Features
- Install and enable hardened_malloc globally, including for Flatpaks.
- Install Trivalent, our security-focused, Chromium-based browser inspired by Vanadium.
- Kernel hardening via sysctl.
- Kernel hardening via kernel arguments (the boot-time kernel command line).
- Configure chronyd to use Network Time Security (NTS).
- Configurable system-wide DNS-over-TLS via systemd-resolved.
- Install USBGuard and provide `ujust` commands to configure it automatically.
- Remove suid-root from numerous binaries, replacing the functionality with capabilities, and remove `sudo`, `su`, and `pkexec` entirely in favor of `run0`.
- Disable XWayland by default (for GNOME, Plasma, and Sway images).
- Mitigate LD_PRELOAD attacks via `ujust toggle-bash-environment-lockdown`.
- Disable install & usage of GNOME user extensions by default.
- Disable KDE GHNS (Get Hot New Stuff) by default.
- Remove the unmaintained and suid-root fuse2 by default.
- Disable unprivileged user namespaces by default for the unconfined and container SELinux domains, while retaining support for Flatpaks, Trivalent, and other applications that need them.
- Prohibit ptrace attachment by default.
- Lock down Flatpak permissions to close sandbox escapes.
- Disable all ports and services for firewalld.
- Use HTTPS for all rpm mirrors.
- Set all default container policies to `reject`, `signedBy`, or `sigstoreSigned`.
- Enable only the Flathub-verified remote by default.
- Add per-network or per-connection MAC randomization.
- Disable coredumps.
- Blacklist numerous unused kernel modules to reduce attack surface.
- Protect against brute force by locking user accounts for 24 hours after 50 failed login attempts, provide password quality suggestions, and use hardened password hashing.
- Disable and mask a variety of services by default (including cups, geoclue, passim, and others).
- Provide system auditing tooling to verify the status of system hardening and provide users with suggestions.
- Set up `ujust` commands for installing desktop apps from common VPN providers.
- Install Bubblejail for additional sandboxing tooling.
- Provide tooling for automatically setting up and enabling LUKS TPM2+PIN integration for unlocking LUKS drives (on devices where the TPM is free of known vulnerabilities).
- Provide tooling for automatically setting up and enabling LUKS FIDO2 integration for unlocking LUKS drives.
- Provide toggles for a variety of the hardening set by default, for user convenience (`ujust --choose`).