SecureBlue: is it really secure?

Privacy Guides Community [Unofficial] February 25, 2026

secureblue is for those whose first priority is using Linux, and second priority is security. secureblue does not claim to be the most secure option available on the desktop. We are limited in that regard by the current state of desktop Linux standardization, tooling, and upstream security development. What we aim for instead is to be the most secure option for those who already intend to use Linux. As such, if security is your first priority, secureblue may not be the best option for you.

SecureBlue has many hardening features enabled by default, compared to a traditional Linux distro where we need to tweak everything manually to harden the system.

It has some cons I would like to point out so that beginners can understand its limitations.

  1. If your CPU is vulnerable to SMT, then half your CPU cores will be gone because SMT is disabled on vulnerable CPUs. It’s a security feature, but you can remove this option if your threat model doesn’t need this much.

  2. SecureBlue does not come with a custom hardened kernel with hardened patches applied; it only provides the distro kernel. But they mentioned, “In the future, we plan to build our own kernel with patches on top of Fedora’s kernel, including the OpenPAX patches”. Hardening the kernel is very important because it's the core: if the kernel is compromised, an attacker gains full system control.

  3. By default, your Linux user is unconfined in SecureBlue. Malware or compromised user sessions can freely access personal files and configuration data, and potentially escalate privileges. Choosing an unconfined user is a deliberate choice, because switching to a confined user breaks things if you are on a DE, but that's not the case if you are using a WM. Let's say you switched from the unconfined_r to the user_r role (SELinux role) for the user alice. Now alice does not have sudo access, by design. Even if malware infects the alice user, it won’t affect the rest of the system; the malware can only do things that alice can do in the system, like opening a browser or watching videos, doing general stuff and nothing more than that. That’s why confining the user is very important: it will protect your system even on compromise. You don’t need to write SELinux policies for general desktop usage at all; just confine your SELinux user, and it gives you a secure environment for your personal desktop.

  4. There is no minimal installation ISO at all. If you really want a hardened system, you should keep your system minimal and install only the essential packages you need. secureblue has three desktop variants, GNOME, KDE and Sway; even for the lightweight WM Sway, the ISO size is 4.4 GB.

SecureBlue is doing amazing work enabling many hardening features, and I genuinely appreciate their work. I am not here to criticize their work; instead, I want people to understand these limitations. There is no 100% secure distro at all. Instead of relying on distros like secureblue or Kicksecure to protect our system, we need to learn how to secure our system manually ourselves. You can slowly learn one thing at a time; there will come a day when it really pays off.
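
An added example, not part of the original post or of secureblue's own tooling: a shell audit of the login table printed by semanage login -l, reporting which accounts still resolve to unconfined_u as described in item 3. The sample table is constructed, and treating user_u as the SELinux user that carries the user_r role assumes the Fedora targeted policy.

```shell
#!/bin/sh
# Added example: audit which accounts log in as an unconfined SELinux user.
# Input format: the table printed by `semanage login -l` (run as root).

# Constructed sample table, not captured from a real secureblue system.
sample_logins() {
cat <<'EOF'

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
alice                user_u               s0                   *
bob                  staff_u              s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
EOF
}

# selinux_user_for LOGIN: read the table on stdin and print the SELinux user
# the login resolves to. Accounts without their own row inherit __default__.
# Group rows (%group) are not resolved here.
selinux_user_for() {
    awk -v who="$1" '
        NF < 2 || ($1 == "Login" && $2 == "Name") { next }
        $1 == who           { hit = $2 }
        $1 == "__default__" { def = $2 }
        END { print (hit != "" ? hit : def) }
    '
}

# audit_login LOGIN: return 0 if confined, 1 if unconfined, 2 if unknown.
audit_login() {
    seuser=$(selinux_user_for "$1")
    case "$seuser" in
        unconfined_u) echo "$1: UNCONFINED ($seuser)"; return 1 ;;
        "")           echo "$1: no mapping found";      return 2 ;;
        *)            echo "$1: confined ($seuser)";    return 0 ;;
    esac
}

# carol has no row of her own, so she inherits the unconfined default.
for u in alice bob carol root; do
    sample_logins | audit_login "$u" || true
done
# On a live system (assumption: policycoreutils tools installed):
#   semanage login -l | audit_login alice
```

An account with no explicit row is the case to watch: it silently inherits the __default__ mapping, so confining one user does not confine accounts created later.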
