secureblue · RoyalOughtness · Jan 2, 2025 · Jan 2, 2025 · Jan 2, 2025 · Jan 2, 2025
@@ -2,15 +2,15 @@
     <nav id="site-menu">
         <ul>
             <li {% if include.content == "" %}aria-current="page"{% endif %}><a href="/"><img src="/assets/icons/favicon.svg" alt=""/>secureblue</a></li>
+            <li {% if include.content == "features" %}aria-current="page"{% endif %}><a href="/features">Features</a></li>
             <li {% if include.content == "install" %}aria-current="page"{% endif %}><a href="/install">Install</a></li>
-            <li {% if include.content == "post-install" %}aria-current="page"{% endif %}><a href="/post-install">Post-install</a></li>
-            <li {% if include.content == "contributing" %}aria-current="page"{% endif %}><a href="/contributing">Contributing</a></li>
-            <li {% if include.content == "faq" %}aria-current="page"{% endif %}><a href="/faq">FAQ</a></li>
             <li {% if include.content == "images" %}aria-current="page"{% endif %}><a href="/images">Images</a></li>
+            <li {% if include.content == "faq" %}aria-current="page"{% endif %}><a href="/faq">FAQ</a></li>
+            <li {% if include.content == "contributing" %}aria-current="page"{% endif %}><a href="/contributing">Contributing</a></li>
+            <li {% if include.content == "code-of-conduct" %}aria-current="page"{% endif %}><a href="/code-of-conduct">Code of Conduct</a></li>
             <li {% if include.content == "articles" %}aria-current="page"{% endif %}><a href="/articles">Articles</a></li>
+            <li {% if include.content == "reporting" %}aria-current="page"{% endif %}><a href="/reporting">Reporting</a></li>
             <li {% if include.content == "donate" %}aria-current="page"{% endif %}><a href="/donate">Donate</a></li>
-            <li {% if include.content == "code-of-conduct" %}aria-current="page"{% endif %}><a href="/code-of-conduct">Code of Conduct</a></li>
-            <li {% if include.content == "security" %}aria-current="page"{% endif %}><a href="/security">Security</a></li>
         </ul>
     </nav>
 </header>

@@ -1,8 +1,8 @@
-<div class="content hero">
+<div class="hero">
 
     <div>
         <h1><a href="#secureblue">secureblue</a></h1>
-        <p>Offering hardened operating system images and the hardened-chromium package. Developed collaboratively as an open source project.</p>
+        <p>A security-focused desktop and server linux operating system.</p>
         <a class="button" href="/install">Get secureblue</a>
     </div>
 

@@ -296,6 +296,10 @@ main.normalize {
     align-items: center;
     flex-flow: row nowrap;
     justify-content: space-between;
+    max-width: 832px;
+    margin-left: auto;
+    margin-right: auto;
+    padding: 3.5rem 1rem;
 }
 
 .hero h1 {

@@ -4,14 +4,6 @@ description: "How to contribute to secureblue"
 permalink: /contributing
 ---
 
-# Welcome to secureblue
-
-Thanks for taking the time to look into helping out!
-All contributions are appreciated!
-Please refer to our [Code of Conduct](/code-of-conduct) while you're at it!
-
-Feel free to report issues as you find them!
-
 # Contributing
 
 All types of contributions are encouraged and valued. See the [Table of Contents](#table-of-contents) for different ways to help and details about how this project handles them. Please make sure to read the relevant section before making your contribution. It will make it a lot easier for us maintainers and smooth out the experience for all involved. The community looks forward to your contributions.
@@ -36,8 +28,7 @@ All types of contributions are encouraged and valued. See the [Table of Contents
 
 ## Code of Conduct
 
-This project and everyone participating in it is governed by the
-CONTRIBUTING.md Code of Conduct.
+This project and everyone participating in it is governed by the [Code of Conduct](/code-of-conduct).
 By participating, you are expected to uphold this code. Please report unacceptable behavior
 to secureblueadmin@proton.me
 

@@ -1,5 +1,5 @@
 ---
-title: "Donate to secureblue"
+title: "Donate | secureblue"
 description: "Donation options for secureblue"
 permalink: /donate
 ---
@@ -14,24 +14,24 @@ There are multiple options available for donation:
 
 ## Bitcoin
 
-<img src="https://github.com/secureblue/secureblue/assets/129108030/d5399003-92b9-43f4-b012-5bc476e78337" width=200 />
+<img src="/assets/bitcoin.png" width=200 />
 
 `bc1qj4nxpfhsgj3f7w8c2689kq865apfla2jyxgaem`
 
 ## Monero
 
-<img src="https://github.com/secureblue/secureblue/assets/129108030/c71a68a7-b4bd-4847-9a46-e77a01edf2d1" width=200 />
+<img src="/assets/monero.png" width=200 />
 
 `43fry9taGiwhAtNYEZNfssdzJ8Ra12ewAbQoVsvFzoLS6qMSgsE2FvE7xY52rAnKjPL5r2N88KYvqXpthUfSwa23K1BBMD9`
 
