Subgraph OS

Discussion in 'all things UNIX' started by driekus, Mar 5, 2016.

  1. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Yes, looks very cool :thumb:
     
  3. quietman

    quietman Registered Member

    Joined:
    Dec 27, 2014
    Posts:
    491
    Location:
    Earth .... occasionally
    I saw that too , and want to play with it , but can't find an ISO anywhere .

    from thehackernews

    " .... gets unveiled in Logan CIJ Symposium conference in Berlin on March 11-12 "
     
    Last edited: Mar 6, 2016
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,149
    Location:
    UK
    Great, particularly if it allows more users to do this kind of thing. I'm not clear - I guess they will be revealing all at the talk - how the sandboxing "Oz" compares with Firejail. It would be a shame if there were duplicate development there.

    What it doesn't seem to be addressing specifically is kernel hardening, of course Qubes doesn't do that specifically either.

    I really want a commercially supported hardened desktop Linux which includes grsec approaches plus application sandboxing or RBAC. I wouldn't mind $20/year per seat for something of that ilk.
     
  5. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Afaik Linux VM's with GRSec kernel are still incompatible with Qubes, but this does use GRsecurity.

    Not much detail, but it is there:
    https://subgraph.com/sgos/hardening/index.en.html
     
  6. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,149
    Location:
    UK
  7. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    722
    Yes, interesting indeed!

    Well, from the info on its github site it looks very similar to Firejail. Note that the Firejail development version 0.9.39 also supports X11 sandboxing with Xpra.
     
  8. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,149
    Location:
    UK
    @summerheat - excellent, the Xpra approaches are really important to contain X11 better.
     
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
  10. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Can you install it in virtualbox?
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    I don't see why not.
     
  12. ronald739

    ronald739 Registered Member

    Joined:
    Nov 9, 2011
    Posts:
    55
    Location:
    Australia
    The first link in the original post for me now is tech support and not about Subgraph OS.
     
  13. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    Played around with the Alpha. If you have troubles getting the link then go to the irc channel (look at their twitter feed).

    The alpha is still a little rough but I see it has very solid potential. It is essentially customized Debian. It even works on my new Skylake laptop.

    The only decision I consider questionable is their use of Gnome UI. KDE or XFCE would be a much better choice.
     
  14. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    118
    Looks awesome I love the fact that it comes with a built in sandbox. BTW does Subgraph use the LTS version GRsecurity?
     
    Last edited: Mar 15, 2016
  15. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I'll have to give that a try!
     
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
  17. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    118
  18. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    722
    Do they use their own repos? It seems so because ...
    So you'll have a limited selection of applications. This is understandable considering the goal of that OS. But it remains to be seen if it satisfies the requirements of an average user.

    In principle, everything they offer is available elsewhere (Grsecurity, MAC, Firejail, ...). The advantage of Subgraph OS is that they provide everything ready-to-use. The question is if the disadvantages (limited choice of packages, probably incompatible with Virtualbox, no other DE?) are acceptable.
     
  19. quietman

    quietman Registered Member

    Joined:
    Dec 27, 2014
    Posts:
    491
    Location:
    Earth .... occasionally
    I have to disagree .....

    .... I reckon it's already pretty certain that it has nothing to offer the " average user" , and never will ( same thing with Qubes , TAILS etc ).

    And I , for one , am really looking forward to getting my hands on it ..... but I don't have enough spare time to spend on an alpha release .
     
  20. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    For more technical details, here's a comparison between Qubes and Subgraph by Joanna Rutkowska(from Qubes) and there is also a reply from David Mirza Ahmad(from Subgraph).
    https://secure-os.org/pipermail/desktops/2015-October/000002.html


    It looks like that to me, but I don't know.
     
  21. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    722
    Perhaps "average user" was imprecise wording. What I meant: I am a security-oriented user who welcomes efforts like Subgraph OS. However, I'm hesitant to use it if it limits me in doing stuff which I consider normal features in a Linux distro. e.g. installing an alternative DE, using Virtualbox, or simply using alternative image processing programs other than the default one, etc. I don't want to boot another OS just to be safe when I'm doing, e.g., online banking. In other words, I want a hardened all-purpose OS. And I still think that's possible considering all the security features which are already available in Linux or are going to be available soon (like the application sandboxes in Gnome which can be used also in other DEs). They "only" need to be properly implemented.

    But to each his own. If you simply want a secure and privacy-oriented OS, Subgraph OS is surely worth considering.
     
  22. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,149
    Location:
    UK
    Most likely, Subgraph will be of interest to a small subset of business users - things like sys admins, corporate lawyers and so on. I would like to see more businesses adopt this kind of hardened Linux AND pay for it in terms of an annual maintenance fee.

    The prospect for a "hardened all-purpose OS" is small right now, though I do wonder about the additional possibilities that Wayland will provide in this respect - X being a disaster both for hardening and remoting. One could imagine a hardened terminal which connects a session to a variety of different hardened hosts depending on need. With the higher affordability of low-powered processors, you could have several such engines on the local network, reducing the risk by limiting how general purpose each one is supposed to be, and enforcing separate memory and IO spaces.
     
  23. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    625
    Location:
    United States
    They initially marketed this as "Subgraph OS — Secure Linux Operating System for Non-Technical Users"
     
  24. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    625
    Location:
    United States
    Has anyone tried this out? It looks like it's based on Debian or maybe Ubuntu. Grsecurity kernel is default.
    "Subgraph OS's application containment mechanism creates sandboxes around at-risk applications, such as the browser, email client, PDF viewer, and IM client."

    I have no interest in using TOR but this uses TOR by default. Seems pretty stable for an alpha release.

    New features:

    They released new alpha build two days ago.
    1. grsecurity RAP demo enabled
    2. AppArmor enabled by default in kernel config
    AppArmor profiles added for the following:
    • dhclient
    • NetworkManager
    • PulseAudio
    • Subgraph Firewall Daemon
    • Subgraph Metaproxy
     
  25. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    625
    Location:
    United States
    I sent them a message and they got back to me - the ability to use it without TOR is coming.

    It's a Gnome desktop. Seems its Debian. This will be the only general use distro that by default installs and upgrades with a grsec kernel as opposed to jumping through hoops to install and upgrade it.

    The sandbox is called OZ. https://github.com/subgraph/gnome-shell-extension-ozshell
     
Loading...