matt/patronageos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

hardened malloc. networking + firewall. json based config.

Browse Source
This commit is contained in:
matt
2026-02-08 12:36:23 -07:00
parent cdb972579a
commit 2770dfc964
46 changed files with 1443 additions and 138 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
config/apply_initial_host_configuration.sh Normal file
View File

@@ -0,0 +1,54 @@
#!/bin/bash
set -e
set -x
echo 'initial configuration'
# Parse the JSON file
while IFS="=" read -r key value; do
declare "$key=$value"
done < <(jq -r 'to_entries|map("\(.key)=\(.value|tostring)")|.[]' config.json)
echo "$hostname" > /etc/hostname
echo "127.0.0.1 $hostname"> /etc/hosts
echo "$timezone" > /etc/timezone
ln -sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
# Set the root password
echo "root:$root_password" | chpasswd
#set additional profile options.
jq --compact-output -r '.profile[]' config.json | while read -r line; do
echo "$line" >> /etc/profile
done
echo "export PATH=$PATH:/usr/local/go/bin" >> /etc/profile
#set default shell to bash.
sed -i 's|^SHELL=.*|SHELL=/bin/bash|' /etc/default/useradd
user_mod() {
echo "$1"
username=$(echo "$1" | jq -r '.username')
password=$(echo "$1" | jq -r '.password')
# Create user
if getent passwd "$username" >/dev/null 2>&1; then
echo "User already exists"
else
useradd -m "$username"
fi
# Set password
echo "$username:$password" | chpasswd
# Add to sudo group
usermod -aG sudo "$username"
}
jq --compact-output -r '.users[]' config.json | while read -r line; do
user_mod "$line"
done
echo "Configuration applied."
rm /config.json
rm /apply_initial_host_configuration.sh
rm /filesystem_chroot_install.sh

28
config/config.json Normal file
View File

@@ -0,0 +1,28 @@
{
"hostname": "linuxhost",
"timezone": "America/Denver",
"root_password": "password",
"locale":"en_US.UTF-8",
"users": [
{
"username": "user1",
"password": "password1"
},
{
"username": "user2",
"password": "password2"
}
],
"packages": [
"htop",
"git",
"ffmpeg",
"vlc",
"pciutils",
"usbutils"
],
"profile":[],
"allowed_dns":[],
"allowed_host":[]
}

2
config/container_cmd.sh
View File

@@ -7,3 +7,5 @@ cat ./.config | python3 /update_kernel_make_config.py --file /linux/kernel_optio
cat ./.config | python3 /update_kernel_make_config.py --file /linux/kernel_options.json > ./.config
/usr/bin/make olddefconfig
/usr/bin/make -j ${cores}
mkdir -p /linux/modules
/usr/bin/make modules_install INSTALL_MOD_PATH=/linux/modules

55
config/filesystem_chroot_install.sh
View File

@@ -1,51 +1,54 @@
#add sources list for noble.
#add sources list for questing.
set -e
set -x
echo "deb https://archive.ubuntu.com/ubuntu questing main restricted universe multiverse" > /etc/apt/sources.list
echo "deb https://archive.ubuntu.com/ubuntu questing-updates main restricted universe multiverse" >> /etc/apt/sources.list
echo "deb https://archive.ubuntu.com/ubuntu questing-backports main restricted universe multiverse" >> /etc/apt/sources.list
echo "deb https://security.ubuntu.com/ubuntu questing-security main restricted universe multiverse" >> /etc/apt/sources.list
apt update
apt upgrade -y
#set locale
locale-gen "en_US.UTF-8"
echo "LANG=en_US.UTF-8" > /etc/default/locale
apt install -y jq bubblewrap curl make build-essential git libselinux1 iptables nftables libnetfilter-queue-dev
#install base system packages
apt install -y --install-recommends --install-suggests --reinstall systemd
apt install -y --no-install-recommends gnome-core
apt install -y git curl flatpak systemd-resolved ufw nano htop ipset lm-sensors net-tools iputils-ping fish python3-bpfcc python3-pip bpfcc-tools gnome-shell-extension-ubuntu-dock gnome-shell-extension-ubuntu-tiling-assistant ffmpeg vlc pciutils usbutils
apt install -y --install-recommends --install-suggests systemd
apt install -y vanilla-gnome-desktop vanilla-gnome-default-settings gdm3 gnome-shell-extension-appindicator gnome-shell-extension-ubuntu-dock gnome-shell-extension-ubuntu-tiling-assistant
apt install -y rlwrap dnsutils systemd-resolved ufw nano htop ipset lm-sensors net-tools iputils-ping python3-pip keepassxc ufw opensnitch
#install python systemwide
pip install --break-system-packages dnslib psutil
#install packages from config
jq -r '.packages | .[]' config.json | while read -r item; do
apt install -y "$item"
done
#set locale
locale=$(jq -r '.locale' config.json)
echo "$locale"
locale-gen "$locale"
echo "LANG=$locale" > /etc/default/locale
#add setuid for some applications
chmod u+s /usr/bin/bwrap
chmod u+s /usr/bin/ping
#disable setup screen config
mkdir -p ~/.config
touch ~/.config/gnome-initial-setup-done
#enable services
systemctl enable systemd-resolved
systemctl enable systemd-networkd
systemctl enable mem-alloc
#ui changes
gsettings set org.gnome.desktop.interface color-scheme 'prefer-dark'
#run echo "permit persist :sudo as root" >> /etc/doas.conf
#create the default user
useradd -m -s /bin/bash ubuntu
usermod -a -G sudo ubuntu
yes defaultpass | passwd ubuntu
#install flatpak apps
flatpak remote-add flathub https://dl.flathub.org/repo/flathub.flatpakrepo
flatpak install --system --noninteractive flathub org.keepassxc.KeePassXC
#firewall enable (inbound block)
ufw enable
#install brave browser
curl -fsSLo /usr/share/keyrings/brave-browser-archive-keyring.gpg https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg
curl -fsSLo /etc/apt/sources.list.d/brave-browser-release.sources https://brave-browser-apt-release.s3.brave.com/brave-browser.sources
apt update
apt install -y brave-browser
#configure permissions for opensnitch firewall
rsync -a /usr/src/opensnitchd/ /etc/opensnitchd/
chown -R root:root /etc/opensnitchd/
chmod 777 /etc/opensnitchd/settings.conf

