Features | secureblue

Exploit mitigation

Install and enable hardened_malloc globally, including for Flatpaks.
Install Trivalent, our security-focused, Chromium-based browser inspired by Vanadium. ^{Why Chromium-based?} ^{Why not a Flatpak?}
SELinux confinement for Trivalent.
Kernel hardening via sysctl. ^details
Kernel hardening via kernel arguments. ^details
Configure chronyd to use Network Time Security (NTS).
Configurable DNS over TLS and local DNSSEC validation with Unbound via ujust dns-selector. systemd‑resolved is optionally available for compatibility.
Install USBGuard and provide ujust commands to automatically configure it.

Remove suid-root from numerous binaries, replacing functionality using capabilities, and remove sudo, su, and pkexec entirely in favor of run0. ^why?
Disable Xwayland by default (for GNOME, Plasma, and Sway images).
Disable install & usage of GNOME user extensions by default.
Disable KDE GHNS by default. ^why?
Remove the unmaintained and suid-root fuse2 by default.
Disable unprivileged user namespaces by default for the unconfined SELinux domain and the container SELinux domain, while retaining support for flatpaks, Trivalent, and other applications that need unprivileged user namespaces. ^why?
Prohibit ptrace attachment by default. ^why?
Locking down Flatpak permissions to close sandbox escapes. ^why?

Disable all ports and services for firewalld.
Use HTTPS for all rpm mirrors.
Set all default container policies to reject, signedBy, or sigstoreSigned.
Enable only the Flathub-verified remote by default.

Blacklist numerous unused kernel modules to reduce attack surface. ^details
Protect against brute force by locking user accounts for 24 hours after 50 failed login attempts, providing password quality suggestions and making use of hardened password hashing.
Disable and mask a variety of services by default (including cups, geoclue, passim, and others).

Provide system auditing tooling to verify the status of system hardening and provide users with suggestions.
Setup commands via ujust for installing desktop apps from common VPN providers.
Install Bubblejail for additional sandboxing tooling.
Provide tooling for automatically setting up and enabling LUKS TPM2+PIN integration for unlocking LUKS drives (on devices where the TPM is free of known vulnerabilities).
Provide tooling for automatically setting up and enabling LUKS FIDO2 integration for unlocking LUKS drives.
Provide toggles for a variety of the hardening set by default, for user convenience (ujust --choose).

Provide out-of-the-box support for patent-encumbered codecs and drivers, which Fedora doesn’t provide for legal reasons.
Provide server images with the ZFS kmod and tooling preinstalled (-zfs).
Provide images for any desired Nvidia driver and kmod configuration: main images with Nouveau + NVK, nvidia images with the Nvidia-closed kmod and drivers, and nvidia-open images with the Nvidia-open kmod and drivers.
Provide tooling to easily change desktop environments by rebasing between our images (ujust rebase-secureblue).
Install Homebrew, which (optionally) simplifies software installation and management of CLI apps.