For example, ones that implement these guidelines? …github.io/…/linux-hardening.html
Alternatively, packages for Fedora that would set this up automatically
How about Kicksecure Hardened Debian?
Do any hardened Linux distributions exist?
Submitted 9 months ago by Dislodge3233@feddit.de to privacyguides@lemmy.one
Comments
chemicalwonka@discuss.tchncs.de 9 months ago
Syrup@lemmy.world 9 months ago
This is the best choice IMHO. You have a rock solid OS (Debian) and all possible taken measures to harden it with Kicksecure patch.
chemicalwonka@discuss.tchncs.de 9 months ago
It’s a solid option indeed but a little difficult to install in my opinion
MicroMacro@sh.itjust.works 9 months ago
Kicksecure is a good choice for an install on bare metal. For a level-plus secure and private system you can even install a Whonix VM on Kicksecure, so you can use Kicksecure daily use your Whonix VM to get on internet. It’s a great combo i thinkk, as they use the same base, the same DE (xfce) and have a lot of defaults programs in common.
catsup@lemmy.one 9 months ago
This might be way off, but iirc OpenBSD is pretty secure
shortwavesurfer@monero.town 9 months ago
My first thought is tails.
flathead@lemm.ee 9 months ago
The Rocky or Alma (red hat clones) installation provides a set of hardening options to make the system compliant with various published standards. cyberithub.com/step-by-step-guide-to-install-rock…
furrowsofar@beehaw.org 9 months ago
You might want to look at Debian, and just read through the security guide. If you care about security, I am not sure automated is the way to go, or at least not without some personal knowledge and a personal audit of the supposedly secure system.
furrowsofar@beehaw.org 9 months ago
Keep in mind that security is boring. You want it to be boring. Long established distributions with good team and release cycle, really good security team, and minimal software (i.e. less is more). Just mention because Fedora is a test bed really, and so not exactly what one would choose for a secure system.
This is why of the list that people provided I would personally favor Rocky (RHEL), Debian, or OpenBSD. All of the others have a lot to prove to me frankly. Not saying bad, lot were good suggestions, but they have the downsides of being less mainstream and/or more cutting edge, or more specialized.
ctr1@fl0w.cc 9 months ago
I would look into Gentoo’s Hardened + SELinux profile if you want good security in a standard system, but as others have mentioned QubesOS is probably the most secure option OOTB (but it is very limiting). SELinux is pretty difficult to use but it’s really effective, and there is good information about it on the Gentoo wiki. Not sure what exactly goes into their hardened profile but I know it implements at least some of the suggestions listed on that site (like hardened compilation flags). Also it’s probably more vulnerable to 0-day attacks than Qubes, since it uses up-to-date software. But it’s really flexible, and learning SELinux is useful
ruination@discuss.tchncs.de 9 months ago
You can even mix and match it H/SELinux with musl (and Clang, if you’re up for some masochism and performance boost), though it does require patching sometimes. From my experience, you can find patches from Alpine’s Aports and that should fix it ~90% of the time, but sometimes you’d need to write your own. Another tip in case you’re interested in trying musl on Gentoo is that there’s a compilation flag for large file support documented in Gentoo Wiki’s musl development page which fixes compilation failures caused by calls to functions with names ending in 64 (e.g. fseek64). This is yet another massive source of compilation failure in musl. Lastly, you should mask musl versions greater than 1.2.4 if you want to have any semblance of a good time with it.
ctr1@fl0w.cc 9 months ago
Oh good to know! Thanks for the tips. What do you like about musl it over glibc?