210
config/kernel_options.json
View File

@@ -1,4 +1,6 @@
{
"CONFIG_IKCONFIG":"y",
"CONFIG_IKCONFIG_PROC":"y",
"CONFIG_104_QUAD_8": "m",
"CONFIG_60XX_WDT": "m",
"CONFIG_64BIT": "y",
@@ -2908,6 +2910,8 @@
"CONFIG_HDC100X": "m",
"CONFIG_HDC2010": "m",
"CONFIG_HDC3020": "m",
"CONFIG_BPF_SUPPORT_RAW_CT":"y",
"CONFIG_NFT_DNS":"y",
"CONFIG_HDLC": "m",
"CONFIG_HDLC_CISCO": "m",
"CONFIG_HDLC_FR": "m",
@@ -3641,6 +3645,7 @@
"CONFIG_IO_URING": "y",
"CONFIG_IO_WQ": "y",
"CONFIG_IP5XXX_POWER": "m",
"CONFIG_IP6_NF_QUEUE": "m",
"CONFIG_IP6_NF_FILTER": "m",
"CONFIG_IP6_NF_IPTABLES": "m",
"CONFIG_IP6_NF_IPTABLES_LEGACY": "m",
@@ -3750,11 +3755,12 @@
"CONFIG_IP_ROUTE_MULTIPATH": "y",
"CONFIG_IP_ROUTE_VERBOSE": "y",
"CONFIG_IP_SCTP": "m",
"CONFIG_IP_SET": "m",
"CONFIG_IP_SET": "y",
"CONFIG_IP_FILTER": "m",
"CONFIG_IP_SET_BITMAP_IP": "m",
"CONFIG_IP_SET_BITMAP_IPMAC": "m",
"CONFIG_IP_SET_BITMAP_PORT": "m",
"CONFIG_IP_SET_HASH_IP": "m",
"CONFIG_IP_SET_HASH_IP": "y",
"CONFIG_IP_SET_HASH_IPMAC": "m",
"CONFIG_IP_SET_HASH_IPMARK": "m",
"CONFIG_IP_SET_HASH_IPPORT": "m",
@@ -4961,97 +4967,99 @@
"CONFIG_NETFILTER": "y",
"CONFIG_NETFILTER_ADVANCED": "y",
"CONFIG_NETFILTER_BPF_LINK": "y",
"CONFIG_NETFILTER_CONNCOUNT": "m",
"CONFIG_NETFILTER_CONNCOUNT": "y",
"CONFIG_NETFILTER_EGRESS": "y",
"CONFIG_NETFILTER_FAMILY_ARP": "y",
"CONFIG_NETFILTER_FAMILY_BRIDGE": "y",
"CONFIG_NETFILTER_INGRESS": "y",
"CONFIG_NETFILTER_NETLINK": "m",
"CONFIG_NETFILTER_NETLINK_ACCT": "m",
"CONFIG_NETFILTER_NETLINK": "y",
"CONFIG_NETFILTER_NETLINK_ACCT": "y",
"CONFIG_NETFILTER_NETLINK_GLUE_CT": "y",
"CONFIG_NETFILTER_NETLINK_HOOK": "m",
"CONFIG_NETFILTER_NETLINK_LOG": "m",
"CONFIG_NETFILTER_NETLINK_OSF": "m",
"CONFIG_NETFILTER_NETLINK_QUEUE": "m",
"CONFIG_NETFILTER_NETLINK_HOOK": "y",
"CONFIG_NETFILTER_NETLINK_LOG": "y",
"CONFIG_NETFILTER_NETLINK_OSF": "y",
"CONFIG_NETFILTER_NETLINK_QUEUE": "y",
"CONFIG_NETFILTER_SKIP_EGRESS": "y",
"CONFIG_NETFILTER_SYNPROXY": "m",
"CONFIG_NETFILTER_XTABLES": "m",
"CONFIG_NETFILTER_SYNPROXY": "y",
"CONFIG_NETFILTER_XTABLES": "y",
"CONFIG_NETFILTER_XTABLES_COMPAT": "y",
"CONFIG_NETFILTER_XT_CONNMARK": "m",
"CONFIG_NETFILTER_XT_MARK": "m",
"CONFIG_NETFILTER_XT_MATCH_ADDRTYPE": "m",
"CONFIG_NETFILTER_XT_MATCH_BPF": "m",
"CONFIG_NETFILTER_XT_MATCH_CGROUP": "m",
"CONFIG_NETFILTER_XT_CONNMARK": "y",
"CONFIG_NETFILTER_XT_MARK": "y",
"CONFIG_NETFILTER_XT_MATCH_ADDRTYPE": "y",
"CONFIG_NETFILTER_XT_MATCH_BPF": "y",
"CONFIG_NETFILTER_XT_MATCH_CGROUP": "y",
"CONFIG_NETFILTER_XT_MATCH_CLUSTER": "m",
"CONFIG_NETFILTER_XT_MATCH_COMMENT": "m",
"CONFIG_NETFILTER_XT_MATCH_CONNBYTES": "m",
"CONFIG_NETFILTER_XT_MATCH_CONNLABEL": "m",
"CONFIG_NETFILTER_XT_MATCH_CONNLIMIT": "m",
"CONFIG_NETFILTER_XT_MATCH_CONNMARK": "m",
"CONFIG_NETFILTER_XT_MATCH_CONNTRACK": "m",
"CONFIG_NETFILTER_XT_MATCH_COMMENT": "y",
"CONFIG_NETFILTER_XT_MATCH_CONNBYTES": "y",
"CONFIG_NETFILTER_XT_MATCH_CONNLABEL": "y",
"CONFIG_NETFILTER_XT_MATCH_CONNLIMIT": "y",
"CONFIG_NETFILTER_XT_MATCH_CONNMARK": "y",
"CONFIG_NETFILTER_XT_MATCH_CONNTRACK": "y",
"CONFIG_NETFILTER_XT_MATCH_CPU": "m",
"CONFIG_NETFILTER_XT_MATCH_DCCP": "m",
"CONFIG_NETFILTER_XT_MATCH_DEVGROUP": "m",
"CONFIG_NETFILTER_XT_MATCH_DSCP": "m",
"CONFIG_NETFILTER_XT_MATCH_ECN": "m",
"CONFIG_NETFILTER_XT_MATCH_ESP": "m",
"CONFIG_NETFILTER_XT_MATCH_HASHLIMIT": "m",
"CONFIG_NETFILTER_XT_MATCH_HELPER": "m",
"CONFIG_NETFILTER_XT_MATCH_HL": "m",
"CONFIG_NETFILTER_XT_MATCH_IPCOMP": "m",
