{{Header}}
{{title|title=
Comparison of secureblue with Kicksecure and Development Notes
}}
{{#seo:
|description=Comparison of some of Secureblue and Kicksecure security enhancements, hardening techniques, and unique development features. Explore detailed differences, overlapping features, and future improvement notes for both security-focused operating systems.
}}
{{intro|
Secureblue and Kicksecure are both hardened operating systems prioritizing security. This wiki page provides a side-by-side comparison of some of their security features, development decisions, and the rationale behind various implementations. Explore how each system addresses security challenges. This guide serves as a resource for developers, security enthusiasts, and users seeking insight into cutting-edge OS security practices.
}}
Quick, preliminary analysis, version 0.1, based only on the [https://github.com/secureblue/secureblue secureblue GitHub repository] README.md as of Nov 30, 2024, commit hash [https://github.com/secureblue/secureblue/blob/e40b70df06a30c3a2d99f337f3cbfe3d5a54aa83/docs/README.md e40b70df06a30c3a2d99f337f3cbfe3d5a54aa83] and related, linked files.

= Hardening =
* Installing and enabling [https://github.com/GrapheneOS/hardened_malloc hardened_malloc] globally, including for flatpaks. [https://github.com/rusty-snake/fedora-extras Thanks to rusty-snake's spec]
Kicksecure is no longer using hardened_malloc for reasons elaborated in chapter [[Hardened_Malloc#Deprecation_in_Kicksecure|Hardened Malloc, Deprecation in Kicksecure]].
* Installing [https://github.com/secureblue/hardened-chromium hardened-chromium], which is inspired by [https://github.com/GrapheneOS/Vanadium Vanadium]. [https://grapheneos.org/usage#web-browsing Why chromium?] [https://forum.vivaldi.net/post/669805 Why not flatpak chromium?]
Unavailable in Kicksecure at time of writing. See [[Dev/Default Browser|Kicksecure Default Browser - Development Considerations]] for general considerations and chapter [[Dev/Default_Browser#hardened-chromium|hardened-chromium]] specifically.
* Setting numerous hardened sysctl values [https://github.com/secureblue/secureblue/blob/live/files/system/etc/sysctl.d/hardening.conf details]
The secureblue /etc/sysctl.d/hardening.conf file as of commit [https://github.com/secureblue/secureblue/blob/a6b58f042b0e9e9036a6d68a5b202eed96a1a892/files/system/etc/sysctl.d/hardening.conf a6b58f042b0e9e9036a6d68a5b202eed96a1a892] was inspired by, if not more or less copied and pasted from, Kicksecure, as can be seen from the following comment found in that file.
<pre>
## Prevent kernel info leaks in console during boot.
## https://phabricator.whonix.org/T950
kernel.printk = 3 3 3 3
</pre>
Therefore, Kicksecure has mostly the same settings. These can be found in package [https://github.com/Kicksecure/security-misc security-misc], specifically in folder [https://github.com/Kicksecure/security-misc/tree/master/usr/lib/sysctl.d /usr/lib/sysctl.d]. If there are any differences, these can be discovered during ticket [https://github.com/Kicksecure/security-misc/issues/283 review secureblue sysctl]. Kicksecure might have more complete sysctl settings as per: {{quotation |quote=This section is inspired by the Kernel Self Protection Project (KSPP). It attempts to implement all recommended Linux kernel settings by the KSPP and many more sources. https://kspp.github.io/Recommended_Settings
https://github.com/KSPP/kspp.github.io |context=security-misc readme }}
* Remove SUID-root from [https://github.com/secureblue/secureblue/blob/live/files/scripts/removesuid.sh numerous binaries] and replace functionality [https://github.com/secureblue/secureblue/blob/live/files/system/usr/bin/setcapsforunsuidbinaries using capabilities]
Kicksecure has [[SUID Disabler and Permission Hardener]]. See also chapter [[#capabilities|capabilities]].
* Disable Xwayland by default (for GNOME, Plasma, and Sway images)
TODO Kicksecure:
* [https://forums.whonix.org/t/port-to-wayland/17380 port to Wayland]
* https://github.com/Kicksecure/security-misc/issues/168

At this point, Kicksecure (and Whonix) runs primarily inside VMs. GNOME and KDE are unsuitable for Kicksecure.
* GNOME due to security and privacy concerns elaborated on [[Dev/GNOME]].
* In the past [https://forums.whonix.org/t/user-poll-xfce-vs-kde-kde-deprecation-considered/6235 KDE was Whonix's default desktop environment but then ported to Xfce due to performance issues]. See also [[Dev/KDE]].

No desktop environment suitable for Kicksecure that is already using Wayland has been identified yet.
* Mitigation of [https://github.com/Aishou/wayland-keylogger LD_PRELOAD attacks] via `ujust toggle-bash-environment-lockdown`
TODO Kicksecure: research
* Disabling coredumps
Implemented in security-misc.
* Disabling all ports and services for firewalld
No open ports for Kicksecure by default.
* Adds per-network MAC randomization
TODO Kicksecure: https://github.com/Kicksecure/security-misc/issues/184 See also [[MAC Address]].
* Blacklisting numerous unused kernel modules to reduce attack surface [https://github.com/secureblue/secureblue/blob/live/files/system/etc/modprobe.d/blacklist.conf details]
The secureblue [https://github.com/secureblue/secureblue/commits/live/files/system/etc/modprobe.d/blacklist.conf /etc/modprobe.d/blacklist.conf] as of git commit [https://github.com/secureblue/secureblue/blob/c8eff2ca0bc9f7f2db9e1e172dc70942e6983912/files/system/etc/modprobe.d/blacklist.conf c8eff2ca0bc9f7f2db9e1e172dc70942e6983912] looks similar and might be inspired by or forked from the Kicksecure [https://github.com/Kicksecure/security-misc/tree/master/etc/modprobe.d /etc/modprobe.d] files, but was probably adjusted for secureblue. For example, if secureblue does not provide an ISO using squashfs, then secureblue can disable the module:
<pre>
install squashfs /bin/false
</pre>
* Enabling only the [https://flathub.org/apps/collection/verified/1 flathub-verified] remote by default
Quote [[Install_Software#Kicksecure_Flathub_Repository_Default_Settings|Kicksecure Flathub Repository Default Settings]]: "Kicksecure mitigates the issues described in chapter [[#Flathub_Package_Sources_Security|Flathub Package Sources Security]] related to unverified applications and non-freedom software by using Flatpak's subset option with the verified_floss parameter, which means that only Flatpaks can be installed that are both verified apps and floss (Freedom Software)."
* Sets numerous hardening kernel arguments (Inspired by [https://madaidans-insecurities.github.io/guides/linux-hardening.html Madaidan's Hardening Guide]) [https://github.com/secureblue/secureblue/blob/live/KARGS.md details]
Kicksecure has the same because Madaidan contributed to Kicksecure. Also see KSPP as mentioned above.
* Require wheel user authentication via polkit for `rpm-ostree install` [https://github.com/rohanssrao/silverblue-privesc why?]
Not directly applicable to Kicksecure. User documentation: [[root]]. Future enhancements: [[Dev/boot modes|Role-Based Boot Modes (user versus admin) for Enhanced Security]].
* Brute force protection by locking user accounts for 24 hours after 50 failed login attempts, hardened password encryption and password quality suggestions
{{quotation |quote=User accounts are locked after 50 failed login attempts using pam_faillock. https://kspp.github.io/Recommended_Settings
https://github.com/KSPP/kspp.github.io |context=security-misc readme }}
* Developer documentation: [[Dev/Strong_Linux_User_Account_Isolation#Bruteforcing_Linux_User_Account_Passwords_Protection|Bruteforcing Linux User Account Passwords Protection]]
* User documentation: [[Default Passwords]] and [[Passwords]]
* Installing usbguard and providing `ujust` commands to automatically configure it
TODO Kicksecure:
* https://forums.whonix.org/t/usbguard-on-kicksecure-to-prevent-hardware-keyloggers-badusb/11988
* https://github.com/Kicksecure/security-misc/pull/166
* Installing bubblejail for additional sandboxing tooling
TODO Kicksecure: [[sandbox-app-launcher]]
* Set opportunistic DNSSEC and DNSOverTLS for systemd-resolved
Kicksecure does not use systemd-resolved by default. systemd-resolved and other tools would require further research. systemd-resolved is mentioned in [[DNS Security]].

TODO Kicksecure: [https://forums.whonix.org/t/use-dnscrypt-by-default-in-kicksecure-not-whonix/8117/1 Use DNSCrypt by default in Kicksecure?]
* Configure chronyd to use Network Time Security (NTS) [https://github.com/GrapheneOS/infrastructure/blob/main/chrony.conf using chrony config from GrapheneOS]
Kicksecure uses [[sdwdate]].
* Disable KDE GHNS by default [https://blog.davidedmundson.co.uk/blog/kde-store-content why?]
Probably useful for secureblue but not essential for Kicksecure since it is not using KDE by default. User documentation: [[Other Desktop Environments]]
* Disable install & usage of GNOME user extensions by default
Probably useful for secureblue but not essential for Kicksecure since it is not using GNOME by default. User documentation: [[Other Desktop Environments]]
* Use HTTPS for all rpm mirrors
Kicksecure uses tor+https for APT as configured in [https://github.com/Kicksecure/anon-apt-sources-list anon-apt-sources-list] and documented on the [[About]] wiki page.
* Set all default container policies to `reject`, `signedBy`, or `sigstoreSigned`
Not applicable to Kicksecure since it is not a container-focused operating system at time of writing. Probably useful for secureblue if using [https://github.com/containers/image containers' images].
* Disable a variety of services by default (including cups, geoclue, passim, and others)
Kicksecure does not install these by default and comes with [https://github.com/Kicksecure/security-misc?tab=readme-ov-file#application-specific-hardening Application-specific hardening].
* Removal of the unmaintained and suid-root fuse2 by default
Kicksecure has [[SUID Disabler and Permission Hardener]].
* (Non-userns variants) Disabling unprivileged user namespaces
Disabling unprivileged user namespaces breaks flatpak, AppImages and Firefox's sandbox. Therefore this was reverted and is not implemented.
* https://forums.kicksecure.com/t/unprivileged-user-namespaces-kernel-unprivileged-userns-clone-can-not-run-flatpak-apps-appimages-after-kicksecure-update/592/
* https://github.com/Kicksecure/security-misc/issues/274
* (Non-userns variants) Replacing bubblewrap with suid-root bubblewrap so flatpak can be used without unprivileged user namespaces
SUID is also a risk. (Hence, [[SUID Disabler and Permission Hardener]] exists.)

{{quotation |quote=This mode is not recommended, and some Flatpak apps and features will not work. [...] This is a security trade-off. Disallowing unprivileged use of user namespaces reduces the kernel's attack surface, which mitigates some attacks; but it also disallows some sandboxing techniques, which prevents other attacks from being mitigated. Making bwrap or flatpak-bwrap setuid root also carries some risk: an attacker might be able to exploit vulnerabilities in bwrap to achieve root privilege escalation. |context=flatpak wiki, chapter [https://github.com/flatpak/flatpak/wiki/User-namespace-requirements#setuid-bubblewrap Setuid bubblewrap] }}

Therefore Kicksecure does not use suid-root bubblewrap.

= capabilities =
* Remove SUID-root from [https://github.com/secureblue/secureblue/blob/live/files/scripts/removesuid.sh numerous binaries] and replace functionality [https://github.com/secureblue/secureblue/blob/live/files/system/usr/bin/setcapsforunsuidbinaries using capabilities]
Kicksecure has [[SUID Disabler and Permission Hardener]]. Capabilities can be useful, but adding them can also add attack surface.
<pre>
set_caps_if_present "cap_dac_read_search,cap_audit_write=ep" "/usr/bin/chage"
</pre>
Kicksecure prefers not to re-add capabilities for chage.

{{quotation |quote= These tools probably are used much nowadays on Linux desktop single user computers. If you need any of this, you are better off using root. * chage [https://manpages.debian.org/chage man] (change user password expiry information) |context=[[SUID_Disabler_and_Permission_Hardener#SUID_SGID_Hardening_Issues|Kicksecure, SUID Disabler and Permission Hardener, SUID SGID Hardening Issues]] }}

No user has reported yet that they need the ability to use chage. For the benefit of security hardening (lower attack surface), chage remains non-functional for non-root users in Kicksecure.
<pre>
set_caps_if_present "cap_chown,cap_dac_override,cap_fowner,cap_audit_write=ep" "/usr/bin/chfn"
</pre>
Same as above.
<pre>
set_caps_if_present "cap_dac_read_search,cap_audit_write=ep" "/usr/sbin/unix_chkpwd"
</pre>
Same as above. cap_dac_read_search is dangerous.

{{quotation |quote=CAP_DAC_READ_SEARCH * Bypass file read permission checks and directory read and execute permission checks; |context=https://man7.org/linux/man-pages/man7/capabilities.7.html }}
<pre>
set_caps_if_present "cap_dac_read_search=ep" "/usr/libexec/openssh/ssh-keysign"
</pre>
TODO: Kicksecure: While cap_dac_read_search is still dangerous, it's better than SUID.
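A defender-side audit for the capability sets listed in this chapter, added here as an example (it is not secureblue's setcapsforunsuidbinaries script nor Kicksecure's permission hardener code): it parses getcap output, flags the capabilities discussed in this chapter such as cap_dac_read_search and cap_sys_admin, and can be pointed at a live filesystem. The SAMPLE lines and the DANGEROUS list are constructed assumptions for this example.

```shell
#!/bin/sh
# Added example (not secureblue's or Kicksecure's code): classify file-capability
# sets in the format printed by "getcap -r /" and flag the ones this chapter
# treats as root-equivalent. Both the new ("<path> cap_x=ep") and the older
# ("<path> = cap_x+ep") getcap output formats are handled.

# Capabilities considered root-equivalent or near-root (assumption for this example).
DANGEROUS='cap_sys_admin cap_dac_read_search cap_dac_override cap_sys_ptrace cap_setuid cap_setgid cap_sys_module cap_sys_rawio'

# Constructed sample of getcap output; paths and sets mirror the set_caps_if_present
# entries discussed above plus one benign entry (ping).
SAMPLE='/usr/bin/chage cap_dac_read_search,cap_audit_write=ep
/usr/bin/fusermount3 cap_sys_admin=ep
/usr/bin/ping cap_net_raw=ep
/usr/libexec/openssh/ssh-keysign cap_dac_read_search=ep'

# classify_caps "<getcap line>": prints one "RISK <path> <cap>" line per dangerous
# capability found, or "ok <path>" when none is present.
classify_caps() {
  path=${1%% *}             # everything before the first space
  capset=${1#* }            # "cap_a,cap_b=ep" or "= cap_a,cap_b+ep"
  capset=${capset#= }       # strip the "= " of the older getcap format
  capset=${capset%%[=+]*}   # drop the "=ep" / "+ep" flag suffix
  found=0
  IFS=','                   # split the comma-separated capability names
  for cap in $capset; do
    case " $DANGEROUS " in
      *" $cap "*) echo "RISK $path $cap"; found=1 ;;
    esac
  done
  unset IFS                 # restore default field splitting
  [ "$found" -eq 0 ] && echo "ok $path"
  return 0
}

# count_risky: number of RISK findings over SAMPLE (3 for the sample above).
count_risky() {
  printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
    classify_caps "$line"
  done | grep -c '^RISK'
}

# audit_live_system: run the same classification over the real filesystem
# (requires libcap's getcap; needs root to read every directory).
audit_live_system() {
  getcap -r / 2>/dev/null | while IFS= read -r line; do
    case $line in *=*) classify_caps "$line" ;; esac
  done
}
```

Run audit_live_system to compare a machine's actual file capabilities against the SUID and capability policies described in this chapter; a RISK line marks a binary that deserves the same scrutiny as a SUID-root one.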
<pre>
set_caps_if_present "cap_sys_admin=ep" "/usr/bin/fusermount3"
</pre>
* Kicksecure whitelists fusermount SUID, which is dangerous. (Optional user opt-in: [[SUID_Disabler_and_Permission_Hardener#Disable_All_SUID_Binaries|Disable All SUID Binaries]]) In the future, when [[Dev/boot modes]] has been implemented, fusermount might only be accessible for user "admin".
* secureblue sets fusermount cap_sys_admin, which is dangerous. [https://lwn.net/Articles/486306/ CAP_SYS_ADMIN: the new root]
* Most other Linux desktop distributions: neither SUID nor capabilities hardening.

= sudoless =
The term "sudoless" can be confusing. See also [[Root#sudoless|definition of "sudoless"]].

{{quotation |quote=v4.2.0 - secureblue goes sudoless! In a continuing effort to minimize and eventually eliminate suid-root binaries, sudo, su, and pkexec have all been removed from the images. As noted at the end of this section of the postinstall readme, polkit prompts and manual polkit invocations via run0 can be used to accomplish the same functionality without suid-root, notably even for non-wheel users (by prompting for the wheel user's password). In addition, suid-root has been removed from numerous other binaries that don't require it. |context=secureblue release announcement: [https://github.com/secureblue/secureblue/releases/tag/v4.2.0 v4.2.0 - secureblue goes sudoless!] }}

Kicksecure won't be using [https://www.freedesktop.org/software/systemd/man/256/run0.html run0] anytime soon.

{{quotation |quote=It’s larger than doas. Way larger. run0 (really systemd-run) is 2642 lines long (including newlines and whatnot), and is heavily tied into the systemd codebase, which is about 1.3 million lines of C code. It’s unclear how much of that could be used to exploit run0, but some of it quite possibly can. doas on the other hand is relatively isolated (the only library it uses beyond the C standard library is PAM), and is only 1,850 lines long. Ergo, less attack surface.
|context=Kicksecure developer Aaron Rainbolt, [https://forums.whonix.org/t/replace-sudo-with-doas/17482/28 forum post] }}

Instead, Kicksecure will implement [[Dev/boot modes|Role-Based Boot Modes (user versus admin) for Enhanced Security]], where sudo, su, and pkexec will be non-executable by the user "user".

= See Also =
* https://www.kicksecure.com/#security
* [[About]]

= Footnotes =
{{Footer}}