Hardening script

[solidc0re]

Hi all,

I've had the idea of creating a hardening script for immutable Fedora variants for a while.

Why? Well, some may prefer to have a hardened system as their daily driver, perhaps because of the work they do or simply for peace of mind. For others, they may like to increase their security when they are travelling, in case their device gets stolen. They could always uninstall the script or re-base to a less hardened variant when they are at home.

Potential hardening strategies include kernel hardening, network sysctl tweaks, locking down USB ports, improving password policies, etc.

I am no developer but that I've made a start on something that, I hope, will increase the security of immutable variants of Fedora:
https://github.com/solidc0re/solidcore-scripts (NB, it's a work in progress)

Could something like this be included in ublue - for example, in the 'just' tool? So people could type 'just secure' and they could rest in the knowledge that their device would be a little more secure as a result?

Let me know what you folks think :)

[solidc0re]

I've given this some more thought as I work towards releasing v0.1 of my script.

As it stands, the script provides more hardening that I think most ublue users would expect or want, so I suggest a 'lite' hardening process for when someone is venturing out into the world to travel, stay in hotels and using public wifi networks.

The idea is that this lite version would make the device more secure against evil maid attacks, bruteforcing of local password and some basic network protection.

To achieve this, this lite version could include:

• Installation of USBGuard to prevent unwanted USB drives from being automounted,
• Change the firewalld zone to 'drop' to provide basic hardening on public networks. (The default zone allows ssh, which to an uncareful user could present an opportunity for compromising their system.)
• Set a GRUB password to prevent bootloader alterations,
• Enforce stronger password and ask the user to update theirs,
• If more than one user set up, prevent users from seeing each other's files.

All of these changes are revertable and undoing the changes could easily be written into a script, so it could be as simple as typing one command, entering a new password and reboot to apply the changes, then typing a second command, entering a new password (optional) reboot to undo.

What do you think? Would you use this if you were out and about, attending conferences, etc. with your ublue laptop?

[throwaway43]

What do you think? Would you use this if you were out and about, attending conferences, etc. with your ublue laptop?

I definitely favor hardening and your scripts do look very interesting so far. Generally speaking, I would lean towards the 'full-package-deal' for the hardening. However, I'm very aware that not everyone is as paranoid sensitive when it comes to security. So the lite version might be more appealing to more people.

[solidc0re]

Thanks for your encouragement - it's good to read that the scripts look interesting and may be of use to someone other than myself!

The hardening scripts should work on all immutable Fedora variants, including ublue images. The minor inconvenience is that if you want to update the hardening to align with updates to the scripts, you have to uninstall then re-install (please refrain from doing so until I get the uninstall script fully tested and operational; prob in v0.1.5). The plan is to get the hardening applied to images directly so folk can re-base to the hardened images, but that's more of a long-term project and won't be something I re-visit until I get the scripts in a good place.

Totally agree that a solidcore-lite might be more accessible to others. Will implement and/or port the existing features from the main scripts if I get more postive feedback.

[throwaway43]

I don't have any numbers on this, but I wouldn't be surprised if there's a substantial number of people that start using Silverblue/Kinoite on privacyguides.org's recommendation. Heck, I'm one of them.

While privacyguides.org even offers some advice on how one should go about hardening it beyond what's available by default, they don't actually provide very in-depth guide-lines on this. If I'm not mistaken, one of the team-members mentioned once that it was related to the difficulty of maintaining an advanced guide as such and due to fearing that a guide as such would discourage less technical people from hardening at all.

However, I'm quite positive that they would be very appreciative of this work and they might even be able to help out with a thing or two. IIRC, one of their primary contributors/mods (Daniel Gray AKA dngray) even uses Silverblue on at least one of his devices. At the very least, they might spread the word and perhaps more users would gravitate towards this project after being exposed to it.

Furthermore, an ex-member of their team (and I believe the primary contributor on the pieces related to Linux) continues to write on his own page. He often shouts out and refers to others' efforts in the pieces he writes. Furthermore, he already has some hardening script to use on Fedora CoreOS. So I wouldn't be surprised at all if he would be very interested to somehow collaborate in some way or fashion.

[solidc0re]

Good shout - I have privsec.dev on my RSS feed but hadn't thought to check it out for hardening content in relation to the solidcore project. I'll reach out to him and see if he's interested. I had plans to keep it low key for the time being, until I was a bit happier with the project but you're the second person to reach out and prompt me to get in touch with others and collaborate, so I'm gonna go with it :)