Comparison of secureblue with Kicksecure and Development Notes
secureblue and Kicksecure are both hardened operating systems prioritizing security. This wiki page provides a side-by-side comparison of some of their security features, development decisions, and the rationale behind various implementations. Explore how each system addresses security challenges. This guide serves as a resource for developers, security enthusiasts, and users seeking insight into cutting-edge OS security practices.
Quick, preliminary analysis, version 0.1, based only on a quote from the secureblue GitHub repository README.md as of November 2024, commit hash e40b70df06a30c3a2d99f337f3cbfe3d5a54aa83, and related linked files, plus a comment on #Unprivileged User Namespaces as of secureblue release 4.3.0.
Quick update: January 2026: Updated to reflect Kicksecure 18.
Lineage
Based on Fedora, which comes with its own issues. See: Whonix wiki, Dev/Operating System, chapter Fedora.
Hardening
- Installing and enabling hardened_malloc globally, including for Flatpaks. [1]
Kicksecure is no longer using hardened_malloc for reasons elaborated in chapter Hardened Malloc, Deprecation in Kicksecure.
Unavailable in Kicksecure at time of writing. See Kicksecure Default Browser - Development Considerations for general considerations and chapter Trivalent specifically.
- Setting numerous hardened sysctl values [4]
secureblue's /etc/sysctl.d/hardening.conf file as of commit cb11fbcaaed34c92d0993fb1f4395824f28d3742 was inspired by, or more or less copied and pasted from, Kicksecure, as can be seen from the following comment found in that file:

```
## Prevent kernel info leaks in console during boot.
## https://phabricator.whonix.org/T950
kernel.printk = 3 3 3 3
```

Past attribution as of POSTINSTALL-README.md git commit c824e7e37b8a09d827458a8dac12df0b96e42f37 was:

- Setting numerous hardened sysctl values (Inspired by but not the same as Kicksecure's)

Attribution was removed in git commit 9e11ed2f8e33f2280046808b70317ecf5f5336e6.
Therefore, Kicksecure has mostly the same settings. These can be found in package security-misc, specifically in folder /usr/lib/sysctl.d. If there are any differences, these can be discovered during ticket review: secureblue sysctl.
Kicksecure might have more complete sysctl settings, as per the security-misc readme:
"This section is inspired by the Kernel Self Protection Project (KSPP). It attempts to implement all recommended Linux kernel settings by the KSPP and many more sources."
- https://kspp.github.io/Recommended_Settings
- https://github.com/KSPP/kspp.github.io
- Remove SUID-root from numerous binaries and replace functionality using capabilities
Kicksecure has SUID Disabler and Permission Hardener. See also chapter capabilities.
- Disable Xwayland by default (for GNOME, Plasma, and Sway images)
Not yet possible with LXQt at the time of writing, sadly: lxqt-panel breaks. [5]
Kicksecure 18 and higher use Wayland via the labwc display server. The current desktop environment is LXQt.
At this point, Kicksecure (and Whonix) runs primarily inside VMs. GNOME and KDE are unsuitable for Kicksecure.
- GNOME due to security and privacy concerns elaborated on Dev/GNOME.
- In the past, KDE was Whonix's default desktop environment, but Whonix was then ported to Xfce due to performance issues. See also Dev/KDE.
- Xfce was not suitable for general use under Wayland in Debian Trixie. It was missing essential desktop features. LXQt was the only desktop environment researched that was suitable for Kicksecure and mature enough to use with Wayland in Debian Trixie.[6]
- Mitigation of LD_PRELOAD attacks via ujust toggle-bash-environment-lockdown
TODO Kicksecure: research
- Disabling coredumps
Implemented in security-misc.
- Disabling all ports and services for firewalld
No open ports for Kicksecure by default.
- Adds per-network MAC randomization
The effectiveness of this approach is unclear. Leak-proof MAC Randomization has technical implementation challenges. For references, see Dev/MAC wiki page.
TODO Kicksecure:
- MAC randomization breaks root server and VirtualBox DHCP / IPv6PrivacyExtensions might be problematic #184
- See also MAC Address.
- Blacklisting numerous unused kernel modules to reduce attack surface [7]
secureblue's /etc/modprobe.d/blacklist.conf as of git commit c8eff2ca0bc9f7f2db9e1e172dc70942e6983912 looks similar and might be inspired by or forked from Kicksecure's /etc/modprobe.d files, but was probably adjusted for secureblue. [8]
- Enabling only the flathub-verified remote by default
Quote Kicksecure Flathub Repository Default Settings:
"Kicksecure mitigates the issues described in chapter Flathub Package Sources Security related to unverified applications and non-freedom software by using Flatpak's subset option with the verified_floss parameter, which means that only Flatpaks can be installed that are both verified apps and floss (Freedom Software)."
- Sets numerous hardening kernel arguments (Inspired by Madaidan's Hardening Guide) [9]
Kicksecure has the same because Madaidan contributed to Kicksecure. Also see KSPP as mentioned above.
- Require wheel user authentication via polkit for rpm-ostree install [10]
This feature was inspired by Kicksecure, as per the quote:
"Creating a dedicated wheel user and removing wheel from your primary user helps prevent certain attack vectors, like:"
Implemented differently in Kicksecure. User documentation: root; sysmaint. Developer documentation: user-sysmaint-split; Strong Linux User Account Isolation
- Brute force protection by locking user accounts for 24 hours after 50 failed login attempts, hardened password encryption and password quality suggestions
User accounts are locked after 50 failed login attempts using pam_faillock. (security-misc readme)
- Developer documentation: Bruteforcing Linux User Account Passwords Protection
- User documentation: Default Passwords and Passwords
- Installing usbguard and providing ujust commands to automatically configure it
USBGuard is installed by default in Kicksecure.
- Installing bubblejail for additional sandboxing tooling
bubblewrap is installed by default in Kicksecure. Installing sandboxing tools by default, however, does not increase security unless the user actually uses them. TODO Kicksecure: sandbox-app-launcher / vm-app-manager
- Set opportunistic DNSSEC and DNSOverTLS for systemd-resolved
Kicksecure does not use systemd-resolved by default due to systemd-resolved security issues, see Dev/systemd-resolved.
DNS security requires further development work. TODO Kicksecure: DNS Security / Use DNSCrypt by default in Kicksecure?
- Configure chronyd to use Network Time Security (NTS) [11]
Kicksecure uses sdwdate.
- Disable KDE GHNS by default [12]
Probably useful for secureblue but not essential for Kicksecure since it does not use KDE by default.
user documentation: Other Desktop Environments
- Disable install & usage of GNOME user extensions by default
Probably useful for secureblue but not essential for Kicksecure since it does not use GNOME by default.
user documentation: Other Desktop Environments
- Use HTTPS for all RPM mirrors
Kicksecure uses tor+https for APT as configured in anon-apt-sources-list and documented on the About wiki page.
- Set all default container policies to reject, signedBy, or sigstoreSigned
Not applicable to Kicksecure since it is not a container focused operating system at time of writing. Probably useful for secureblue if using container images.
- Disable a variety of services by default (including cups, geoclue, passim, and others)
Kicksecure does not install these by default and comes with Application-specific hardening.
- Removal of the unmaintained and suid-root fuse2 by default
Kicksecure has SUID Disabler and Permission Hardener.
capabilities
- Remove SUID-root from numerous binaries and replace functionality using capabilities
Kicksecure has SUID Disabler and Permission Hardener. As for capabilities, these can be useful but adding capabilities can also increase attack surface.
set_caps_if_present "cap_dac_read_search,cap_audit_write=ep" "/usr/bin/chage"
Kicksecure prefers not re-adding capabilities for chage.
These tools are probably not used much nowadays on single-user Linux desktop computers. If you need any of this, you are better off using root.
chage (man page: change user password expiry information). See Kicksecure, SUID Disabler and Permission Hardener, chapter SUID SGID Hardening Issues.
No user has reported yet that they need the ability to use chage. For the benefit of security hardening, chage remains non-functional in Kicksecure (lower attack surface) for non-root user.
set_caps_if_present "cap_chown,cap_dac_override,cap_fowner,cap_audit_write=ep" "/usr/bin/chfn"
Same as above.
set_caps_if_present "cap_dac_read_search,cap_audit_write=ep" "/usr/sbin/unix_chkpwd"
Same as above.
cap_dac_read_search is dangerous. Quote from capabilities(7):
"CAP_DAC_READ_SEARCH: Bypass file read permission checks and directory read and execute permission checks;" https://man7.org/linux/man-pages/man7/capabilities.7.html
set_caps_if_present "cap_dac_read_search=ep" "/usr/libexec/openssh/ssh-keysign"
TODO: Kicksecure: While cap_dac_read_search is still dangerous, it's better than SUID.
set_caps_if_present "cap_sys_admin=ep" "/usr/bin/fusermount3"
- Kicksecure whitelists fusermount SUID, which is dangerous. (Optional user opt-in: Disable All SUID Binaries.) When using Dev/user-sysmaint-split, fusermount is only accessible during the sysmaint session by account sysmaint.
- secureblue sets cap_sys_admin for fusermount, which is dangerous. See CAP_SYS_ADMIN: the new root.
- Most other Linux desktop distributions: neither SUID nor capabilities hardening.
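As an added example (not code from secureblue or Kicksecure), the following POSIX shell helper shows the check a defender would run after either approach: it lists SUID-root binaries under a root and flags file capabilities in getcap output that this page calls out as dangerous. The DANGEROUS_CAPS list, the function names and the sample getcap lines are constructed for illustration.

```shell
#!/bin/sh
# Hypothetical audit helper (not from secureblue or Kicksecure): enumerate
# SUID-root binaries and flag file capabilities this page calls out as risky.

# Capabilities the comparison above treats as dangerous when granted to a
# file: cap_sys_admin ("the new root"), cap_dac_read_search (bypasses read
# checks) and the chfn set (cap_chown, cap_dac_override, cap_fowner).
DANGEROUS_CAPS='cap_sys_admin cap_dac_read_search cap_dac_override cap_chown cap_fowner'

# list_suid ROOT: regular files with the setuid bit under ROOT (default /),
# staying on one filesystem; the raw material for an allowlist review.
list_suid() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null | sort
}

# flag_caps: read getcap output on stdin, in the current "PATH cap_a,cap_b=ep"
# form or the older "PATH = cap_a,cap_b+ep" form, and print "PATH<TAB>CAP"
# for every capability listed in DANGEROUS_CAPS.
flag_caps() {
    while IFS= read -r line; do
        case $line in *' '*) ;; *) continue ;; esac   # skip malformed lines
        path=${line%% *}          # first word is the file path
        caps=${line#* }           # remainder is the capability string
        caps=${caps#= }           # drop the "= " of the older format
        caps=${caps%%[=+]*}       # drop the flag suffix (=ep / +ep)
        for c in $(printf '%s' "$caps" | tr ',' ' '); do
            for d in $DANGEROUS_CAPS; do
                if [ "$c" = "$d" ]; then printf '%s\t%s\n' "$path" "$c"; fi
            done
        done
    done
}

# audit_sample: flag_caps over constructed getcap lines mirroring the
# set_caps_if_present entries quoted above; ping is a benign control case.
audit_sample() {
    printf '%s\n' \
        '/usr/bin/fusermount3 cap_sys_admin=ep' \
        '/usr/bin/chage cap_dac_read_search,cap_audit_write=ep' \
        '/usr/bin/ping cap_net_raw=ep' | flag_caps
}

# Live audit of the running system (read-only):
#   list_suid /; getcap -r / 2>/dev/null | flag_caps
```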
Unprivileged User Namespaces
Disabling unprivileged user namespaces by default for the unconfined domain and the container domain
This is probably useful.
Quote, Kicksecure Unprivileged User Namespace wiki page:
"Without this security hardening, all locally running applications could use user namespaces (userns) and attempt to exploit them for user-to-root escalation. With this hardening, userns usage is restricted to specific applications such as Chromium that explicitly require it."
Quote, secureblue documentation on SELinux-based USERNS restrictions:
"Since user namespaces are now restricted via selinux, we no longer need separate userns images."
Separate userns enabled versus userns disabled images or a corresponding setting would still be useful. Quote, Kicksecure Unprivileged User Namespace wiki page:
"However, even with all of this hardening in place, as described in Chrome sandbox escape, if the browser gets exploited, the browser is allowed to use userns and the system remains vulnerable to userns-based attacks. Given that browsers are evolving into operating systems where users do almost everything, the effective security gain from these measures is not as significant as it might seem. Nowadays, Java isn't the "write once, run anywhere" framework we all rely on. The browser is. Therefore, completely disabling user namespaces using user.max_user_namespaces=0 is the safer setting."
sudoless
The term "sudoless" can be confusing. See also definition of "sudoless".
Quote, secureblue release announcement "v4.2.0 - secureblue goes sudoless!":
"In a continuing effort to minimize and eventually eliminate suid-root binaries, sudo, su, and pkexec have all been removed from the images. As noted at the end of this section of the postinstall readme, polkit prompts and manual polkit invocations via run0 can be used to accomplish the same functionality without suid-root, notably even for non-wheel users (by prompting for the wheel user's password). In addition, suid-root has been removed from numerous other binaries that don't require it."
Kicksecure does not use run0 at time of writing due to security concerns. Quote, Kicksecure developer Aaron Rainbolt, forum post:
"It's larger than doas. Way larger. run0 (really systemd-run) is 2642 lines long (including newlines and whatnot), and is heavily tied into the systemd codebase, which is about 1.3 million lines of C code. It's unclear how much of that could be used to exploit run0, but some of it quite possibly can. doas on the other hand is relatively isolated (the only library it uses beyond the C standard library is PAM), and is only 1,850 lines long. Ergo, less attack surface."
Instead, Kicksecure has user-sysmaint-split (Role-Based Boot Modes for Enhanced Security), where privilege escalation tools such as sudo, su, and pkexec are non-executable by account user. These can only be used during the sysmaint session by account sysmaint.
See Also
Discussions
For reference only.
- https://github.com/secureblue/secureblue/issues/67
- https://github.com/secureblue/secureblue/pull/90
- https://github.com/secureblue/secureblue/issues/173
- https://github.com/secureblue/secureblue/issues/814 (security-misc licensing discussion (keyword: legal))
Footnotes
1. Thanks to rusty-snake's spec
2. Why chromium?
3. Why not flatpak chromium?
4. details
5. forum post
6. forum post
7. details
8. For example, if secureblue does not provide an ISO with squashfs, then secureblue can disable the module:
   install squashfs /bin/false
9. details
10. why?
11. using chrony config from GrapheneOS
12. why?