I am too lazy to research it and still wondering. Can someone give me a basic explanation of it?

  • LalSalaamComrade@lemmy.ml
    9 months ago

    Basically, you want to improve the security of Linux, by reducing the attack surface and adding authentication wherever possible? There’s a bunch of practices involved - using a custom hardened kernel focused on security, as well as enabling strong firewall config and disk encryption. I’ve never tried hardening before, so I don’t know if I’m missing anything.

    Honestly, you could use OpenBSD here, as it comes hardened out of the box, and it seems to be the preferred choice for security-first computing. But if platform is a constraint, then you may try your luck with linux-hardened.

    • Possibly linux@lemmy.zip
      9 months ago

      I wouldn’t recommend OpenBSD as it is fairly obscure compared to Linux. I’ve yet to see a real-world example of how it is somehow better.

      • dsemy@lemm.ee
        9 months ago

        They developed new system calls (pledge and unveil) which restrict the system calls and file access of programs (here’s a good writeup by Andreas Kling after he added support in SerenityOS: https://awesomekling.github.io/pledge-and-unveil-in-SerenityOS/). As an example, the Firefox port for OpenBSD uses them to heavily restrict what random websites can do or get from your system.

        Just one example since you’ve somehow yet to see any.
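
A sketch of the pledge and unveil calls mentioned in the comment above, added here as an illustration; it is not code from the thread, from OpenBSD, or from the Firefox port. The helper names and the sample paths are assumptions, and on systems other than OpenBSD the two calls are compiled out, so nothing is enforced there.

```c
/* Added example: a process confines itself with unveil(2) and pledge(2).
 * The restrictions exist only on OpenBSD; elsewhere the calls are compiled out. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: expose only `dir` (read-only), then keep just
 * stdio and read-only file access. Returns 0 on success, -1 on failure. */
int confine_to_readonly_dir(const char *dir)
{
#ifdef __OpenBSD__
    if (unveil(dir, "r") == -1)       /* only this subtree stays visible */
        return -1;
    if (unveil(NULL, NULL) == -1)     /* lock the list: no later unveil calls */
        return -1;
    /* No "wpath", "inet", "proc" or "exec": a violating call kills the process. */
    if (pledge("stdio rpath", NULL) == -1)
        return -1;
#else
    (void)dir;                        /* assumption: no-op where the calls do not exist */
#endif
    return 0;
}

/* Hypothetical helper: read the first line of `path` into buf.
 * Returns its length, or -1 if the file cannot be opened or is empty. */
int read_first_line(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;                    /* OpenBSD reports ENOENT for paths not unveiled */
    if (fgets(buf, (int)len, f) == NULL) {
        fclose(f);
        return -1;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';   /* strip the trailing newline */
    return (int)strlen(buf);
}

int main(void)
{
    char line[256];
    /* Sample paths chosen for illustration only. */
    if (confine_to_readonly_dir("/usr/share/misc") == -1)
        return 1;
    printf("inside:  %d\n", read_first_line("/usr/share/misc/airport", line, sizeof line));
    /* Outside the unveiled tree: fopen() fails on OpenBSD although the file exists. */
    printf("outside: %d\n", read_first_line("/etc/passwd", line, sizeof line));
    return 0;
}
```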