Dom0 being based on Fedora has been a gripe of mine for a while now. Fedora isn’t that secure without some effort either. Unfortunately, I have no way to confirm which one out of them is “more secure”.

Do you have any sort of automated test framework in mind which one can use to test distros against attacks?

Thanks for the tip, love Capy.

You’re right, Whonix is probably the better idea. I use kick secure now but if I move to Qubes then I’ll use Whonix as a default.

I’ll have to read more about secureblue. I haven’t given the documentation as much time as I should have. I guess you could run an HVM for now.

Why do you rank secureblue over Whonix?

You’re right, secureblue isn’t quite there when talking about security on desktop/server Linux.

Hey, I recognise you now! That was a great post, I had a lot of fun reading it. If I could follow people on Lemmy I’d follow you.

What do you think about Kicksecure (and Kicksecure inside of Qubes)? I know they are criticised for backports but leaving that issue aside, I think they have created a very handy distro. I personally go through CIS benchmarks for most of stuff including Kicksecure but it’s definitely nice to have a prey hardened distro (SecureBlue too but I hear SecureBlue isn’t a big team, not sure how much time they have to address the broad range of desktop Linux security issues).

Honestly, Qubes is the best at this by far. Their method of compartmentalisation takes away the complexity of reasonable security from the end-user making it a mostly seamless experience. I personally think that if you were to put GrapheneOS and Qubes OS side-by-side on uncompromised hardware, I’d take Qubes. I’d run GrapheneOS inside Qubes with a software/hardware TPM passed through if I could.

Thanks. You are correct, however since root is required for certain processes, I will use different users and doas for my needs.

I have realised that it is hard for me to justify the reason why I want to harden an OS for personal use. I gave privilege escalation out, but after reading your comment I have realised that that is not the only thing I am looking to “fix”. My intention with running hardened_malloc was to prevent DoS attacks by malicious applications trying to exploit unknown buffer overflow situations, and LibreSSL and musl were to reduce the attack surface.

I agree with your comment though. I’m just wondering about how I can specify a reason (and why such a reason is required to justify hardening of a distro). I haven’t found much of a reason for the existence of OpenBSD, Kicksecure, Qubes etc other than general hardening and security.

Thank you for that. Yes, I only really follow his post roughly.

Unfortunately, I don’t think secureblue is going to be a possible choice. I like the secureblue project, I think it’s awesome but what I’m working with will likely only come with a Rocky/AlmaLinux base.

You raise a valid point. In which case, I want to try and prevent malicious privilege escalation by a process on this system. I know that’s a broad topic and depends on the application being run, but most of the tweaks I’ve listed work towards that to an extent.

To be precise, I’m asking how to harden the upcoming AlmaLinux based Dom0 by the XCP-NG project. I want my system to be difficult to work with even if someone breaks into it (unlikely because I trust Xen as a hypervisor platform but still).

I admit I was a bit surprised by the question since I’ve never consciously thought about a reason to harden my OS. I always just want to do it and wonder why OSes aren’t hardened more by default.

What do you mean? I want to harden it in a general sense against exploitation

Thank you for the note. I’m been cursing myself for not being able to provide my devs with something similar (they don’t complain but I know it will make their lives easier). I will start nix from scratch if I learn it but nixops definitely seems like it can help because terraform isn’t that great at the example you provided. Thanks.

focused on security hardening

Could you elaborate?

I am serious. I am a cloud engineer (glorified system admin for cloud + Linux VMs) and I’m still stuck on Ansible + Terraform (stuck isn’t the right word, we are a RHEL and Alpine shop for our VMs and Containers and things work well enough). My friends in bigger companies are using Nix though, but I was always scared of the learning curve. I want to see clear benefits of using nix so I can push myself to actually learn it, which is why I asked. Thanks for the link.

Please tell me more about your work and how you use Nix in it. I’m interested.

Have you tried bigger models?

Haha I know

Well I guess if you have a GPU then Ryzen Zen 3 processors are better bang for the buck

That’s great to know. Do you regret not having the performance of Nvidia? I would prefer not to buy green but I’m not sure from the comments about the delta in performance from ROCM vs CUDA

I’m not the OP, and yeah I saw that too. Thanks

I see. Thanks

How quantized? I don’t think 16GB of RAM is enough to run a full fat 12B model at FP16 but maybe I’m wrong.

Nvidia cards are just too expensive

How do you not configure the network stack? If you have an Intel NIC on the motherboard/any PCIE lanes in theory it should be able to connect.

What worries me is that someone could perform a reverse shell on my system with/in addition to a magic packet and get full ring 0 access to my system. I’m investigating network monitoring tools that can help me find traces of ME on my network.

Because it lets us disable Intel ME