top | item 44939058

0xfedcafe | 6 months ago

Best systemd hardening is switching to OpenRC or runit

mcpherrinm|6 months ago

Do you have any references for doing similar system hardening under either of those?

0xfedcafe|6 months ago

Yeah. With OpenRC or runit, the idea is you just layer the security on yourself since the base is so minimal. Honestly, the best place to start for any system is Madaidan’s Linux Hardening Guide. It’s super thorough and works for pretty much anything. From there, you can add other tools. The Gentoo Hardened setup with SELinux is an option, but it’s a ton of work. AppArmor is way easier for just locking down specific services and apps, it’s what Alpine uses and it’s pretty effective. And for sandboxing random apps, Firejail is perfect. You can just wrap it around your browser or anything else you don’t fully trust to keep it contained. Gives you a lot of control.

https://madaidans-insecurities.github.io/guides/linux-harden...

https://discuss.privacyguides.net/t/add-gentoo-linux-void-li...

https://github.com/gentoo/hardened-refpolicy

https://krython.com/post/hardening-alpine-linux-system-secur...

fsflover|6 months ago

No, switching to Qubes OS is the real hardening.

gf000|6 months ago

An unbootable system is indeed harder to exploit!

/s

yjftsjthsd-h|6 months ago

Why would OpenRC or runit be any less likely to boot?