Documentation

Slarpx Overview

Hardened Slarpx is an advanced, security-oriented Debian derivative engineered to withstand highly hostile network environments and persistent local threats. It abandons convenience in favor of absolute system integrity. Slarpx operates under the assumption that the system is constantly under attack, deploying stringent defense-in-depth methodologies across the kernel, network stack, package management, and runtime environments.

Critical Audience Warning & Legal Disclaimer

TARGET AUDIENCE: This distribution is strictly designed for security researchers, extreme threat-model environments, and isolated analytical workstations. It is fundamentally incompatible with daily consumer workloads, standard gaming, or casual browsing.

LIABILITY DISCLAIMER: Slarpx modifies low-level hardware interactions, flushes volatile memory forcefully, and actively self-sabotages user-space processes if it suspects intrusion. By deploying this system, the user waives Nixovena Labs of any liability regarding hardware degradation, catastrophic data loss, or network isolation failures.

Use exclusively at your own risk. Support is not guaranteed for packages outside the minimal core.

Post-Installation: Secure Boot Initialization

Following the graphical installation, it is absolutely critical that the system administrator manually configures and enables UEFI Secure Boot. The Slarpx kernel lock-down mechanisms (integrity/confidentiality modes) rely heavily on the hardware trust anchors provided by Secure Boot.

For comprehensive instructions on establishing Secure Boot keys and enrolling signatures, strictly adhere to the official Debian SecureBoot documentation.

Installation Process

Slarpx installation utilizes a variant of the Debian graphical installer environment.

Kernel Hardening Analysis

This section provides a comprehensive technical analysis of the Kernel-level security and networking hardening measures applied in the HardenedSlarpx distribution. The configurations reviewed orchestrate one of the most aggressive security baselines available for Linux, closely following the Kernel Self Protection Project (KSPP) guidelines. The settings span GRUB boot parameters and kernel sysctl configurations.

1. Microarchitectural Mitigation (CPU Vulnerabilities)

File: /etc/default/grub.d/40_cpu_mitigations.cfg

HardenedSlarpx adopts a "security over performance" philosophy. It forces all available hardware and software mitigations for side-channel physical vulnerabilities:

• Simultaneous Multithreading (SMT) Disabled: By setting nosmt=force, hyperthreading is completely disabled on the system. This drastically drops performance but fundamentally closes the attack vectors for severe cross-thread data leakage exploits (such as L1TF and MDS).
• Comprehensive Hardware Barriers: Strong mitigations are strictly enabled (spectre_v2=on, spectre_bhi=on). retbleed=ibpb forces hardware-level Indirect Branch Prediction Barriers instead of weaker software fallbacks.
• Microarchitectural Data Sampling (MDS & TAA): Forced cleared at borders via mds=full,nosmt and tsx_async_abort=full,nosmt. This ensures data processed cannot be skimmed by other malicious tenant processes.

2. Kernel Memory and Process Protections

Files: /etc/default/grub.d/40_kernel_hardening.cfg, /etc/sysctl.d/sysctl.conf

Exploit mitigation is drastically heightened by destroying predictability and restricting process interactions within kernel space:

• Zeroing Memory: init_on_alloc=1 and init_on_free=1 ensures memory is completely overwritten with zeros before being given to or taken back from an application. It significantly stalls "Use-After-Free" exploit primitives.
• ASLR and Memory Predictability: Address Space Layout Randomization is fully deployed (kernel.randomize_va_space=2). Furthermore, page_alloc.shuffle=1 randomizes physical page allocations, and randomize_kstack_offset=on randomizes stack offsets on every syscall, making ROP attacks incredibly difficult.
• Slab Integrity: Merging of slabs is prevented (slab_nomerge). This strictly silos cache allocations, meaning an attacker causing a heap overflow in one type of object cannot easily rewrite adjacent boundaries of another object type.
• Disabling Legacy Emulation: Vsyscalls and 32-bit compatibility (vsyscall=none, vdso32=0, ia32_emulation=0) are permanently disabled, shrinking the attack surface by discarding aging architecture wrappers heavily favored by exploit developers.
• CFI & KFENCE: Implements kernel Control Flow Integrity (cfi=kcfi) to structurally validate the destination of indirect branches. Additionally, the kernel electric-fence feature (kfence.sample_interval=100) catches out-of-bounds heap operations.
• /proc/PID/mem Blocking: Forces proc_mem.force_override=never which prevents an application (or an attacker) from exploiting the FOLL_FORCE flag to overwrite protected local memory through the procfs interface. BPF is also fundamentally disabled for unprivileged users (unprivileged_bpf_disabled=1).

