• Euphoma@lemmy.ml · 18 points · 1 year ago

    Qubes OS is pretty secure, everything you do in it is in virtual machines. That includes putting Wi-Fi and USB in separate virtual machines. The root virtual machine is completely separated from everything else so any attackers can’t get access to it. There are also temporary virtual machines that you can use for unsafe stuff.

      • Euphoma@lemmy.ml · 1 point · 1 year ago

        I think most computers have at least that much RAM these days; my phone has that much RAM.

  • ctr1@fl0w.cc · 16 points · 1 year ago

    I would look into Gentoo’s Hardened + SELinux profile if you want good security in a standard system, but as others have mentioned QubesOS is probably the most secure option OOTB (but it is very limiting). SELinux is pretty difficult to use but it’s really effective, and there is good information about it on the Gentoo wiki. Not sure what exactly goes into their hardened profile, but I know it implements at least some of the suggestions listed on that site (like hardened compilation flags). Also it’s probably more vulnerable to 0-day attacks than Qubes, since it uses up-to-date software. But it’s really flexible, and learning SELinux is useful.

    • ruination@discuss.tchncs.de · 2 points · edited · 1 year ago

      You can even mix and match H/SELinux with musl (and Clang, if you’re up for some masochism and a performance boost), though it does require patching sometimes. From my experience, you can find patches in Alpine’s aports and that should fix it ~90% of the time, but sometimes you’d need to write your own. Another tip in case you’re interested in trying musl on Gentoo is that there’s a compilation flag for large file support documented on the Gentoo Wiki’s musl development page which fixes compilation failures caused by calls to functions with names ending in 64 (e.g. fseek64). This is yet another massive source of compilation failure on musl. Lastly, you should mask musl versions ≥ 1.2.4 if you want to have any semblance of a good time with it.
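The build failure the comment above describes comes from code that calls the glibc LFS64 names (`fseeko64`, `ftello64`, `off64_t`) directly; musl 1.2.4 stopped exposing those names unless `_LARGEFILE64_SOURCE` is defined. The example below is added here and is not code from the thread or from Gentoo; it shows the portable alternative that compiles unchanged on glibc and musl: define `_FILE_OFFSET_BITS=64` before any include and use the POSIX `fseeko`/`ftello` with `off_t`. It assumes a POSIX libc and seeks past EOF in a temporary file, which does not allocate disk space.

```c
/* Portable large-file handling without the glibc-only *64 symbol names.
   Added example, not from the thread. Assumes a POSIX libc (glibc or musl). */
#define _POSIX_C_SOURCE 200809L  /* declares fseeko/ftello */
#define _FILE_OFFSET_BITS 64     /* 64-bit off_t on 32-bit glibc; musl's off_t is always 64-bit */
#include <stdio.h>
#include <sys/types.h>

/* Returns 1 when off_t can address offsets beyond 2 GiB, 0 otherwise. */
int off_t_is_64bit(void) {
    return sizeof(off_t) == 8;
}

/* Seeks to `target` in a fresh temporary file with fseeko/ftello instead of
   fseeko64/ftello64. Seeking past EOF does not grow the file, so the call is
   cheap anywhere. Returns the position ftello reports, or -1 on failure. */
long long seek_large_offset(long long target) {
    FILE *f = tmpfile();
    if (!f) return -1;
    off_t pos = -1;
    if (fseeko(f, (off_t)target, SEEK_SET) == 0) {
        pos = ftello(f);
    }
    fclose(f);
    return (long long)pos;
}

int main(void) {
    /* 3 GiB: representable only if off_t is 64-bit. */
    const long long three_gib = 3LL * 1024 * 1024 * 1024;
    printf("off_t is %zu bytes\n", sizeof(off_t));
    printf("ftello after seeking to 3 GiB: %lld\n", seek_large_offset(three_gib));
    return 0;
}
```

Compile with `cc -Wall example.c` on either libc; the `-D_FILE_OFFSET_BITS=64` effect is already baked in by the `#define`, so no extra CFLAGS are needed, and nothing in the program references an LFS64 symbol.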

      • ctr1@fl0w.cc · 1 point · edited · 1 year ago

        Oh good to know! Thanks for the tips. What do you like about musl over glibc?

        • ruination@discuss.tchncs.de · 2 points · 1 year ago

          To be honest, I only use it for fun. Unless you enjoy tinkering like I do, or you have really low RAM, there’s no reason to use it over glibc. I’m aware that Madaidan also mentioned that it is more secure, but I’m not too knowledgeable on that so I can’t really comment.

          • ctr1@fl0w.cc · 2 points · 1 year ago

            Ah gotcha, just asking because I’ve never used it before. Good to know that Gentoo supports hardening it.

            • ruination@discuss.tchncs.de · 2 points · 1 year ago

              Gentoo lets you do basically whatever you want. The whole idea of it is that you make all the decisions in your system, as opposed to how most distros impose their developers’ choices.

              • ruination@discuss.tchncs.de · 2 points · 1 year ago

                  Really fast-tracked my Linux learning experience too. If you’re starting out with Linux and are predisposed to masochism like I am, using Gentoo as your first distro really catalysed my understanding of Linux (at the cost of a week’s worth of crying and self-loathing lmao).

    • Syrup@lemmy.world · 5 points · 1 year ago

      This is the best choice IMHO. You have a rock solid OS (Debian) and all possible measures taken to harden it with the Kicksecure patch.

        • Syrup@lemmy.world · 2 points · 1 year ago

          The Kicksecure documentation is well written. Go here for distro-morphing Debian 12; the step-by-step things to do are pretty explicit, and you can even copy the command lines if you think you’ll make a mistake…

          • librechad@lemm.ee · 3 points · edited · 1 year ago

            Does Kicksecure implement proprietary software into Debian? Personally, I run OpenRC and the linux-libre kernel on my Debian 12 system on a Libreboot laptop with fully free software. Haven’t used Kicksecure in a while.

            • Chemical Wonka@discuss.tchncs.de · 3 points · edited · 1 year ago

              Awesome!

              You have the holy grail of Free Software

              Richard Stallman approves!

              I really like the Linux-libre kernel but it has some downsides because it doesn’t have patches to fix some critical vulnerabilities. Libreboot is just a distant dream; unfortunately, few devices are compatible with it.

            • Syrup@lemmy.world · 1 point · 1 year ago

              I don’t think so, mostly it’s hardening and a few security-related packages, all FOSS.

              • Syrup@lemmy.world · 2 points · 1 year ago

                  According to their wiki, other distros (including DEs) are not supported/documented and if you do it, it’s at your own risk. Personally, I wouldn’t dare trying that.

    • MicroMacro@sh.itjust.works · 1 point · 1 year ago

      Kicksecure is a good choice for an install on bare metal. For a level-plus secure and private system you can even install a Whonix VM on Kicksecure, so you can use Kicksecure daily and use your Whonix VM to get on the internet. It’s a great combo I think, as they use the same base, the same DE (Xfce) and have a lot of default programs in common.

  • throwawayish@lemmy.ml · 6 points · edited · 1 year ago

    I’ll assume that you intend to use it as a traditional daily driver, as such Tails and Whonix will not be taken into consideration. Qubes OS will also be dismissed as it’s technically not a Linux distro. Though, it’s simply the best if you take security seriously.

    Within the space of traditional Linux distros, the closest one would probably be Kicksecure. Madaidan even works on the distro, so I’d say it’s fair to assume that it upholds some of the values that are mentioned in the article.

    Alternatively, packages for Fedora that would set this up automatically

    Hehe, wishful thinking 😂. Uhmm…, bummer, but such a thing simply does not exist. The best we’ve got would be relying on so-called hardening scripts made by people that you don’t know but somehow trust for hardening your system. Honestly, I’m also (to a degree) guilty of this as I one day hope to either adopt these scripts or rebase to one of these hardened ‘immutable’ Fedora images (when they’re ready); Madaidan’s guidelines have actually been an initial inspiration for the scripts found in the first link, so yeah 🙂. Until then, our best bet would probably be relying on hardening guides like this one; the guide has been carefully written (and is still getting regularly updated) with consideration for all the different major distros one might be using. Alternatively, you might try to implement Madaidan’s guidelines directly. But my previous attempts on Fedora didn’t bear the best results. Though your mileage may vary. Special shout-out to Brace as it’s the closest thing to a package that does the hardening for you and works on multiple distros including Fedora. It’s maintained by the same people that have brought us the excellent DivestOS, so it’s trustworthy.

    • constantokra@lemmy.one · 2 points · 1 year ago

      Thanks for this comment. I had not come across that hardening guide. It is extremely well written, and it’s worth a read, even if you have no intention of trying to harden your system, just to see what’s out there.

      I’d consider most of it overkill for my threat model, but there are some things I’ll probably implement or try out just because they look pretty neat.

  • flatbield@beehaw.org · 3 points · edited · 1 year ago

    You might want to look at Debian and install only minimal components, and then just read through the security guide. If you care about security, I am not sure automated is the way to go, or at least not without some personal knowledge and a personal audit of the supposedly secure system.

  • flatbield@beehaw.org · 2 points · edited · 1 year ago

    Keep in mind that security is boring. You want it to be boring. Long established distributions with a good team and release cycle, a really good security team, and minimal software, minimal attack surface (i.e. less is more). I just mention this because Fedora is a test bed really, and so not exactly what one would choose for a secure system.

    This is why, of the list that people provided, I would personally favor Rocky (RHEL), Debian, or OpenBSD. All of the others have a lot to prove to me frankly. Not saying they’re bad, a lot were good suggestions, but they have the downsides of being less mainstream and/or more cutting edge, or more specialized.