"CONFIG_NETFILTER_XT_MATCH_IPRANGE": "m",
"CONFIG_NETFILTER_XT_MATCH_IPVS": "m",
"CONFIG_NETFILTER_XT_MATCH_L2TP": "m",
"CONFIG_NETFILTER_XT_MATCH_LENGTH": "m",
"CONFIG_NETFILTER_XT_MATCH_LIMIT": "m",
"CONFIG_NETFILTER_XT_MATCH_MAC": "m",
"CONFIG_NETFILTER_XT_MATCH_MARK": "m",
"CONFIG_NETFILTER_XT_MATCH_MULTIPORT": "m",
"CONFIG_NETFILTER_XT_MATCH_NFACCT": "m",
"CONFIG_NETFILTER_XT_MATCH_OSF": "m",
"CONFIG_NETFILTER_XT_MATCH_OWNER": "m",
"CONFIG_NETFILTER_XT_MATCH_PHYSDEV": "m",
"CONFIG_NETFILTER_XT_MATCH_PKTTYPE": "m",
"CONFIG_NETFILTER_XT_MATCH_POLICY": "m",
"CONFIG_NETFILTER_XT_MATCH_QUOTA": "m",
"CONFIG_NETFILTER_XT_MATCH_RATEEST": "m",
"CONFIG_NETFILTER_XT_MATCH_REALM": "m",
"CONFIG_NETFILTER_XT_MATCH_RECENT": "m",
"CONFIG_NETFILTER_XT_MATCH_SCTP": "m",
"CONFIG_NETFILTER_XT_MATCH_SOCKET": "m",
"CONFIG_NETFILTER_XT_MATCH_STATE": "m",
"CONFIG_NETFILTER_XT_MATCH_STATISTIC": "m",
"CONFIG_NETFILTER_XT_MATCH_STRING": "m",
"CONFIG_NETFILTER_XT_MATCH_TCPMSS": "m",
"CONFIG_NETFILTER_XT_MATCH_TIME": "m",
"CONFIG_NETFILTER_XT_MATCH_U32": "m",
"CONFIG_NETFILTER_XT_NAT": "m",
"CONFIG_NETFILTER_XT_SET": "m",
"CONFIG_NETFILTER_XT_TARGET_AUDIT": "m",
"CONFIG_NETFILTER_XT_TARGET_CHECKSUM": "m",
"CONFIG_NETFILTER_XT_TARGET_CLASSIFY": "m",
"CONFIG_NETFILTER_XT_TARGET_CONNMARK": "m",
"CONFIG_NETFILTER_XT_TARGET_CONNSECMARK": "m",
"CONFIG_NETFILTER_XT_TARGET_CT": "m",
"CONFIG_NETFILTER_XT_TARGET_DSCP": "m",
"CONFIG_NETFILTER_XT_TARGET_HL": "m",
"CONFIG_NETFILTER_XT_TARGET_HMARK": "m",
"CONFIG_NETFILTER_XT_TARGET_IDLETIMER": "m",
"CONFIG_NETFILTER_XT_TARGET_LED": "m",
"CONFIG_NETFILTER_XT_TARGET_LOG": "m",
"CONFIG_NETFILTER_XT_TARGET_MARK": "m",
"CONFIG_NETFILTER_XT_TARGET_MASQUERADE": "m",
"CONFIG_NETFILTER_XT_TARGET_NETMAP": "m",
"CONFIG_NETFILTER_XT_TARGET_NFLOG": "m",
"CONFIG_NETFILTER_XT_TARGET_NFQUEUE": "m",
"CONFIG_NETFILTER_XT_TARGET_RATEEST": "m",
"CONFIG_NETFILTER_XT_TARGET_REDIRECT": "m",
"CONFIG_NETFILTER_XT_TARGET_SECMARK": "m",
"CONFIG_NETFILTER_XT_TARGET_TCPMSS": "m",
"CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP": "m",
"CONFIG_NETFILTER_XT_TARGET_TEE": "m",
"CONFIG_NETFILTER_XT_TARGET_TPROXY": "m",
"CONFIG_NETFILTER_XT_TARGET_TRACE": "m",
"CONFIG_NETFILTER_XT_MATCH_DCCP": "y",
"CONFIG_NETFILTER_XT_MATCH_DEVGROUP": "y",
"CONFIG_NETFILTER_XT_MATCH_DSCP": "y",
"CONFIG_NETFILTER_XT_MATCH_ECN": "y",
"CONFIG_NETFILTER_XT_MATCH_ESP": "y",
"CONFIG_NETFILTER_XT_MATCH_HASHLIMIT": "y",
"CONFIG_NETFILTER_XT_MATCH_HELPER": "y",
"CONFIG_NETFILTER_XT_MATCH_HL": "y",
"CONFIG_NETFILTER_XT_MATCH_IPCOMP": "y",
"CONFIG_NETFILTER_XT_MATCH_IPRANGE": "y",
"CONFIG_NETFILTER_XT_MATCH_IPVS": "y",
"CONFIG_NETFILTER_XT_MATCH_L2TP": "y",
"CONFIG_NETFILTER_XT_MATCH_LENGTH": "y",
"CONFIG_NETFILTER_XT_MATCH_LIMIT": "y",
"CONFIG_NETFILTER_XT_MATCH_MAC": "y",
"CONFIG_NETFILTER_XT_MATCH_MARK": "y",
"CONFIG_NETFILTER_XT_MATCH_MULTIPORT": "y",
"CONFIG_NETFILTER_XT_MATCH_NFACCT": "y",
"CONFIG_NETFILTER_XT_MATCH_OSF": "y",
"CONFIG_NETFILTER_XT_MATCH_OWNER": "y",
"CONFIG_NETFILTER_XT_MATCH_PHYSDEV": "y",
"CONFIG_NETFILTER_XT_MATCH_PKTTYPE": "y",
"CONFIG_NETFILTER_XT_MATCH_POLICY": "y",
"CONFIG_NETFILTER_XT_MATCH_QUOTA": "y",
"CONFIG_NETFILTER_XT_MATCH_RATEEST": "y",
"CONFIG_NETFILTER_XT_MATCH_REALM": "y",
"CONFIG_NETFILTER_XT_MATCH_RECENT": "y",
"CONFIG_NETFILTER_XT_MATCH_SCTP": "y",
"CONFIG_NETFILTER_XT_MATCH_SOCKET": "y",
"CONFIG_NETFILTER_XT_MATCH_STATE": "y",