 ## Litecoin
 
-<img src="https://github.com/secureblue/secureblue/assets/129108030/ca599a38-40fc-40c7-87dd-bf1e024956b0" width=200 />
+<img src="/assets/litecoin.png" width=200 />
 
 `ltc1q65hpetza8stgje640pcn25mef6xpdzxqazcawq`
 
 ## Ethereum
 
-<img src="https://github.com/secureblue/secureblue/assets/129108030/f7f241d9-e4bf-4858-81bd-242b2c268647" width=200 />
+<img src="/assets/ethereum.png" width=200 />
 
 `0x10289B51aEF109BBc07F68341F2Df8Ef60a5b618`
@@ -32,11 +32,12 @@ Table of contents:
 - [Why won't `hardened-chromium` start on Nvidia?](#hardened-chromium-start-nvidia)
 - [Why don't some websites that require JIT/WebAssembly work in `hardened-chromium` even with the V8 Optimizer toggle enabled?](#hardened-chromium-exceptions)
 - [Why don't extensions work in `hardened-chromium`?](#hardened-chromium-extensions)
+- [How do I customize secureblue?](#customization)
 
 #### Why is Flatpak included? Should I use Flatpak?
 {: #flatpak}
 
-[https://github.com/secureblue/secureblue/issues/125#issuecomment-1859610560](https://github.com/secureblue/secureblue/issues/125#issuecomment-1859610560)
+Consult our <a href="/articles/flatpak">Flatpak article</a>.
 
 #### Should I use Electron apps? Why don't they work well with hardened_malloc?
 {: #electron}
@@ -209,3 +210,8 @@ Extensions in `hardened-chromium` are disabled by default, for security reasons
 \
 \
 If the extension you installed doesn't work, it is likely because it requires WebAssembly (WASM) for some cryptographic library or some other optimizations (this is the case with the Bitwarden extension). To re-enable JavaScript JIT and WASM for extensions, enable the feature `chrome://flags/#internal-page-jit`.
+
+#### How do I customize secureblue?
+{: #customization}
+
+If you want to add your own customizations on top of secureblue, you are advised strongly against forking. Instead, create a repo for your own image by using the [BlueBuild template](https://github.com/blue-build/template), then change your `base-image` to a secureblue image. This will allow you to apply your customizations to secureblue in a concise and maintainable way, without the need to constantly sync with upstream. For local development, [building locally](/contributing#building-locally) is the recommended approach.
@@ -0,0 +1,48 @@
+---
+title: "Features | secureblue"
+description: "List of secureblue features"
+permalink: /features
+---
+
+# Features
+
+## Exploit mitigation
+- Installing and enabling [hardened_malloc](https://github.com/GrapheneOS/hardened_malloc) globally, including for flatpaks. <sup>[Thanks to rusty-snake's spec](https://github.com/rusty-snake/fedora-extras)</sup>
+- Installing [hardened-chromium](https://github.com/secureblue/hardened-chromium), which is inspired by [Vanadium](https://github.com/GrapheneOS/Vanadium). <sup>[Why chromium?](https://grapheneos.org/usage#web-browsing)</sup> <sup>[Why not flatpak chromium?](https://forum.vivaldi.net/post/669805)</sup>
+- Setting numerous hardened sysctl values <sup>[details](https://github.com/secureblue/secureblue/blob/live/files/system/etc/sysctl.d/hardening.conf)</sup>
+- Sets numerous hardening kernel arguments (Inspired by [Madaidan's Hardening Guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html)) <sup>[details](/articles/kargs)</sup>
+- Configure chronyd to use Network Time Security (NTS) <sup>[using chrony config from GrapheneOS](https://github.com/GrapheneOS/infrastructure/blob/main/chrony.conf)</sup>
+- Set opportunistic DNSSEC and DNSOverTLS for systemd-resolved
+- Installing usbguard and providing `ujust` commands to automatically configure it
+
+## Filling holes in the linux security posture
+- Remove SUID-root from [numerous binaries](https://github.com/secureblue/secureblue/blob/live/files/scripts/removesuid.sh), replacing functionality [using capabilities](https://github.com/secureblue/secureblue/blob/live/files/system/usr/bin/setcapsforunsuidbinaries), and remove `sudo`, `su`, and `pkexec` entirely in favor of `run0` <sup>[why?](https://mastodon.social/@pid_eins/112353324518585654)</sup>
+- Disable Xwayland by default (for GNOME, Plasma, and Sway images)
+- Mitigation of [LD_PRELOAD attacks](https://github.com/Aishou/wayland-keylogger) via `ujust toggle-bash-environment-lockdown`
+- Require wheel user authentication via polkit for `rpm-ostree install` <sup>[why?](https://github.com/rohanssrao/silverblue-privesc)
+- Disable install & usage of GNOME user extensions by default
+- Disable KDE GHNS by default <sup>[why?](https://blog.davidedmundson.co.uk/blog/kde-store-content/)</sup>
+- Removal of the unmaintained and suid-root fuse2 by default
+- Disabling unprivileged user namespaces by default for the unconfined domain and the container domain <sup>[why?](/articles/userns)</sup>
+
+## Security by default
+- Disabling all ports and services for firewalld
+- Use HTTPS for all rpm mirrors
+- Set all default container policies to `reject`, `signedBy`, or `sigstoreSigned`
+- Enabling only the [flathub-verified](https://flathub.org/apps/collection/verified/1) remote by default
+
+## Reduce information leakage
+- Adds per-network MAC randomization
+- Disabling coredumps
+
+## Attack surface reduction
+- Blacklisting numerous unused kernel modules to reduce attack surface <sup>[details](https://github.com/secureblue/secureblue/blob/live/files/system/etc/modprobe.d/blacklist.conf)</sup>
+- Brute force protection by locking user accounts for 24 hours after 50 failed login attempts, hardened password encryption and password quality suggestions
+- Disable and mask a variety of services by default (including cups, geoclue, passim, and others)
+
+## Security ease-of-use
+- Installing bubblejail for additional sandboxing tooling
+- Tooling for automatically setting up and enabling LUKS TPM2 integration for unlocking LUKS drives
+- Tooling for automatically setting up and enabling LUKS FIDO2 integration for unlocking LUKS drives
+- Toggles for controlling access to [unprivileged user namespaces](/articles/userns) via SELinux
+- Toggles for a variety of the hardening set by default, for user convenience (`ujust --choose`)
@@ -9,38 +9,27 @@ permalink: /images
 Table of Contents
 - [Desktop](#desktop)
 - - [Recommended](#recommended)
-- - - [Silverblue](#silverblue)
 - - [Stable](#stable)
-- - - [Kinoite](#kinoite)
-- - - [Sericea](#sericea)
 - - [Beta](#beta)
-- - - [Wayfire](#wayfire)
-- - - [Hyprland](#hyprland)
-- - - [River](#river)
-- - - [Sway](#sway)
 - - [Experimental](#experimental)
-- - - [Cosmic](#cosmic)
 - [Server](#server)
 