3. Direct Memory Access (DMA) Defense

File: /etc/default/grub.d/40_kernel_hardening.cfg

To neutralize external hardware exploits (e.g. plugging a malicious Thunderbolt/PCIe device to suck keys directly out of RAM):

• Universal IOMMU Translation: Forces IOMMU isolation (intel_iommu=on, amd_iommu=force_isolation). Ensures that device memory mappings are strictly verified.
• Synchronous TLB Denial: iommu.strict=1 disables lazy flushing. While demanding on performance, it ensures old DMA mappings are purged synchronously, meaning physical devices cannot fetch "stale" data from memory.
• Pre-Kernel EFI Restriction: efi=disable_early_pci_dma severs the busmaster bit on PCI bridges before the kernel even initializes the IOMMU, closing the temporary boot-time window vulnerability.

4. Drastic System Integrity & Panic Policies

Files: /etc/default/grub.d/40_kernel_hardening.cfg, /etc/default/grub.d/41_recovery_restrict.cfg, /etc/sysctl.d/sysctl.conf

Once compromised, it is better for the machine to stop than to serve the attacker:

• Aggressive Panic Protocol: Using parameters like oops=panic, panic_on_warn=1, and panic_on_oops=1, the kernel will instantly panic and shutdown if it detects a serious internal error or an execution path warning—classic indicators of memory corruption exploits in progress.
• Tainted Kernel Rejection: The panic_on_taint=0xC0924 parameter forces the machine to halt if out-of-scope hardware, firmware bugs, or debug mutating events are loaded.
• No Recovery Console: Standard recovery options like the grub "single-user" mode or the Dracut emergency shell are disabled. Instead of dropping into a root shell upon boot failure, the system halts, frustrating an attacker attempting to exploit physical access without credentials.
• Lockdown Mode: Kicks the kernel into lockdown=integrity mode, stripping root's ability to modify kernel space memory or execute raw port operations, preventing lateral movement from userland root to ring-0.

5. Network Stack Hardening (TCP/IP)

File: /etc/sysctl.d/sysctl.conf

An exhaustive networking clampdown designed to deter Man-in-the-Middle (MitM), Spoofing, and Denial of Service (DoS) attacks:

• Routing & Redirects Blocked: IP forwarding is disabled. It rejects all ICMP routing redirects and Source Routing (preventing attackers from determining the network path).
• Anti-Spoofing: Strict Reverse Path Filtering (rp_filter=1) validates that the source IP comes from the logical corresponding interface. ARP gratuitous updates and ignores are tuned to block MAC-address spoofing and poisoning.
• DDoS/Flood Mitigation: SYN cookies are enabled to fend off SYN floods. ICMP is constrained by rate limits, and broadcast echo requests are completely ignored, eliminating participating in Smurf amplifier attacks.
• Cryptography & Entropy: Disables trusting the proprietary and closed-source CPU (random.trust_cpu=off) and bootloader Random Number Generators, insisting the Linux kernel mixes its own cryptographic entropy.
• IPv6 Disabled: ipv6.disable=1 is injected into GRUB to reduce the vast attack surface of the IPv6 networking stack if it is not strictly required.

Network Hardening Analysis

The network hardening architecture in HardenedSlarpx utilizes a dual approach: a highly restrictive ingress/egress firewall (nftables) and an immutable, enforced DNS management system. This strategy is designed to protect against internal data exfiltration, thwart local network attacks, and deter broad-spectrum Internet reconnaissance.

1. Nftables Firewall (Ingress & Egress Filtering)

File: /etc/nftables.conf

Unlike typical desktop firewalls that only block incoming traffic, HardenedSlarpx dictates a strict "Default Drop" policy on both incoming (input) and outgoing (output) chains. This serves as a significant hurdle for malware looking to communicate outside the local machine.