"CONFIG_NETFILTER_XT_MATCH_STATISTIC": "y",
"CONFIG_NETFILTER_XT_MATCH_STRING": "y",
"CONFIG_NETFILTER_XT_MATCH_TCPMSS": "y",
"CONFIG_NETFILTER_XT_MATCH_TIME": "y",
"CONFIG_NETFILTER_XT_MATCH_U32": "y",
"CONFIG_NETFILTER_XT_NAT": "y",
"CONFIG_NETFILTER_XT_SET": "y",
"CONFIG_NETFILTER_XT_TARGET_BPF": "y",
"CONFIG_NETFILTER_XT_TARGET_AUDIT": "y",
"CONFIG_NETFILTER_XT_TARGET_CHECKSUM": "y",
"CONFIG_NETFILTER_XT_TARGET_CLASSIFY": "y",
"CONFIG_NETFILTER_XT_TARGET_CONNMARK": "y",
"CONFIG_NETFILTER_XT_TARGET_CONNSECMARK": "y",
"CONFIG_NETFILTER_XT_TARGET_CT": "y",
"CONFIG_NETFILTER_XT_TARGET_DSCP": "y",
"CONFIG_NETFILTER_XT_TARGET_HL": "y",
"CONFIG_NETFILTER_XT_TARGET_HMARK": "y",
"CONFIG_NETFILTER_XT_TARGET_IDLETIMER": "y",
"CONFIG_NETFILTER_XT_TARGET_LED": "y",
"CONFIG_NETFILTER_XT_TARGET_LOG": "y",
"CONFIG_NETFILTER_XT_TARGET_MARK": "y",
"CONFIG_NETFILTER_XT_TARGET_MASQUERADE": "y",
"CONFIG_NETFILTER_XT_TARGET_NETMAP": "y",
"CONFIG_NETFILTER_XT_TARGET_NFLOG": "y",
"CONFIG_NETFILTER_XT_TARGET_NFQUEUE": "y",
"CONFIG_NETFILTER_XT_TARGET_NFQ": "y",
"CONFIG_NETFILTER_XT_TARGET_RATEEST": "y",
"CONFIG_NETFILTER_XT_TARGET_REDIRECT": "y",
"CONFIG_NETFILTER_XT_TARGET_SECMARK": "y",
"CONFIG_NETFILTER_XT_TARGET_TCPMSS": "y",
"CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP": "y",
"CONFIG_NETFILTER_XT_TARGET_TEE": "y",
"CONFIG_NETFILTER_XT_TARGET_TPROXY": "y",
"CONFIG_NETFILTER_XT_TARGET_TRACE": "y",
"CONFIG_NETFS_DEBUG": "y",
"CONFIG_NETFS_STATS": "y",
"CONFIG_NETFS_SUPPORT": "m",
@@ -5418,17 +5426,18 @@
"CONFIG_NFT_QUEUE": "m",
"CONFIG_NFT_QUOTA": "m",
"CONFIG_NFT_REDIR": "m",
"CONFIG_NFT_REJECT": "m",
"CONFIG_NFT_REJECT_INET": "m",
"CONFIG_NFT_REJECT_IPV4": "m",
"CONFIG_NFT_REJECT_IPV6": "m",
"CONFIG_NFT_REJECT_NETDEV": "m",
"CONFIG_NFT_REJECT": "y",
"CONFIG_NFT_REJECT_INET": "y",
"CONFIG_NFT_REJECT_IPV4": "y",
"CONFIG_NFT_REJECT_IPV6": "y",
"CONFIG_NFT_REJECT_NETDEV": "y",
"CONFIG_NFT_SOCKET": "m",
"CONFIG_NFT_SYNPROXY": "m",
"CONFIG_NFT_TPROXY": "m",
"CONFIG_NFT_TUNNEL": "m",
"CONFIG_NFT_XFRM": "m",
"CONFIG_NF_CONNTRACK": "m",
"CONFIG_NFQ": "y",
"CONFIG_NF_CONNTRACK": "y",
"CONFIG_NF_CONNTRACK_AMANDA": "m",
"CONFIG_NF_CONNTRACK_BRIDGE": "m",
"CONFIG_NF_CONNTRACK_BROADCAST": "m",
@@ -5467,7 +5476,7 @@
"CONFIG_NF_LOG_IPV4": "m",
"CONFIG_NF_LOG_IPV6": "m",
"CONFIG_NF_LOG_SYSLOG": "m",
"CONFIG_NF_NAT": "m",
"CONFIG_NF_NAT": "y",
"CONFIG_NF_NAT_AMANDA": "m",
"CONFIG_NF_NAT_FTP": "m",
"CONFIG_NF_NAT_H323": "m",
@@ -5479,19 +5488,20 @@
"CONFIG_NF_NAT_SIP": "m",
"CONFIG_NF_NAT_SNMP_BASIC": "m",
"CONFIG_NF_NAT_TFTP": "m",
"CONFIG_NF_REJECT_IPV4": "m",
"CONFIG_NF_REJECT_IPV6": "m",
"CONFIG_NF_SOCKET_IPV4": "m",
"CONFIG_NF_SOCKET_IPV6": "m",
"CONFIG_NF_TABLES": "m",
"CONFIG_NF_TABLES_SET": "y",
"CONFIG_NF_REJECT_IPV4": "y",
"CONFIG_NF_REJECT_IPV6": "y",
"CONFIG_NF_SOCKET_IPV4": "y",
"CONFIG_NF_SOCKET_IPV6": "y",
"CONFIG_NF_TABLES": "y",
"CONFIG_NF_TABLES_ARP": "y",
"CONFIG_NF_TABLES_BRIDGE": "m",
"CONFIG_NF_TABLES_BRIDGE": "y",
"CONFIG_NF_TABLES_INET": "y",
"CONFIG_NF_TABLES_IPV4": "y",
"CONFIG_NF_TABLES_IPV6": "y",
"CONFIG_NF_TABLES_NETDEV": "y",
"CONFIG_NF_TPROXY_IPV4": "m",
"CONFIG_NF_TPROXY_IPV6": "m",
"CONFIG_NF_TPROXY_IPV4": "y",
"CONFIG_NF_TPROXY_IPV6": "y",
"CONFIG_NGBE": "m",
"CONFIG_NI903X_WDT": "m",
"CONFIG_NIC7018_WDT": "m",
@@ -9677,4 +9687,4 @@
"CONFIG_ZSWAP_COMPRESSOR_DEFAULT_LZO": "y",
"CONFIG_ZSWAP_SHRINKER_DEFAULT_ON": "y",
"CONFIG_ZSWAP_ZPOOL_DEFAULT_ZBUD": "y"
}
}

