Hardenwing OS

About Hardenwing OS

A Debian-based distribution designed with a minimalist approach and strict security policies.

Hardenwing OS is a Debian-based Linux distribution focused on security. It adopts a multi-layered defense architecture against cyber attacks, incorporating aggressive mitigation techniques alongside kernel, system, and network hardening configurations.

The distribution offers comprehensive security measures including BadUSB protection, permission hardening services, package manager hardening, module blacklisting, PAM and sudoers hardening. Due to its strict firewall policy, anonymization tools are not supported; the system enforces Quad9 DNS and allows only basic internet access.

Hardenwing is Secure Boot compatible and ships with it enabled by default. It uses GNOME (Wayland) as its desktop environment. During the build phase, a hook called Cerrah automatically removes unnecessary Debian and GNOME services that would otherwise expand the attack surface.

Release Notes

Version 3.0 Latest

Current Release

Project Evolution: Name changed from Hardened Slarpx to Hardenwing OS. Project logo, website domain, and SourceForge page updated. Slarpx archived.
Desktop & Usability: GNOME Wayland is now the default environment. System theme beautifully updated. Xennytsu, Silencer, and Poison modules were removed to make the distribution highly accessible for general use.
System Core: Removed kernel panic settings in grub.d that rendered the system unusable. Removed settings that could break system updates. The Cerrah hook now provides improved system cleanup by automatically removing unnecessary services during build.
Security & Hardening:
- Secure Boot enabled by default.
- Added USBGuard protection against BadUSB and similar hardware attacks.
- Hardened Flatpak privilege rules.
- Critical fixes applied to permission hardening.
- Firewall improvements and new security layer additions.
- Added proc hidepid functionality.
- Sudoers hardening improvements; added Defaults !fqdn.
- Added PAM login protection.
- Ported new sysctl.d hardenings from Kicksecure and updated network settings.
Applications: Firefox now comes with uBlock Origin by default and strict hardened policies applied.

Version 2.1

Hardening and System Maintenance

Fixed sysctl.conf initramfs error.
Disabled sysctl.conf IPv6 settings (Note: This may report an error as IPv6 is already disabled at the kernel level).

Version 2.0

Major Security and Stability Updates

Xennytsu and Poison security modules heavily improved.
False positive execution block rates in Xennytsu and Poison significantly reduced.
Fixed multiple security vulnerabilities and broken execution mechanics in Xennytsu and Poison.
New security engine introduced: Silencer. Focuses exclusively on preventing kernel information and memory leaks.
grub.d core settings updated to resolve system hardening conflicts.
General framework logic bugs fixed.
Critical sudo bug in the Debian installer framework fixed to ensure robust root staging.

Version 1.0

Initial System Release

Hardened Slarpx core image released.
Initial integration of the Poison security layer.