Very interesting concept. http://techwarrior.us/subgraph-os-secure-linux-operating-system-for-non-technical-users/ https://subgraph.com/sgos/index.en.html It doesnt seem like it has been actually released as of yet but excited to get a look at it.
I saw that too , and want to play with it , but can't find an ISO anywhere . from thehackernews " .... gets unveiled in Logan CIJ Symposium conference in Berlin on March 11-12 "
Great, particularly if it allows more users to do this kind of thing. I'm not clear - I guess they will be revealing all at the talk - how the sandboxing "Oz" compares with Firejail. It would be a shame if there were duplicate development there. What it doesn't seem to be addressing specifically is kernel hardening, of course Qubes doesn't do that specifically either. I really want a commercially supported hardened desktop Linux which includes grsec approaches plus application sandboxing or RBAC. I wouldn't mind $20/year per seat for something of that ilk.
Afaik Linux VM's with GRSec kernel are still incompatible with Qubes, but this does use GRsecurity. Not much detail, but it is there: https://subgraph.com/sgos/hardening/index.en.html
Yes, interesting indeed! Well, from the info on its github site it looks very similar to Firejail. Note that the Firejail development version 0.9.39 also supports X11 sandboxing with Xpra.
Played around with the Alpha. If you have troubles getting the link then go to the irc channel (look at their twitter feed). The alpha is still a little rough but I see it has very solid potential. It is essentially customized Debian. It even works on my new Skylake laptop. The only decision I consider questionable is their use of Gnome UI. KDE or XFCE would be a much better choice.
Looks awesome I love the fact that it comes with a built in sandbox. BTW does Subgraph use the LTS version GRsecurity?
Interactive firewall, interesting, lot more user friendly than manually configuring rules: https://twitter.com/subgraph/status/681912428226048000
Do they use their own repos? It seems so because ... So you'll have a limited selection of applications. This is understandable considering the goal of that OS. But it remains to be seen if it satisfies the requirements of an average user. In principle, everything they offer is available elsewhere (Grsecurity, MAC, Firejail, ...). The advantage of Subgraph OS is that they provide everything ready-to-use. The question is if the disadvantages (limited choice of packages, probably incompatible with Virtualbox, no other DE?) are acceptable.
I have to disagree ..... .... I reckon it's already pretty certain that it has nothing to offer the " average user" , and never will ( same thing with Qubes , TAILS etc ). And I , for one , am really looking forward to getting my hands on it ..... but I don't have enough spare time to spend on an alpha release .
For more technical details, here's a comparison between Qubes and Subgraph by Joanna Rutkowska(from Qubes) and there is also a reply from David Mirza Ahmad(from Subgraph). https://secure-os.org/pipermail/desktops/2015-October/000002.html It looks like that to me, but I don't know.
Perhaps "average user" was imprecise wording. What I meant: I am a security-oriented user who welcomes efforts like Subgraph OS. However, I'm hesitant to use it if it limits me in doing stuff which I consider normal features in a Linux distro. e.g. installing an alternative DE, using Virtualbox, or simply using alternative image processing programs other than the default one, etc. I don't want to boot another OS just to be safe when I'm doing, e.g., online banking. In other words, I want a hardened all-purpose OS. And I still think that's possible considering all the security features which are already available in Linux or are going to be available soon (like the application sandboxes in Gnome which can be used also in other DEs). They "only" need to be properly implemented. But to each his own. If you simply want a secure and privacy-oriented OS, Subgraph OS is surely worth considering.
Most likely, Subgraph will be of interest to a small subset of business users - things like sys admins, corporate lawyers and so on. I would like to see more businesses adopt this kind of hardened Linux AND pay for it in terms of an annual maintenance fee. The prospect for a "hardened all-purpose OS" is small right now, though I do wonder about the additional possibilities that Wayland will provide in this respect - X being a disaster both for hardening and remoting. One could imagine a hardened terminal which connects a session to a variety of different hardened hosts depending on need. With the higher affordability of low-powered processors, you could have several such engines on the local network, reducing the risk by limiting how general purpose each one is supposed to be, and enforcing separate memory and IO spaces.
They initially marketed this as "Subgraph OS — Secure Linux Operating System for Non-Technical Users"
Has anyone tried this out? It looks like it's based on Debian or maybe Ubuntu. Grsecurity kernel is default. "Subgraph OS's application containment mechanism creates sandboxes around at-risk applications, such as the browser, email client, PDF viewer, and IM client." I have no interest in using TOR but this uses TOR by default. Seems pretty stable for an alpha release. New features: They released new alpha build two days ago. grsecurity RAP demo enabled AppArmor enabled by default in kernel config AppArmor profiles added for the following: dhclient NetworkManager PulseAudio Subgraph Firewall Daemon Subgraph Metaproxy
I sent them a message and they got back to me - the ability to use it without TOR is coming. It's a Gnome desktop. Seems its Debian. This will be the only general use distro that by default installs and upgrades with a grsec kernel as opposed to jumping through hoops to install and upgrade it. The sandbox is called OZ. https://github.com/subgraph/gnome-shell-extension-ozshell