37
config/settings/opensnitch/default-config.json Executable file
View File

@@ -0,0 +1,37 @@
{
"Server": {
"Address": "unix:///tmp/osui.sock",
"LogFile": "/var/log/opensnitchd.log",
"Authentication": {
"Type": "simple",
"TLSOptions": {
"CACert": "",
"ServerCert": "",
"ClientCert": "",
"ClientKey": "",
"SkipVerify": false,
"ClientAuthType": "no-client-cert"
}
}
},
"DefaultAction": "deny",
"DefaultDuration": "once",
"InterceptUnknown": false,
"ProcMonitorMethod": "ebpf",
"LogLevel": 2,
"LogUTC": true,
"LogMicro": false,
"Firewall": "nftables",
"Rules": {
"Path": "/etc/opensnitchd/rules/"
},
"Stats": {
"MaxEvents": 150,
"MaxStats": 25,
"Workers": 6
},
"Internal": {
"GCPercent": 100,
"FlushConnsOnStart": false
}
}

26
config/settings/opensnitch/rules/allow-always-list-usr-changelog.json Executable file
View File

@@ -0,0 +1,26 @@
{
"created": "2026-01-28T11:11:49-07:00",
"updated": "2026-01-28T11:11:49-07:00",
"name": "allow-always-list-usr-changelog",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "changelogs.ubuntu.com",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}

33
config/settings/opensnitch/rules/allow-always-list-usr-dot.json Executable file
View File

@@ -0,0 +1,33 @@
{
"created": "2026-01-28T11:10:32-07:00",
"updated": "2026-01-28T11:10:32-07:00",
"name": "allow-always-list-usr-lib-systemd-systemd-resolved-853",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.port",
"data": "853",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/systemd/systemd-resolved",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}

47
config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-brave-browser-apt-release-s3-brave-com-443-42.json Executable file
View File

@@ -0,0 +1,47 @@
{
"created": "2026-01-28T11:12:09-07:00",
"updated": "2026-01-28T11:12:09-07:00",
"name": "allow-always-list-usr-lib-apt-methods-http-brave-browser-apt-release-s3-brave-com-443-42",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "brave-browser-apt-release.s3.brave.com",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "443",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "user.id",
"data": "42",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/apt/methods/http",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}

47
config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-brave-browser-apt-release-s3-brave-com-53-42.json Executable file
View File

@@ -0,0 +1,47 @@
{
"created": "2026-01-28T11:12:05-07:00",
"updated": "2026-01-28T11:12:05-07:00",
"name": "allow-always-list-usr-lib-apt-methods-http-brave-browser-apt-release-s3-brave-com-53-42",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "brave-browser-apt-release.s3.brave.com",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "53",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "user.id",
"data": "42",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/apt/methods/http",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}

47
config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-https-tcp-brave-browser-apt-release-s3-brave-com-53-42.json Executable file
View File

@@ -0,0 +1,47 @@
{
"created": "2026-01-28T11:13:04-07:00",
"updated": "2026-01-28T11:13:04-07:00",
"name": "allow-always-list-usr-lib-apt-methods-http-https-tcp-brave-browser-apt-release-s3-brave-com-53-42",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "_https._tcp.brave-browser-apt-release.s3.brave.com",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "53",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "user.id",
"data": "42",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/apt/methods/http",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}

47
config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-ubuntu-com-53-42.json Executable file
View File

@@ -0,0 +1,47 @@
{
"created": "2026-01-28T11:11:49-07:00",
"updated": "2026-01-28T11:11:49-07:00",
"name": "allow-always-list-usr-lib-apt-methods-http-ubuntu-com-53-42",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "^(|.*\\.)ubuntu\\.com$",
"type": "regexp",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "53",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "user.id",
"data": "42",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/apt/methods/http",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}

47
config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-ubuntu-com-80-42.json Executable file
View File

@@ -0,0 +1,47 @@
{
"created": "2026-01-28T11:11:57-07:00",
"updated": "2026-01-28T11:11:57-07:00",
"name": "allow-always-list-usr-lib-apt-methods-http-ubuntu-com-80-42",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "^(|.*\\.)ubuntu\\.com$",
"type": "regexp",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "80",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "user.id",
"data": "42",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/apt/methods/http",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}

40
config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-api-snapcraft-io-443.json Executable file
View File

@@ -0,0 +1,40 @@
{
"created": "2026-02-07T11:02:20-07:00",
"updated": "2026-02-07T11:02:20-07:00",
"name": "allow-always-list-usr-lib-snapd-snapd-api-snapcraft-io-443",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "api.snapcraft.io",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "443",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/snapd/snapd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}

40
config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-api-snapcraft-io-53.json Executable file
View File

@@ -0,0 +1,40 @@
{
"created": "2026-02-07T11:01:46-07:00",
"updated": "2026-02-07T11:01:46-07:00",
"name": "allow-always-list-usr-lib-snapd-snapd-api-snapcraft-io-53",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "api.snapcraft.io",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "53",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/snapd/snapd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}

40
config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-dashboard-snapcraft-io-443.json Executable file
View File

@@ -0,0 +1,40 @@
{
"created": "2026-02-07T11:02:56-07:00",
"updated": "2026-02-07T11:02:56-07:00",
"name": "allow-always-list-usr-lib-snapd-snapd-dashboard-snapcraft-io-443",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "dashboard.snapcraft.io",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "443",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/snapd/snapd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}

40
config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-dashboard-snapcraft-io-53.json Executable file
View File

@@ -0,0 +1,40 @@
{
"created": "2026-02-07T11:02:48-07:00",
"updated": "2026-02-07T11:02:48-07:00",
"name": "allow-always-list-usr-lib-snapd-snapd-dashboard-snapcraft-io-53",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "dashboard.snapcraft.io",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "53",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/snapd/snapd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}

40
config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-snapcraftcontent-com-443.json Executable file
View File

@@ -0,0 +1,40 @@
{
"created": "2026-02-07T11:02:38-07:00",
"updated": "2026-02-07T11:02:38-07:00",
"name": "allow-always-list-usr-lib-snapd-snapd-snapcraftcontent-com-443",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "^(|.*\\.)snapcraftcontent\\.com$",
"type": "regexp",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "443",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/snapd/snapd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}

40
config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-snapcraftcontent-com-53.json Executable file
View File

@@ -0,0 +1,40 @@
{
"created": "2026-02-07T11:02:28-07:00",
"updated": "2026-02-07T11:02:28-07:00",
"name": "allow-always-list-usr-lib-snapd-snapd-snapcraftcontent-com-53",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "^(|.*\\.)snapcraftcontent\\.com$",
"type": "regexp",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "53",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/snapd/snapd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}

40
config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-123.json Executable file
View File

@@ -0,0 +1,40 @@
{
"created": "2026-01-28T11:09:37-07:00",
"updated": "2026-01-28T11:09:37-07:00",
"name": "allow-always-list-usr-sbin-chronyd-123",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.port",
"data": "123",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "user.id",
"data": "102",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/sbin/chronyd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}

40
config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-4-ntp-ubuntu-com-53.json Executable file
View File