Key Ingress (Incoming) Protections:

• Anti-Spoofing & Network Layer Validation: Network packets claiming to originate from loopback addresses that arrive via external physical interfaces are immediately dropped. Invalid connection states are proactively blocked.
• Port Scan Detection: The firewall scrutinizes TCP flags heavily. Packets carrying illegal or suspicious combinations indicative of port scanning are silently discarded.
• DDoS/SYN Flood Resilience: A soft cap on new TCP connection requests (SYN packets) limits the flow to 30 requests per second. The ICMP ping limits are set to 20/second, neutralizing "Ping of Death" or standard network saturation attempts.
• SSH Brute-Force Tracking: SSH requests are dynamically rate-limited. If an external IP attempts more than 3 connections per minute, the firewall dynamically injects that IP address into a penalty set and automatically drops subsequent connection attempts for 10 minutes.

Key Egress (Outgoing) Protections:

• Anti-Exfiltration Policy: The firewall blocks all outbound Internet traffic by default. It relies on an explicit "Allowlist" configuration.
• Restricted Output Types: Only highly standard end-user protocols are permitted outbound (e.g., HTTP/80, HTTPS/TCP 443, QUIC/UDP 443, SSH, Mail ports, and essential local multicast).
• DNS Server Whitelisting: Standard port 53 outbound traffic is heavily inspected. The firewall only allows DNS traffic designated for a hardcoded set of Trusted DNS Providers (such as Cloudflare 1.1.1.1 and Quad9 9.9.9.9).

2. DNS Guard (Immutable Static DNS Enforcement)

File: /etc/systemd/system/slarpx-dns.service

Purpose: It is a common vulnerability on modern operating systems that DHCP assignments, local routers, or Network Management daemons will automatically overwrite /etc/resolv.conf, effectively intercepting the user's DNS queries. HardenedSlarpx resolves this via a dedicated systemd service.

• Absolute Enforcement (chattr +i): The slarpx-dns service runs at boot up, immediately enforcing a static DNS configuration by completely overriding the local resolver. It then relies on the CAP_LINUX_IMMUTABLE capability to run the chattr +i shell command, applying an immutable file tag to /etc/resolv.conf.
• Daemon Sandboxing: Even though this service requires high privileges to wipe and restrict /etc/resolv.conf, the daemon executing it is strongly sandboxed contextually by systemd. It drops access using NoNewPrivileges=yes, PrivateDevices=yes, and MemoryDenyWriteExecute=yes to ensure the script itself cannot be co-opted.

Security Engines Detailed Analysis

The HardenedSlarpx distribution utilizes three powerful, custom backend security engines (daemons) designed to protect the operating system's security and integrity. These engines ensure the system is protected against various threat vectors: Poison (Timing Disruption), Silencer (Information Leak Prevention), and Xennytsu (Advanced Behavioral Analysis & EDR).

1. POISON (Timing Disruption Engine)

Purpose: Instead of completely blocking malicious or suspicious process attempts, this engine actively disrupts them by dynamically slowing them down. This approach is generally used to sabotage buffer-overflow or race conditions that exploits rely on.

• Kernel-Level Monitoring with Fanotify: Uses the fanotify infrastructure to monitor file operations across critical paths and temporary working directories.
• Smart Threat Scoring: Whenever a new process starts, it is stored in a hash table. The process's threat score increases if it tampers with privileged files, is launched directly from a tmpfs root, or if its parent is a suspicious scripting language.
• Adaptive Micro-Delay (Jittering): If a suspicious process is targeted, the system adds a dynamically calculated, random microsecond-level usleep() pause right before a file read operation takes place. These tiny slowdowns do not crash the system, but they cause suspicious payloads to hit timeouts or break the connection.
• Immunity (Whitelist): Core operating system services (systemd, dbus) and common user applications are exempt from this delay process, ensuring day-to-day performance is not degraded.

2. SILENCER (Kernel Info Leak Prevention Engine)

Purpose: Limits privilege escalation vulnerabilities in the system environment and prevents reconnaissance operations where an attacker or malicious application tries to gather information about the system.

