Definitive Manual

The Security Hardening Bible

Kernel-Level Protection: Hardening the Foundation of your OS.

The Science of Defense

Most "security software" is reactive: it waits for an attack and then tries to stop it. Tebian's security is **Proactive and Structural.** Rather than relying on an antivirus, we harden the kernel and the filesystem so that entire classes of exploits become far harder to carry out and, when one does land, far easier to contain. This bible provides the technical procedures behind that hardening.

We focus on the three pillars of structural defense: Kernel Hardening, Mandatory Access Control (MAC), and Memory Isolation.

1. Kernel Hardening: The Sysctl Manual

The Linux kernel has hundreds of parameters that control networking, memory management, and process execution. By default, these are tuned for compatibility. Tebian's "Hardened Mode" tunes them for **Defense.**

The Sysctl Config

We provide a pre-configured sysctl.d drop-in, 99-tebian-hardened.conf (the 99- prefix makes it sort after, and override, the distribution's own drop-ins), that applies the following kernel-level protections:

  • ASLR (Address Space Layout Randomization): We set kernel.randomize_va_space=2, which randomizes the stack, mmap base, VDSO and heap (brk) of every process. An attacker exploiting a memory-corruption bug such as a buffer overflow can no longer rely on fixed addresses and needs an information leak first. ASLR raises the cost of exploitation; it does not make overflows impossible. 2 is already the upstream default, and the drop-in pins it explicitly rather than trusting the default.
  • Network Stack Hardening: We disable accepting and sending ICMP redirects (net.ipv4.conf.all.accept_redirects, send_redirects and their default.* and IPv6 counterparts) and source-routed packets (accept_source_route). A host on the local segment can then no longer rewrite our routing table or dictate the path our packets take, which closes the redirect-based on-path ("Man-in-the-Middle") technique. It does not help against an attacker who already controls the gateway.
  • Unprivileged BPF: We set kernel.unprivileged_bpf_disabled=1 so that unprivileged users cannot load eBPF programs into the kernel. Unprivileged BPF has been the entry point for several kernel privilege-escalation and Spectre-style side-channel bugs, so removing it shrinks the attack surface without affecting tooling run by root. Value 1 cannot be reverted without a reboot; value 2 (Linux 5.15 and later) also disables it but lets root switch it back to 0.
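The settings above are only useful if they are actually in the drop-in and actually applied by the running kernel. The script below is an added example, not Tebian's own tooling: it audits a sysctl.d style file and, separately, the live values under /proc/sys against the hardened values. The key list and the assumed path /etc/sysctl.d/99-tebian-hardened.conf are this example's assumptions.

```shell
#!/bin/sh
# Added example (not the file Tebian ships): audit a sysctl.d drop-in and the
# running kernel against the hardened settings described in this section.
# Assumptions: the drop-in lives at /etc/sysctl.d/99-tebian-hardened.conf and
# uses "key = value" lines; the key list below is this example's own.

HARDENED_SETTINGS="
kernel.randomize_va_space=2
kernel.unprivileged_bpf_disabled=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_source_route=0
"

# conf_value KEY FILE: value of KEY in a sysctl.d style file. Comments (# or ;)
# and whitespace are stripped, the last occurrence wins, nothing is printed
# when KEY is absent.
conf_value() {
    key=$1; file=$2
    sed -e 's/[#;].*$//' -e 's/[[:space:]]//g' "$file" \
        | awk -F= -v k="$key" '$1 == k { v = $2 } END { if (v != "") print v }'
}

# live_value KEY: the running kernel's value, read from /proc/sys (dots become
# slashes). Prints nothing if the key is unreadable on this system.
live_value() {
    path=/proc/sys/$(printf '%s' "$1" | tr . /)
    if [ -r "$path" ]; then cat "$path"; fi
}

# audit_settings SOURCE [FILE]: compare every hardened key against SOURCE,
# which is "conf" (read FILE) or "live" (read /proc/sys). Prints one line per
# key and returns the number of keys that are missing or set to another value.
audit_settings() {
    src=$1; file=$2; bad=0
    for pair in $HARDENED_SETTINGS; do
        key=${pair%%=*}; want=${pair#*=}
        if [ "$src" = live ]; then
            have=$(live_value "$key")
        else
            have=$(conf_value "$key" "$file")
        fi
        if [ "$have" = "$want" ]; then
            echo "ok       $key=$have"
        else
            echo "MISMATCH $key: want $want, have ${have:-<unset>}"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Stand-alone usage: sh audit.sh --run [drop-in path]
if [ "${1:-}" = "--run" ]; then
    conf=${2:-/etc/sysctl.d/99-tebian-hardened.conf}
    echo "== drop-in: $conf"; audit_settings conf "$conf"
    echo "== running kernel";  audit_settings live
fi
```

Run it after `sysctl --system` (which loads every drop-in in lexical order) to confirm that nothing sorting after 99-tebian-hardened.conf has overridden a value; a key that is correct in the file but wrong in the live audit is exactly that case.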

2. AppArmor: Confining the Applications

Most of the damage from an exploit comes from the compromised application (a web browser, say) having far more access than it needs. A browser runs as you, so a compromised browser can read everything in your /home directory and hand the attacker your SSH keys and documents. Tebian uses AppArmor, the kernel's mandatory access control (MAC) layer, to prevent this.

The Profile Strategy

Every critical app in Tebian has an AppArmor profile: a set of path-based rules that tells the kernel, for example, "this browser may read its own config and write to the Downloads folder, and nothing else." Whatever a profile does not list is denied, so the browser cannot open your SSH keys or your banking files. Even if the browser is compromised, the attacker is trapped inside a small, well-defined room. A profile is developed in complain mode, where violations are logged but allowed, and switched to enforce mode once it is trusted.
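The following profile is an added illustration of that strategy, not a profile shipped by Tebian. The binary path /usr/bin/example-browser, its library and config directories, and the chosen abstractions are assumptions; the structure (default deny, explicit allow for the app's own state and Downloads, audited deny on secrets) is the point.

```apparmor
# Added example profile, not one shipped by Tebian. The binary path and the
# config, cache and library directories are assumptions for illustration.
abi <abi/3.0>,
include <tunables/global>

/usr/bin/example-browser {
  include <abstractions/base>
  include <abstractions/fonts>
  include <abstractions/nameservice>
  include <abstractions/X>

  # Ordinary TCP/UDP connectivity only; no raw or packet sockets.
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,

  # The binary and its libraries (m = may be mapped executable).
  /usr/bin/example-browser mr,
  /usr/lib/example-browser/** mr,

  # Its own state, and only files owned by the invoking user.
  owner @{HOME}/.config/example-browser/** rwk,
  owner @{HOME}/.cache/example-browser/** rwk,

  # The one place it may save files.
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/** rw,

  # Everything else under HOME is already denied by default. A plain deny is
  # silent; "audit deny" makes an attempt to reach these paths show up in the
  # kernel log, which is what you want from a compromised browser.
  audit deny @{HOME}/.ssh/** mrwkl,
  audit deny @{HOME}/.gnupg/** mrwkl,
  audit deny @{HOME}/Documents/** mrwkl,
}
```

Install it as /etc/apparmor.d/usr.bin.example-browser, load it with `apparmor_parser -r` on that file, and put it in complain mode first with `aa-complain` while watching the journal or `dmesg` for `apparmor="DENIED"` lines; every legitimate access the browser needs will appear there. Once the log is quiet, `aa-enforce` the profile and confirm with `aa-status` that it is listed under enforce mode.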

3. Memory Isolation: Mitigating Meltdown and Spectre

Modern CPUs have hardware flaws (Meltdown, Spectre and their successors) that let one process read data belonging to another process, or to the kernel, through speculative-execution side channels. Tebian enables the kernel's mitigations and forces them on with boot parameters such as pti=on (kernel page-table isolation, against Meltdown) and spectre_v2=on (the Spectre variant 2 mitigation), so that they stay active even where the kernel's auto-detection would relax them; mitigations=off must never appear on the command line. Rowhammer is a fault in the DRAM itself and is not addressed by these parameters. We prioritize Data Integrity over the performance cost of the mitigations, which is workload dependent: a few percent on typical desktop work, noticeably more on syscall-heavy workloads under PTI. The kernel reports the status of every known flaw under /sys/devices/system/cpu/vulnerabilities/.
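Since the mitigations are silent, the only way to know they are active is to ask the kernel. The script below is an added check, not part of Tebian: it reads the per-flaw status files from sysfs, reports any that still say "Vulnerable", and confirms that the forcing parameters are present on the kernel command line. The list of required parameters is this example's own.

```shell
#!/bin/sh
# Added example (not Tebian's tooling): report CPU vulnerability mitigation
# status from sysfs and check the forcing parameters on the kernel command line.
# Assumptions: a Linux kernel exposing /sys/devices/system/cpu/vulnerabilities/
# and /proc/cmdline; the REQUIRED_PARAMS list is this example's own choice.

VULN_DIR=${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}
REQUIRED_PARAMS="pti=on spectre_v2=on"

# report_vulnerabilities DIR: print "<flaw>: <status>" for every entry in DIR.
# Returns the number of entries whose status begins with "Vulnerable" (the
# kernel writes "Not affected", "Mitigation: ..." or "Vulnerable[: detail]").
report_vulnerabilities() {
    dir=$1; n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        case $status in
            Vulnerable*) echo "VULNERABLE ${f##*/}: $status"; n=$((n + 1)) ;;
            *)           echo "ok         ${f##*/}: $status" ;;
        esac
    done
    return "$n"
}

# check_cmdline CMDLINE: given the text of /proc/cmdline, flag mitigations=off
# and every required parameter that is absent. Returns the number of problems.
check_cmdline() {
    cmdline=$1; bad=0
    case " $cmdline " in
        *" mitigations=off "*)
            echo "BAD: mitigations=off disables every CPU mitigation"
            bad=$((bad + 1)) ;;
    esac
    for p in $REQUIRED_PARAMS; do
        case " $cmdline " in
            *" $p "*) echo "ok: $p" ;;
            *)        echo "missing: $p"; bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# Stand-alone usage: sh mitigations.sh --run
if [ "${1:-}" = "--run" ]; then
    echo "== $VULN_DIR";  report_vulnerabilities "$VULN_DIR"
    echo "== /proc/cmdline"; check_cmdline "$(cat /proc/cmdline)"
fi
```

A "Vulnerable" entry on a machine that boots with the forcing parameters usually means the CPU lacks the microcode the mitigation needs, which is a firmware update problem rather than a kernel configuration one.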

Conclusion: The Silent Guardian

True security isn't a pop-up window or a scan. It is a set of silent rules enforced by the kernel. By following the Security Hardening Bible, you make your Tebian machine far harder to break into and far easier to contain when something does get in. One ISO. One menu. Structural protection.