@@ -0,0 +1,40 @@
{
"created": "2026-01-31T00:30:23-07:00",
"updated": "2026-01-31T00:30:23-07:00",
"name": "allow-always-list-usr-sbin-chronyd-4-ntp-ubuntu-com-53",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "^(|.*\\.)ubuntu\\.com$",
"type": "regexp",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "53",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/sbin/chronyd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}

33
config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-4460.json Executable file
View File

@@ -0,0 +1,33 @@
{
"created": "2026-01-28T11:13:38-07:00",
"updated": "2026-01-28T11:13:38-07:00",
"name": "allow-always-list-usr-sbin-chronyd-4460",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.port",
"data": "4460",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/sbin/chronyd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}

40
config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-ntp-bootstrap-ubuntu-com-53.json Executable file
View File

@@ -0,0 +1,40 @@
{
"created": "2026-01-31T00:30:27-07:00",
"updated": "2026-01-31T00:30:27-07:00",
"name": "allow-always-list-usr-sbin-chronyd-ntp-bootstrap-ubuntu-com-53",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "ntp-bootstrap.ubuntu.com",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "53",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/sbin/chronyd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}

47
config/settings/opensnitch/rules/allow-always-list-usr-sbin-networkmanager-connectivity-check-ubuntu-com-80-0.json Executable file
View File

@@ -0,0 +1,47 @@
{
"created": "2026-01-28T11:12:41-07:00",
"updated": "2026-01-28T11:12:41-07:00",
"name": "allow-always-list-usr-sbin-networkmanager-connectivity-check-ubuntu-com-80-0",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "connectivity-check.ubuntu.com",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "80",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "user.id",
"data": "0",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/sbin/NetworkManager",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}

47
config/settings/opensnitch/rules/deny-always-list-opt-brave-com-brave-brave-224-0-0-251-5353-1000.json Executable file
View File

@@ -0,0 +1,47 @@
{
"created": "2026-02-01T16:52:56-07:00",
"updated": "2026-02-01T16:52:56-07:00",
"name": "deny-always-list-opt-brave-com-brave-brave-224-0-0-251-5353-1000",
"description": "",
"action": "deny",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.ip",
"data": "224.0.0.251",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "5353",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "user.id",
"data": "1000",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/opt/brave.com/brave/brave",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}

40
config/settings/opensnitch/rules/deny-always-list-opt-brave-com-brave-brave-239-255-255-250-1900.json Executable file
View File

@@ -0,0 +1,40 @@
{
"created": "2026-01-28T18:26:38-07:00",
"updated": "2026-01-28T18:26:38-07:00",
"name": "deny-always-list-opt-brave-com-brave-brave-239-255-255-250-1900",
"description": "",
"action": "deny",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.ip",
"data": "239.255.255.250",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "1900",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/opt/brave.com/brave/brave",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}

33
config/settings/opensnitch/rules/deny-always-list-usr-bin-python3-13-239-255-255-250.json Executable file
View File

@@ -0,0 +1,33 @@
{
"created": "2026-01-28T11:12:27-07:00",
"updated": "2026-01-28T11:12:27-07:00",
"name": "deny-always-list-usr-bin-python3-13-239-255-255-250",
"description": "",
"action": "deny",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.ip",
"data": "239.255.255.250",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/bin/python3.13",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}

47
config/settings/opensnitch/rules/deny-always-list-usr-libexec-colord-sane-239-255-255-250-3702-118.json Executable file
View File

@@ -0,0 +1,47 @@
{
"created": "2026-01-28T11:31:29-07:00",
"updated": "2026-01-28T11:31:29-07:00",
"name": "deny-always-list-usr-libexec-colord-sane-239-255-255-250-3702-118",
"description": "",
"action": "deny",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.ip",
"data": "239.255.255.250",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "3702",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "user.id",
"data": "118",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/libexec/colord-sane",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}

26
config/settings/opensnitch/rules/deny-always-list-usr-sbin-avahi-daemon-224-0-0-251-5353.json Executable file
View File

@@ -0,0 +1,26 @@
{
"created": "2026-01-28T11:08:56-07:00",
"updated": "2026-01-28T11:08:56-07:00",
"name": "deny-always-list-usr-sbin-avahi-daemon-224-0-0-251-5353",
"description": "",
"action": "deny",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "process.path",
"data": "/usr/sbin/avahi-daemon",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}

40
config/settings/opensnitch/rules/deny-always-list-usr-sbin-chronyd-3-ntp-ubuntu-com-53.json Executable file
View File

@@ -0,0 +1,40 @@
{
"created": "2026-01-28T11:33:02-07:00",
"updated": "2026-01-28T11:33:02-07:00",
"name": "deny-always-list-usr-sbin-chronyd-3-ntp-ubuntu-com-53",
"description": "",
"action": "deny",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "^(|.*\\.)ubuntu\\.com$",
"type": "regexp",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "53",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/sbin/chronyd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}

18
config/settings/opensnitch/rules/deny-always-simple-usr-geoclue.json Executable file
View File

@@ -0,0 +1,18 @@
{
"created": "2026-01-28T14:32:45-07:00",
"updated": "2026-01-28T14:32:45-07:00",
"name": "deny-always-simple-usr-geoclue",
"description": "",
"action": "deny",
"duration": "always",
"operator": {
"operand": "process.path",
"data": "/usr/libexec/geoclue",
"type": "simple",
"list": [],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}

18
config/settings/opensnitch/rules/deny-always-simple-usr-sbin-cups-browsed.json Executable file
View File

@@ -0,0 +1,18 @@
{
"created": "2026-01-28T14:32:45-07:00",
"updated": "2026-01-28T14:32:45-07:00",
"name": "deny-always-simple-usr-sbin-cups-browsed",
"description": "",
"action": "deny",
"duration": "always",
"operator": {
"operand": "process.path",
"data": "/usr/sbin/cups-browsed",
"type": "simple",
"list": [],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}

