Subgraph OS

Discussion in 'all things UNIX' started by driekus, Mar 5, 2016.

  1. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    It's based on Debian Stretch.
    Features as far as I know:
    -GrSec Kernel
    -AppArmor
    -Everything over Tor
    -Sandboxing system called Oz (uses Namespaces, seccomp and GUI isolation through Xpra, though they plan to move to Wayland in the future)
    -Both Oz and Tor have a Gnome shell extension for ease of use.
    -Application Firewall based on Little Snitch
    -FDE Mandatory, memory wiped on shutdown
    -Randomized MAC address
    -Parts written in memory safe language, also includes CoyIM (XMPP client with OTR, Tor and TLS support, https://coy.im/about/)
    -Working on reproducible builds


    So maybe a mod can move the posts from the other thread into this one?
     
  2. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    This surprises me. Grsecurity is known to come with its own MAC implementation called Role Based Access Control (RBAC). Why did they choose AppArmor instead? Do they consider it superior? Interesting.
     
  3. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    Beast mode. I anxiously look forward to when Tor isn't mandatory. I might even switch from Arch, though not sure. I have basically all this on Arch except randomized MAC (I change the MAC manually if I'm going to use public wifi), memory wipe (need to do), and oz. I have AppArmor for firefox and deluge, and firejail for firefox, deluge, and hexchat, but I need to create more profiles for both firejail and AppArmor. I have Tor through whonix, though I rarely need/use it.

    I wonder if by "mandatory disk encryption" they include /boot, which would invariably mean they'd be using Grub and one would become vulnerable to USB/PCI keyloggers (though immune to software evil maid attacks). If they mean all of root with a separate /boot, they could implement secure boot to secure the kernel against software evil maid while allowing keyfiles to be used for the FDE, thereby eliminating keyloggers as a means to get access to the system by logging the luks passphrase.

    Still, subgraph looks like an awesome effort. I will try it in a VM soon..
     
  4. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    For what it's worth I've loaded the latest alpha build a few times and it seems pretty stable to me.

    I've seen posts from them on Reddit so they might grace us here to maybe answer some questions if we ask.

    This is my question to them via Twitter and their answer about TOR. I deleted the names on the accounts but the question was to subgraph's Twitter account.

    ‏@TenaciousJim Jun 18
    @subgraph Is it possible to change the network default so it doesn't use TOR?

    @attractr
    @TenaciousJim @subgraph that is coming. Will be totally configurable.
     
  5. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
  7. quietman

    quietman Registered Member

    Joined:
    Dec 27, 2014
    Posts:
    511
    Location:
    Earth .... occasionally
    @BoerenkoolMetWorst

    Thank you for posting that .

    I've been playing with Subgraph for about a year and mostly just fiddling ( stumbling ) around .
    The handbook will be a big bonus :)

    I have to say that I'm surprised that it's still only an alpha release .
    This thread doesn't get much attention and it seems the same on other forums I look at .
    A listing request was submitted to Distrowatch on September 30th , so perhaps things are moving along .

    The waiting list at Distrowatch is fairly long , and not in alphabetical order , which isn't very helpful .
    It seems to be in order of date submitted .
     
  8. Jan42

    Jan42 Registered Member

    Joined:
    Feb 9, 2016
    Posts:
    11
    Interesting distro for sure. What I'd like to know more about is proprietary graphics cards and their respective drivers. In the past I've had a hard time using my proprietary graphics card (nvidia) with a grsecurity+pax kernel. When I use the native open-source drivers then everything is dandy, but as soon as I try to use proprietary drivers then I can't seem to get it to work. Or is the point in these kinds of security distros not to use proprietary drivers?

    Does anyone have an opinion about using proprietary drivers with a grsecurity+pax kernel?

    (my current setup is a dual boot (windows 10 and Manjaro xfce 16.10.3 generic kernel 4.4.33-1) and using firejail for my browser)
     
  9. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    I'm just waiting for it to allow non Tor networking which they've said will be 1st Q 2017 the last time I inquired.

    There seems to be a somewhat thriving community of users though judging from their Github page.

    https://github.com/subgraph/subgraph-os-issues

    Also they have a Pax utility that has been accepted into Debian - paxrat - so either I was wrong about AppArmor or that info is obsolete.

    https://secure-os.org/pipermail/desktops/2016-January/000089.html
     
  10. quietman

    quietman Registered Member

    Joined:
    Dec 27, 2014
    Posts:
    511
    Location:
    Earth .... occasionally
    I understand your concern about being forced to use Tor , and it's not just with Subgraph that it's an issue .

    The devs have legitimate reasons for making it a default , but at this early stage of development we should be able to opt out of it ,
    at least on a per-session basis .
    Many people might be keen to explore Subgraph but do not want to signal to their ISP that they are using Tor , and with very good reason .

    @Jan42
    Hardly a day goes by when I don't read somewhere of another GNU/Linux headache that has the nvidia cards at its root ,
    and the associated driver problems .
    I regularly come across similar issues with some of the newer GNU/Linux operating systems .

    Having a choice of test rigs has made me very lazy ; the main one is high-spec but has nvidia graphics , the other has Intel HD.
    I'm not interested in games , so my only need from a graphics card is that it works with anything I throw at it , and nvidia simply does not do that .

    I know , I should have put in the effort to sort out the local nvidia issues at the time I encountered them , but I didn't :)
    The lower spec machine with the Intel HD graphics runs absolutely everything .... no exceptions .

    It may appear flippant , but if I were stuck with nvidia and all of these Linux issues , I would buy an alternative card rather than constantly trying
    to patch around the problems .
    That probably sounds drastic , but life is short ....
     
    Last edited: Dec 5, 2016
  11. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    A new Subgraph OS Alpha ISO is available for download.
    https://subgraph.com/blog/subgraph-dec2016-iso-availability/
     
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
  13. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    I'm happy to see the project is still alive, even if the PaX dispute with CopperheadOS really made me wonder what kind of weirdos are behind Subgraph. There are four people behind it according to their website but only two of them are active on social media. Twitter in this case.

    This seems to be the version of Grsec they are using now: https://github.com/minipli/linux-unofficial_grsec/releases
     
  14. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    That is because the average user has been taught how to use a computer by corporate America. Put all of your applications, private data, personal information and social contacts together on one machine. Now connect it to the internet, yaaay!
     
  15. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    A new Subgraph OS Alpha ISO is available for download.
    https://subgraph.com/blog/subgraph-sep2017-iso-availability/
     