-*`nvidia-open` images are recommended for systems with NVIDIA GPUs Turing or newer. These include the new [open kernel modules](https://github.com/NVIDIA/open-gpu-kernel-modules) from NVIDIA, not Nouveau.*
-
-*`nvidia` images are recommended for systems with NVIDIA GPUs Pascal or older. These include the closed kernel modules from NVIDIA.*
+{% include alert.html type='note' content='<b>nvidia-open</b> images are recommended for systems with NVIDIA GPUs Turing or newer. These include the new <a href="https://github.com/NVIDIA/open-gpu-kernel-modules">open kernel modules</a> from NVIDIA, not Nouveau. <b>nvidia</b> images are recommended for systems with NVIDIA GPUs Pascal or older. These include the closed kernel modules from NVIDIA.' %}
 
 ## Desktop
 
 ### Recommended
 
-#### Silverblue
+{% include alert.html type='note' content='Silverblue utilizes GNOME, which is the only desktop that secures privileged wayland protocols like screencopy. This means that on non-GNOME systems, applications can access screen content of the entire desktop. This implicitly includes the content of other applications. It\'s primarily for this reason that GNOME images are recommended. KDE has <a href="https://invent.kde.org/plasma/xdg-desktop-portal-kde/-/issues/7">plans</a> to fix this.GNOME also provides <a href="https://gitlab.gnome.org/GNOME/gnome-desktop/-/issues/213">thumbnailer sandboxing</a> in Gnome Files, which mitigates attacks <a href="https://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-compromising-linux-desktop.html">via thumbnailers</a>. The recommendation of GNOME is a relative recommendation between the desktop environments available on secureblue. GNOME has some extra security niceties like the ones listed below. It however does not solve any of the fundamental issues with desktop linux security.' %}
 
-{% include alert.html type='note' content='This is a relative recommendation between the desktop environments available on secureblue. GNOME has some extra security niceties like the ones listed below. It however does not solve any of the fundamental issues with desktop linux security.' %}
+#### Silverblue
 
 | Name                                      | Base      | NVIDIA Support         |
 |-------------------------------------------|-----------|-------------------------|
 | `silverblue-main-hardened`               | Silverblue| No                      |
 | `silverblue-nvidia-hardened`             | Silverblue| Yes, closed drivers     |
 | `silverblue-nvidia-open-hardened`        | Silverblue| Yes, open drivers       |
 
-{% include alert.html type='caution' content='Silverblue utilizes GNOME, which is the only desktop that secures privileged wayland protocols like screencopy. This means that on non-GNOME systems, applications can access screen content of the entire desktop. This implicitly includes the content of other applications. It\'s primarily for this reason that GNOME images are recommended. KDE has <a href="https://invent.kde.org/plasma/xdg-desktop-portal-kde/-/issues/7">plans</a> to fix this.<br>GNOME also provides <a href="https://gitlab.gnome.org/GNOME/gnome-desktop/-/issues/213">thumbnailer sandboxing</a> in Gnome Files, which mitigates attacks <a href="https://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-compromising-linux-desktop.html">via thumbnailers</a>.' %}
 
 ### Stable