-selector +``` + +{% include alert.html type='note' content='If you intend to use a VPN, use the system default state (network provided resolver). This will ensure your system uses the VPN provided DNS resolver to prevent DNS leaks. ESPECIALLY avoid setting the browser DNS policy in this case.' %} + +## Bash environment lockdown +{: #bash} + +To mitigate [LD_PRELOAD attacks](https://github.com/Aishou/wayland-keylogger), run: + +``` +ujust toggle-bash-environment-lockdown +``` + +### LUKS Hardware-Unlock + +{% include alert.html type='note' content='There are two options available for hardware-based unlocking. You can either enroll FIDO2 or TPM2 for your luks volume. FIDO2 enrollment is preferable if you own a hardware security key. It\'s recommended that you choose only one of these, and not both at the same time.' %} + + +#### LUKS FIDO2 Unlock +{: #luks-fido2} + + +To enable FIDO2 LUKS unlocking with your FIDO2 security key, run: + +``` +ujust setup-luks-fido2-unlock +``` + +#### LUKS TPM2 Unlock +{: #luks-tpm2} + +{% include alert.html type='warning' content='Do not use this if you have an AMD CPU.' %} + +To enable TPM2 LUKS unlocking, run: + +``` +ujust setup-luks-tpm-unlock +``` + +Type `Y` when asked if you want to set a PIN. + +### Validation +{: #validation} + +To validate your secureblue setup, run: + +``` +ujust audit-secureblue +``` + +### Optional: `hardened-chromium` Flags +{: #hardened-chromium-flags} + +The included [hardened-chromium](https://github.com/secureblue/hardened-chromium) browser has some additional settings in `chrome://flags` you *may* want to set for additional hardening and convenience (can cause functionality issues in some cases). 
+ +You can read about these settings [here](https://github.com/secureblue/hardened-chromium?tab=readme-ov-file#post-install). + +### Read the FAQ +{: #faq} + +Lots of important stuff is covered in the [FAQ](/faq). AppImage toggles, GNOME extension toggles, Xwayland toggles, etc. diff --git a/content/POSTINSTALL-README.md b/content/POSTINSTALL-README.md deleted file mode 100644 index 9c6fcf41..00000000 --- a/content/POSTINSTALL-README.md +++ /dev/null 
@@ -1,197 +0,0 @@ ---- -title: "Post-install instructions | secureblue" -description: "Instructions meant to be followed succeeding a secureblue rebase" -permalink: /post-install ---- - -# secureblue post-install - -After rebasing to secureblue, follow the following steps in order: - -- [Subscribe to secureblue release notifications](#release-notifications) -- [Set NVIDIA-specific kargs if applicable](#nvidia) -- [Enroll secureboot key](#secureboot) -- [Set hardened kargs](#kargs) -- - [32-bit support](#kargs-32-bit) -- - [Force disable simultaneous multithreading](#kargs-smt) -- - [Unstable hardening kargs](#kargs-unstable) -- [Setup USBGuard](#usbguard) -- [GRUB](#grub) -- - [Set a password](#grub-password) -- [Create a separate wheel account for admin purposes](#wheel) -- [Setup system DNS](#dns) -- [Bash environment lockdown](#bash) -- [LUKS TPM2 Unlock](#luks-tpm2) -- [Validation](#validation) -- [Optional: `hardened-chromium` Flags](#hardened-chromium-flags) -- [Read the FAQ](#faq) - -## Subscribe to secureblue release notifications -{: #release-notifications} - -[FAQ](/faq#releases) - -## Set NVIDIA-specific kargs if applicable -{: #nvidia} - -If you are using an `nvidia` image, run this after installation: - -``` -ujust set-kargs-nvidia -``` - -You may also need this (solves flickering and luks issues on some NVIDIA hardware): - -``` -rpm-ostree kargs \ - --append-if-missing=initcall_blacklist=simpledrm_platform_driver_init -``` - -## Enroll secureboot key -{: #secureboot} - -``` -ujust enroll-secure-boot-key -``` - -## Set hardened kargs -{: #kargs} - -[!NOTE] -Learn about the hardening applied by the kargs set by the command below [here](/articles/kargs). 
- -``` -ujust set-kargs-hardening -``` - -This command applies a fixed set of hardened boot parameters, and asks you whether or not the following kargs should *also* be set along with those (all of which are documented in the link above): - -### 32-bit support -{: #kargs-32-bit} - -If you answer `N`, or press enter without any input, support for 32-bit programs will be disabled on the next boot. If you run exclusively modern software, chances are likely you don't need this, so it's safe to disable for additional attack surface reduction. - -However, there are certain exceptions. A couple common usecases are if you need Steam, or run an occasional application in Wine you'll likely want to keep support for 32-bit programs. If this is the case, answer `Y`. - -### Force disable simultaneous multithreading -{: #kargs-smt} - -If you answer `Y` when prompted, simultaneous multithreading (SMT, often called Hyperthreading) will be forcefully disabled, regardless of known vulnerabilities in the running hardware. This can cause a reduction in the performance of certain tasks in favor of security. - -### Unstable hardening kargs -{: #kargs-unstable} - -If you answer `Y` when prompted, unstable hardening kargs will be additionally applied, which can cause issues on some hardware, but are stable on other hardware. - -## Setup USBGuard -{: #usbguard} - -*This will generate a policy based on your currently attached USB devices and block all others, then enable usbguard.* - -``` -ujust setup-usbguard -``` - -## GRUB -{: #grub} - -### Set a password -{: #grub-password} - -Setting a GRUB password helps protect the device from physical tampering and mitigates various attack vectors, such as booting from malicious media devices and changing boot or kernel parameters. - -To set a GRUB password, use the following command. By default, the password will be required when modifying boot entries, but not when booting existing entries. - -1. `run0` -2. 
`grub2-setpassword` - -GRUB will prompt for a username and password. The default username is root. - -If you wish to password-protect booting existing entries, you can add the `grub_users root` entry in the specific configuration file located in the `/boot/loader/entries` directory. - -## Create a separate wheel account for admin purposes -{: #wheel} - -Creating a dedicated wheel user and removing wheel from your primary user helps prevent certain attack vectors, like: - -- https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation#LD_PRELOAD -- https://www.kicksecure.com/wiki/Root#Prevent_Malware_from_Sniffing_the_Root_Password - -{% include alert.html type='caution' content='If you do these steps out of order, it is possible to end up without the ability to administrate your system. You will not be able to use the traditional GRUB-based method of fixing mistakes like this, either, as this will leave your system in a broken state. However, simply rolling back to an older snapshot of your system, should resolve the problem.' %} - -1. `run0` -2. `adduser admin` -3. `usermod -aG wheel admin` -4. `passwd admin` -5. `exit` -6. `reboot` - -{% include alert.html type='note' content='We log in as admin to do the final step of removing the user account\'s wheel privileges in order to make the operation of removing those privileges depend on having access to your admin account, and the admin account functioning correctly first.' %} - -5. Log in as `admin` -6. `run0` -7. `gpasswd -d {your username here} wheel` -8. `reboot` - -When using a non-wheel user, you can add the user to other groups if you want. For example: - -- use libvirt: `libvirt` -- use `adb` and `fastboot`: `plugdev` -- use systemwide flatpaks: `flatpak` -- use usbguard: `usbguard` - -{% include alert.html type='note' content='You don\'t need to login using your wheel user to use it for privileged operations. 
When logged in as your non-wheel user, polkit will prompt you to authenticate as your wheel user as needed, or when requested by calling run0.' %} - -## Setup system DNS -{: #dns} - -Interactively setup system DNS resolution for systemd-resolved (optionally also set the resolver for hardened-chromium via management policy): - -``` -ujust dns-selector -``` - -NOTE: If you intend to use a VPN, use the system default state (network provided resolver). This will ensure your system uses the VPN provided DNS resolver to prevent DNS leaks. ESPECIALLY avoid setting the browser DNS policy in this case. - -## Bash environment lockdown -{: #bash} - -To mitigate [LD_PRELOAD attacks](https://github.com/Aishou/wayland-keylogger), run: - -``` -ujust toggle-bash-environment-lockdown -``` - -## LUKS TPM2 Unlock -{: #luks-tpm2} - -{% include alert.html type='warning' content='Do not use this if you have an AMD CPU.' %} - -To enable TPM2 LUKS unlocking, run: - -``` -ujust setup-luks-tpm-unlock -``` - -Type `Y` when asked if you want to set a PIN. - -## Validation -{: #validation} - -To validate your secureblue setup, run: - -``` -ujust audit-secureblue -``` - -## Optional: `hardened-chromium` Flags -{: #hardened-chromium-flags} - -The included [hardened-chromium](https://github.com/secureblue/hardened-chromium) browser has some additional settings in `chrome://flags` you *may* want to set for additional hardening and convenience (can cause functionality issues in some cases). - -You can read about these settings [here](https://github.com/secureblue/hardened-chromium?tab=readme-ov-file#post-install). - -## Read the FAQ -{: #faq} - -Lots of important stuff is covered in the [FAQ](/faq). AppImage toggles, GNOME extension toggles, Xwayland toggles, etc. diff --git a/content/SECURITY.md b/content/REPORTING.md similarity index 78% rename from content/SECURITY.md rename to content/REPORTING.md index b46b0449..a5729224 100644 --- a/content/SECURITY.md +++ b/content/REPORTING.md 
@@ -1,7 +1,7 @@ --- -title: "Security policy | secureblue" +title: "Reporting | secureblue" description: "Project security policy" -permalink: /security +permalink: /reporting --- # Security Policy diff --git a/content/articles/ARTICLES.md b/content/articles/ARTICLES.md index 389cfda4..1a927f41 100644 --- a/content/articles/ARTICLES.md +++ b/content/articles/ARTICLES.md @@ -8,5 +8,6 @@ The main documentation for secureblue is at the top-level of the site, accessibl Other articles on assorted topics related to secureblue: -- [userns](/articles/userns) - Brief overview of what are user namespaces in Linux, why is the feature considered a security risk and how is it handled in secureblue. -- [kargs](/articles/kargs) - List and brief explanation of the hardening kargs that the `ujust set-kargs-hardening` command can set. +- [User Namespaces](/articles/userns) - Brief overview of unprivileged User Namespaces, the security risk they enabled and how secureblue handles that risk. +- [Kernel Arguments](/articles/kargs) - List and brief explanation of the hardening kargs that the `ujust set-kargs-hardening` command can set. +- [Flatpak](/articles/flatpak) - Flatpak: the good, the bad, the ugly. diff --git a/content/articles/FLATPAK.md b/content/articles/FLATPAK.md new file mode 100644 index 00000000..7407623a --- /dev/null +++ b/content/articles/FLATPAK.md 
@@ -0,0 +1,25 @@ +--- +title: "Flatpak | secureblue" +description: "Flatpak: the good, the bad, the ugly" +permalink: /articles/flatpak +--- + +# Flatpak + +Flatpak is an application packaging and distribution system for desktop linux. It uses bubblewrap under the hood to sandbox those applications and provide desktop linux with a de-facto standard sandboxing and permissions system. However, it has flaws and its sandboxing strength can vary significantly depending on how it is configured. secureblue addresses these flaws in a couple different ways. + +As with any application sandboxing system, flatpaks should be scoped down by default to as few permissions as they need to function. Even better, permissions should be granted directly by the user at app runtime like in android. Sadly, neither of these are the case today. Flatpak manifest maintainers define the set of permissions they believe to be necessary and sufficient for operation of their applications. When a flatpak is installed by a user, the flatpak's permissions default to those defined by the manifest. + +This is of course not ideal, but it's also [not a reason to abandon flatpak entirely](https://en.wikipedia.org/wiki/Perfect_is_the_enemy_of_good). There are many ways we can mitigate this issue: + +- users should configure permissions to their liking +- users should submit default permissions changes to upstream flatpaks at their repos. +- developers should overhaul flatpak and xdg portals to introduce a better permissions model + +What secureblue does in this case is provide a mitigation along the lines of the first option. 
We provide a `ujust` command to strip flatpaks of permissions by default, such that the user will need to specifically and deliberately grant permissions required by each application: + +``` +ujust flatpak-permissions-lockdown +``` + +This is not enabled out of the box on secureblue because it has a somewhat significant usability impact (many flatpaks will break due to missing permissions). Until the flatpak and xdg portal permissions model is improved, this is the most secure option we can offer. That said, users are still encouraged to report unnecessary permissions to upstream projects when found, while incremental development progresses on flatpak and portals. diff --git a/content/articles/USERNS.md b/content/articles/USERNS.md index ce8d0d82..8fd3801b 100644 --- a/content/articles/USERNS.md +++ b/content/articles/USERNS.md @@ -1,5 +1,5 @@ --- -title: "userns | secureblue" +title: "User Namespaces | secureblue" description: "Brief explanation of unprivileged user namespaces and how the feature is handled in secureblue" permalink: /articles/userns ---
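Review bot: deleting content/POSTINSTALL-README.md drops the `/post-install` permalink declared in its front matter, and nothing in this patch adds a redirect or carries that permalink over to the page the post-install sections appear to have moved to (the `+` lines ending in `### Read the FAQ` at the top of this diff), so every existing link to `/post-install`, internal or external, will 404 after this lands; add a redirect (for example `redirect_from: /post-install` in the new page's front matter if the site uses jekyll-redirect-from) or keep the permalink on the new page. While moving the wheel-account section, also check that its numbered list was renumbered: the deleted copy runs `5. exit`, `6. reboot` and then restarts at `5. Log in as admin`.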
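Review bot: the rename of content/SECURITY.md to content/REPORTING.md updates `title` and `permalink` but leaves `description: "Project security policy"` and the `# Security Policy` heading untouched, so the page now calls itself "Reporting" in the browser tab while its body and metadata still describe a security policy; update both to match the new name, or keep the old one. The old `/security` URL also disappears without a redirect, which is exactly where someone following an older link to report a vulnerability will land first.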
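Review bot: in the rewritten User Namespaces entry, "the security risk they enabled" reads as past tense; "the security risk they enable" (or "introduce") matches the present-tense rest of the sentence. The Kernel Arguments and Flatpak entries read fine.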
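Review bot: the new Flatpak article says `ujust flatpak-permissions-lockdown` strips permissions so that the user must grant them back deliberately, but it never says how to grant them back, whether the lockdown also applies to flatpaks installed later, or how to undo it; a reader who has just broken several apps needs at least a pointer here (for example `flatpak override --user` or Flatseal, and the ujust command's own reverse if one exists). Two smaller points: "linux" and "android" are proper nouns and should be capitalised, and "de-facto" is conventionally written unhyphenated as "de facto".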