Secureblue is a security-focused desktop Linux operating system.

Features

Exploit mitigation:

Installing and enabling GrapheneOS' hardened_malloc globally, including for flatpaks.

Installing our chromium-based browser Trivalent, which is inspired by Vanadium.

SELinux-restricted unprivileged user namespaces

Setting numerous hardened sysctl values details

Sets numerous hardening kernel arguments

Configure chronyd to use Network Time Security (NTS) using chrony config from #GrapheneOS

Set opportunistic DNSSEC and DNSOverTLS for systemd-resolved

Installing usbguard and providing ujust commands to automatically configure it

Filling holes in the linux security posture

Remove SUID-root from numerous binaries, replacing functionality using capabilities, and remove sudo, su, and pkexec entirely in favor of run0

Disable Xwayland by default (for GNOME, Plasma, and Sway images)

Mitigation of LD_PRELOAD attacks via ujust toggle-bash-environment-lockdown

Disable install & usage of GNOME user extensions by default

Disable KDE GHNS by default

Removal of the unmaintained and suid-root fuse2 by default

Disabling unprivileged user namespaces by default for the unconfined domain and the container domain

Security by default:

Disabling all ports and services for firewalld

Use HTTPS for all rpm mirrors

Set all default container policies to reject, signedBy, or sigstoreSigned

Enabling only the flathub-verified remote by default

Reduce information leakage:

Adds per-network MAC randomization

Disabling coredumps

Attack surface reduction:

Blacklisting numerous unused kernel modules to reduce attack surface

Brute force protection by locking user accounts for 24 hours after 50 failed login attempts, hardened password encryption and password quality suggestions

Disable and mask a variety of services by default (including cups, geoclue, passim, and others)

Security ease-of-use:

Installing bubblejail for additional sandboxing tooling

Tooling for automatically setting up and enabling LUKS TPM2 integration for unlocking LUKS drives

Tooling for automatically setting up and enabling LUKS FIDO2 integration for unlocking LUKS drives

Toggles for a variety of the hardening set by default, for user convenience (ujust --choose)