46
config/settings/opensnitch/settings.conf Executable file
View File

@@ -0,0 +1,46 @@
[General]
statsDialog=1
[database]
file=:memory:
max_days=1
purge_interval=5
purge_oldest=true
type=0
[global]
default_action=0
default_duration=6
default_ignore_rules=false
default_ignore_temporary_rules=0
default_popup_advanced=true
default_popup_advanced_dstip=true
default_popup_advanced_dstport=true
default_popup_advanced_uid=false
default_popup_position=0
default_target=0
default_timeout=30
disable_popups=false
[notifications]
enabled=true
type=0
[promptDialog]
geometry=@ByteArray(\x1\xd9\xd0\xcb\0\x3\0\0\0\0\x6\x93\0\0\x3\x86\0\0\b\x9a\0\0\x4\xde\0\0\x6\x93\0\0\x3\xab\0\0\b\x9a\0\0\x4\xde\0\0\0\0\0\0\0\0\xf\0\0\0\x6\x93\0\0\x3\xab\0\0\b\x9a\0\0\x4\xde)
[statsDialog]
general_columns_state=@ByteArray(\0\0\0\xff\0\0\0\0\0\0\0\x1\0\0\0\x1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x4o\0\0\0\a\0\x1\x1\x1\0\0\0\0\0\0\0\0\0\0\0\0\x64\xff\xff\xff\xff\0\0\0\x84\0\0\0\0\0\0\0\a\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\x1\x1\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\xf5\0\0\0\x1\0\0\0\0\0\0\0\xe9\0\0\0\x1\0\0\0\0\0\0\x3\xe8\0\0\0\0\x64)
general_filter_text=
general_limit_results=0
geometry=@ByteArray(\x1\xd9\xd0\xcb\0\x3\0\0\0\0\a\x84\0\0\x4&\0\0\f\b\0\0\a\xf7\0\0\a\x84\0\0\x4K\0\0\f\b\0\0\a\xf7\0\0\0\0\0\0\0\0\xf\0\0\0\a\x84\0\0\x4K\0\0\f\b\0\0\a\xf7)
last_tab=0
nodes_columns_state=@ByteArray(\0\0\0\xff\0\0\0\0\0\0\0\x1\0\0\0\x1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x5\x88\0\0\0\n\0\x1\x1\x1\0\0\0\0\0\0\0\0\x1\0\0\0\x64\xff\xff\xff\xff\0\0\0\x84\0\0\0\0\0\0\0\n\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0>\0\0\0\x1\0\0\0\x3\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\x2*\0\0\0\x1\0\0\0\0\0\0\x3\xe8\0\0\0\0\x64)
rules_columns_state=@ByteArray(\0\0\0\xff\0\0\0\0\0\0\0\x1\0\0\0\x1\xff\xff\xff\xff\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x4\x46\0\0\0\n\0\x1\x1\x1\0\0\0\0\0\0\0\0\0\0\0\0\x64\xff\xff\xff\xff\0\0\0\x84\0\0\0\0\0\0\0\n\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\xc2\0\0\0\x1\0\0\0\0\0\0\x3\xe8\0\0\0\0\x64)
rules_tree_0_expanded=false
rules_tree_1_expanded=false
show_columns=0, 1, 2, 3, 4, 5, 6
view_columns_state2=@ByteArray(\0\0\0\xff\0\0\0\0\0\0\0\x1\0\0\0\x1\xff\xff\xff\xff\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x4\xaa\0\0\0\v\0\x1\x1\x1\0\0\0\0\0\0\0\0\0\0\0\0\x64\xff\xff\xff\xff\0\0\0\x84\0\0\0\0\0\0\0\v\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\xc2\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\x3\xe8\0\0\0\0\x64)
view_columns_state4=@ByteArray(\0\0\0\xff\0\0\0\0\0\0\0\x1\0\0\0\x1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x3\xe2\0\0\0\x2\0\x1\x1\x1\0\0\0\0\0\0\0\0\x1\0\0\0\x64\xff\xff\xff\xff\0\0\0\x84\0\0\0\0\0\0\0\x2\0\0\x1\x64\0\0\0\x1\0\0\0\x3\0\0\x2~\0\0\0\x1\0\0\0\0\0\0\x3\xe8\0\0\0\0\x64)
view_details_columns_state0=@ByteArray(\0\0\0\xff\0\0\0\0\0\0\0\x1\0\0\0\x1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xc8\0\0\0\x2\0\x1\x1\x1\0\0\0\0\0\0\0\0\x1\0\0\0\x64\xff\xff\xff\xff\0\0\0\x84\0\0\0\0\0\0\0\x2\0\0\0\x64\0\0\0\x1\0\0\0\x3\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\x3\xe8\0\0\0\0\x64)
view_details_columns_state2=@ByteArray(\0\0\0\xff\0\0\0\0\0\0\0\x1\0\0\0\x1\xff\xff\xff\xff\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x4\x46\0\0\0\n\0\x1\x1\x1\0\0\0\0\0\0\0\0\0\0\0\0\x64\xff\xff\xff\xff\0\0\0\x84\0\0\0\0\0\0\0\n\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\xc2\0\0\0\x1\0\0\0\0\0\0\x3\xe8\0\0\0\0\x64)

13
config/settings/services/mem-alloc.service Normal file
View File

@@ -0,0 +1,13 @@
[Unit]
Description=build and install memory hardened allocator
DefaultDependencies=no
After=sysinit.target local-fs.target
Before=basic.target
[Service]
Type=oneshot
ExecStart=/usr/mem_alloc.sh
RemainAfterExit=yes
[Install]
WantedBy=basic.target

11
config/settings/services/mem_alloc.sh Executable file
View File

@@ -0,0 +1,11 @@
#!/usr/bin/env bash
set -e
set -x
if [ -f '/usr/src/hardened_malloc/Makefile' ]; then
cd /usr/src/hardened_malloc/
make -s VARIANT=default CONFIG_NATIVE=false
fi
if [ -f '/usr/src/hardened_malloc/out/libhardened_malloc.so' ]; then
echo '/usr/src/hardened_malloc/out/libhardened_malloc.so' | tee /etc/ld.so.preload
fi

6
config/settings/skel/autorun.desktop Normal file
View File

@@ -0,0 +1,6 @@
[Desktop Entry]
Name=Enable GNOME Extensions
Exec=/usr/gnome_settings.sh
Type=Application
Hidden=false
X-GNOME-Autostart-enabled=true

5
config/settings/skel/bash_profile Normal file
View File

@@ -0,0 +1,5 @@
# ~/.bash_profile
chsh -s /bin/bash
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi

8
config/settings/skel/bashrc Normal file
View File

@@ -0,0 +1,8 @@
# ~/.bashrc
# Custom aliases
alias la='ls -la'
# Set a custom prompt
PS1="[\u@\h \W]\$ "

3
config/settings/skel/gnome_settings.sh Normal file
View File

@@ -0,0 +1,3 @@
#!/bin/bash
gnome-extensions enable ubuntu-appindicators@ubuntu.com
gsettings set org.gnome.desktop.interface color-scheme prefer-dark

14
config/settings/skel/profile Normal file
View File

@@ -0,0 +1,14 @@
# ~/.profile
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
if [ ! -f $HOME/.config/opensnitch/firstrun]; then
mkdir -p $HOME/.config/opensnitch/
cp /etc/opensnitchd/settings.conf $HOME/.config/opensnitch/settings.conf
touch $HOME/.config/opensnitch/firstrun
fi

