this post was submitted on 16 Apr 2025
29 points (91.4% liked)

Linux

53416 readers
595 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
AgreeableLandscape@lemmy.ml
nooter692@lemmy.ml
MarcellusDrum@lemmy.ml
cypherpunks@lemmy.ml
cyclohexane@lemmy.ml
d3Xt3r@lemmy.nz
29
Comprehensive guide to hardening RHEL clones? (lemmy.dbzer0.com)
submitted 6 days ago by marauding_gibberish142@lemmy.dbzer0.com to c/linux@lemmy.ml
24 comments fedilink hide all child comments
 

Is there some sort of comprehensive guide on hardening RHEL clones like Alma and Rocky?

I have read Madaidan's blog, and I plan to go through CIS policies, Alma and Rocky documentation and other general stuff like KSPP, musl, LibreSSL, hardened_malloc etc.

But I feel like this is not enough and I will likely face problems that I cannot solve. Instead of trying to reinvent the wheel by myself, I thought I'd ask if anyone has done this before so I can use their guide as a baseline. Maybe there's a community guide on hardening either of these two? I'd contribute to its maintenance if there is one.

Thanks.

you are viewing a single comment's thread
view the rest of the comments
[–] Charger8232@lemmy.ml 1 points 6 days ago* (last edited 6 days ago) (1 children)

Hey, I recognise you now!

Look mom, I'm famous! :P

That was a great post, I had a lot of fun reading it.

Thank you!

If I could follow people on Lemmy I’d follow you.

The best you can do in regards to that is adding my profile to your preferred RSS reader, so you get notified each time I post. A few good ones for android are Feeder, Read You, or (my favorite) Capy Reader.

What do you think about Kicksecure (and Kicksecure inside of Qubes)?

I'm not sure if you mean actual Kicksecure or if you mean Whonix. Either way, if I were to use Qubes OS, I would do Whonix inside of Qubes (until a secureblue template is made).

SecureBlue too but I hear SecureBlue isn’t a big team, not sure how much time they have to address the broad range of desktop Linux security issues

secureblue backports a lot of fixes from other projects (e.g. their browser, Trivalent, backports fixes from GrapheneOS's Vanadium). Their team is small but mighty.

I personally think that if you were to put GrapheneOS and Qubes OS side-by-side on uncompromised hardware, I’d take Qubes.

GrapheneOS compartmentalizes as well, but in a different fashion. All apps on GrapheneOS are sandboxed, Once GrapheneOS implements App Communication Scopes, apps will be able to be completely* isolated. Without App Communication Scopes, the best way to isolate apps is by setting up separate profiles.

*While APC prevents communication between apps, they are still installed on the same profile, and thus have access to unique profile identifiers. Apps with network access can technically communicate with each other via a third party. Furthermore, apps may be able to directly communicate with each other through a telephone effect (e.g. Pixel Camera tells Google Play Services to tell Google Calendar about the photo you just took). I am massively oversimplifying this, but you get the gist.

I mentioned in my post that security is going to become very interesting with the introduction of the Linux terminal into Android. If GrapheneOS chooses to expand on this, that means, like Qubes OS, GrapheneOS could emulate multiple Linux distros.

Anyways, this is how I would rank them in terms of security (again, oversimplified):

GrapheneOS > Qubes-secureblue > Qubes-Whonix > secureblue

Each project fundamentally has different goals, so there is no one "security" to rank them by.

Though, for desktop, I prefer secureblue, as I don't have a secondary GrapheneOS device, and secureblue is far more usable than Qubes OS.

[–] marauding_gibberish142@lemmy.dbzer0.com 2 points 5 days ago (1 children)

Thanks for the tip, love Capy.

You're right, Whonix is probably the better idea. I use kick secure now but if I move to Qubes then I'll use Whonix as a default.

I'll have to read more about secureblue. I haven't given the documentation as much time as I should have. I guess you could run an HVM for now.

Why do you rank secureblue over Whonix?

[–] Charger8232@lemmy.ml 1 points 5 days ago (1 children)

Why do you rank secureblue over Whonix?

Whonix on its own isn't very secure. It's more privacy focused than security focused. It's based on Debian, which has a host of issues I won't get into. dom0 in Qubes OS is based on Fedora for its security, and it's no coincidence that secureblue is also based on Fedora.

[–] marauding_gibberish142@lemmy.dbzer0.com 1 points 5 days ago (1 children)

Dom0 being based on Fedora has been a gripe of mine for a while now. Fedora isn't that secure without some effort either. Unfortunately, I have no way to confirm which one out of them is "more secure".

Do you have any sort of automated test framework in mind which one can use to test distros against attacks?

[–] Charger8232@lemmy.ml 2 points 5 days ago

Fedora isn’t that secure without some effort either.

Fedora's philosophy is being a modern and security oriented (not security focused) distro. An easy example is that Fedora uses Linux kernel 6.14.2, whereas Debian uses Linux kernel 6.1 (I know they backport fixes, but the point remains).

Unfortunately, I have no way to confirm which one out of them is “more secure”.

Do you have any sort of automated test framework in mind which one can use to test distros against attacks?

Generally trust what security experts say about it, but if you really want an automated test, you can look at Lynis