2
scripts/boot_image.sh
View File

@@ -4,5 +4,5 @@ cd ..
disk="./outputs/boot_image.img"
qemu-system-x86_64 -bios /usr/share/ovmf/OVMF.fd -drive if=none,format=raw,file=$disk,id=hd -device virtio-blk-pci,drive=hd -m 16G -smp 8 -vga none --display default,gl=off -usb -device virtio-tablet-pci -device virtio-keyboard-pci --device virtio-gpu-pci -usb -enable-kvm -machine type=pc-q35-3.1,accel=kvm,kernel_irqchip=on -netdev user,id=net0 -device virtio-net-pci,netdev=net0,mac=52:54:00:12:34:56
qemu-system-x86_64 -bios /usr/share/ovmf/OVMF.fd -drive if=none,format=raw,file=$disk,id=hd -device virtio-blk-pci,drive=hd -m 16G -smp 8 -vga none --display default,gl=off -usb -device virtio-tablet-pci -device virtio-keyboard-pci --device virtio-gpu-pci -usb -enable-kvm -machine type=q35,accel=kvm,kernel_irqchip=on -netdev user,id=net0 -device virtio-net-pci,netdev=net0,mac=52:54:00:12:34:56
#--display gtk,gl=off --device virtio-gpu

19
scripts/bootstrap_filesystem.sh Executable file
View File

@@ -0,0 +1,19 @@
#!/bin/bash
if [ "$(id -u)" -ne 0 ]; then
echo "switching from $(id -un) to root"
exec sudo "$0" "$@"
fi
set -e
cd "$(dirname "$0")"
DIR="$(dirname "$0")"
cd ..
echo $PWD
rm -rf './outputs/root'
if [ ! -d ./outputs/root/bin ]; then
rm -rf './outputs/root'
mkdir -p ./outputs/root/
debootstrap questing ./outputs/root https://us.archive.ubuntu.com/ubuntu
fi

59
scripts/build_filesystem.sh
View File

@@ -1,21 +1,26 @@
#!/bin/bash
set -e
set -x
#downloading graphene malloc
if [ ! -f ./dependencies/hardened_malloc/Makefile ]; then
cd "$(dirname "$0")"
DIR="$(dirname "$0")"
cd ..
cd ./dependencies/
git clone https://github.com/GrapheneOS/hardened_malloc.git
fi
#switching to root to perform chroot
if [ "$(id -u)" -ne 0 ]; then
echo "switching from $(id -un) to root"
exec sudo "$0" "$@"
fi
set -e
cd "$(dirname "$0")"
DIR="$(dirname "$0")"
cd ..
echo $PWD
rm -rf './outputs/root'
if [ ! -d ./outputs/root/bin ]; then
rm -rf './outputs/root'
mkdir -p ./outputs/root/
debootstrap questing ./outputs/root https://us.archive.ubuntu.com/ubuntu
fi
if mountpoint -q "./outputs/chroot/proc/"; then
umount -lf "./outputs/chroot/proc/"
fi
@@ -26,10 +31,48 @@ if mountpoint -q "./outputs/root/proc/"; then
fi
rsync -a ./outputs/root/ ./outputs/chroot/
mkdir -p ./outputs/chroot/proc
mount --bind /proc ./outputs/chroot/proc
cp ./config/filesystem_chroot_install.sh ./outputs/chroot/filesystem_chroot_install.sh
cp ./config/apply_initial_host_configuration.sh ./outputs/chroot/apply_initial_host_configuration.sh
cp ./config/config.json ./outputs/chroot/config.json
#copy opensnitch rules.
echo "copying firewall rules"
rsync -a ./config/settings/opensnitch/ ./outputs/chroot/usr/src/opensnitchd/
#setup user skeleton
sudo mkdir -p ./outputs/chroot/etc/skel/.config
printf "yes" | tee ./outputs/chroot/etc/skel/.config/gnome-initial-setup-done
cp ./config/settings/skel/bash_profile ./outputs/chroot/etc/skel/.bash_profile
cp ./config/settings/skel/bashrc ./outputs/chroot/etc/skel/.bashrc
cp ./config/settings/skel/profile ./outputs/chroot/etc/skel/.profile
cp ./config/settings/skel/gnome_settings.sh ./outputs/chroot/usr/gnome_settings.sh
chmod +x ./outputs/chroot/usr/gnome_settings.sh
#installing hardened memory allocator if built
if [ -f ./dependencies/hardened_malloc/Makefile ]; then
rsync -a ./dependencies/hardened_malloc/ ./outputs/chroot/usr/src/hardened_malloc/
fi
cp ./config/settings/services/*.service ./outputs/chroot/etc/systemd/system/
find ./config/settings/services/ -type f -name '*.sh' -exec chmod +x {} \;
cp ./config/settings/services/*.sh ./outputs/chroot/usr/
echo "installing system from within chroot"
chmod +x ./outputs/chroot/filesystem_chroot_install.sh
chmod +x ./outputs/chroot/apply_initial_host_configuration.sh
mkdir -p ./outputs/chroot/lib/modules/
echo "installing kernel modules"
rsync -a ./dependencies/linux/modules/lib/modules/ ./outputs/chroot/lib/modules/
echo "installing filesystem"
chroot ./outputs/chroot /bin/bash -c "/filesystem_chroot_install.sh"
chroot ./outputs/chroot /bin/bash -c "/apply_initial_host_configuration.sh"
cp ./config/settings/skel/autorun.desktop ./outputs/chroot/etc/xdg/autostart/autorun.desktop
cd $DIR
cd ..

2
scripts/build_image.sh
View File

@@ -1,7 +1,7 @@
#!/bin/bash
if [ "$(id -u)" -ne 0 ]; then
echo "switching from $(id -un) to root"
exec sudo "$0" "$@"
exec sudo ionice -c 3 "$0" "$@"
fi
set -e
cd "$(dirname "$0")"

2
scripts/build_kernel.sh
View File

@@ -6,7 +6,7 @@ mkdir -p ./dependencies
rootdir=$(dirname "$0")
dir=./$(dirname "$0")
cd dependencies
[[ -d ./linux ]] || git clone --depth 5 https://github.com/gregkh/linux.git ./linux
[[ -d ./linux ]] || git clone --depth 1 https://github.com/torvalds/linux.git ./linux
cd "$(dirname "$0")"
cd ..
echo $PWD

2
scripts/install_dependencies.sh
View File

@@ -4,7 +4,7 @@ if [ "$(id -u)" -ne 0 ]; then
exec sudo "$0" "$@"
fi
set -e
list="kpartx podman debootstrap "
list="kpartx podman debootstrap qemu-system"
apt update
for item in $list; do
apt install -y $item