• Process Isolation (Hidepid): Mounts the /proc directory with the hidepid=invisible option. When any unprivileged user runs tools like ps or top, they cannot see the processes belonging to other users.
• Tamper-Guard: Enforces strict regimes on the most sensitive kernel security (sysctl) settings under /proc/sys/kernel/, such as yama/ptrace_scope, kptr_restrict, and dmesg_restrict. It continuously checks these settings in a loop. If an attempt is made to alter them, it immediately reverts them back to their secure states.
• Filesystem Hardening: Locks down the /boot directory and kernel module build paths from ordinary users. It also revokes world-readable status from logs inside /var/log.
• Blocking Independent Analysis Modules: Restricts the permission chains of tools like gcc, gdb, strace, nmap, and tcpdump which an attacker could use for lateral movement within the system.

3. XENNYTSU (Behavioral Execution Guard)

Purpose: Acts as an ultra-low-footprint, modern EDR mechanism. By analyzing the operating system, process trees, and memory in real-time, it instantly detects malicious activities and ruthlessly kills the process with a hardware SIGKILL.

• Malicious Command and Reverse Shell Detection: Xennytsu monitors command arguments (cmdline) to instantly detect if a command is attempting to open a reverse shell. Furthermore, it is capable of identifying the execution of base64 encoded payloads by format.
• Memory Manipulation Detection (Memory Maps): Inspects the file descriptors (FDs) and memory maps (/proc/pid/maps) of running processes. It spots anonymous executable regions or fileless rootkit/shellcode traces loaded into memory, scoring them highly for immediate destruction.
• Environment Variable Scanning (Env Guards): Blocks dangerous shell variable manipulations or entries like LD_PRELOAD and LD_LIBRARY_PATH.
• Malicious Parent-Child Compatibility Detection: In a rational system hierarchy, an execution like /bin/bash suddenly spawning from under nginx is highly suspicious. Xennytsu utilizes a hierarchical inspection mechanism that terminates the process the moment a threat score exceeds 70.

System Hardening Analysis

The HardenedSlarpx distribution implements a robust, multi-layered "Defense in Depth" strategy by hardening various aspects of the operating system configuration. The hardening configurations are deeply embedded within the system's package management, hardware modules, user environments, physical access vectors, and boot/shutdown processes.

1. Package Management Security (APT Hardening)

• Strict Cryptographic Verification: Enforces strict TLS/HTTPS peer and host verification for all repositories. It explicitly blocks unauthenticated packages and insecure downgrade operations.
• Sandboxing & Privilege Drop: APT execution is placed securely inside a seccomp-bpf sandbox, which limits the system calls the process can make. Moreover, the download operations are executed by the unprivileged _apt user rather than root.
• Integrity over Bandwidth: PDiffs are disabled, forcing full index downloads to guarantee checksum integrity. Local package caches (.deb files) are automatically cleaned after installation to save space and reduce local tampering risks.

2. Hardware and Kernel Module Restrictions

• DMA & Physical Attacks: Firewire and Thunderbolt modules are explicitly disabled to mitigate Direct Memory Access (DMA) attacks where an attacker could theoretically read system memory directly via a connected hardware device.
• Privacy & Telemetry Blockers: GPS hardware modules and Intel's Platform Monitoring Technology are blocked to prevent location tracking and hardware-level data collection.
• Filesystem & Network Attack Surface: Old/legacy network file systems (NFS, CIFS, GFS2) and obsolete network protocols are blocked. Rare filesystems and obsolete framebuffer graphics drivers are also disabled.
• Entropy Generation: The jitterentropy_rng module is forcefully loaded on boot, guaranteeing a strong, non-deterministic source of random numbers (entropy) which is critical for early-boot cryptographic operations.

3. Bluetooth Security

• Time Limits: The Discoverable and Pairable modes are strictly limited to an aggressive timeout of 30 seconds.
• Maximum Controllers: Only 1 Bluetooth controller is allowed, and any subsequently plugged-in adapters are ignored.
• Privacy (RPA): The Bluetooth stack uses Randomized Private Addresses (RPA) (Privacy=network/on), making it exceptionally difficult to track the device based on its Bluetooth MAC address.

4. Shell and User Environment Hardening

• Anti-Forensics & Session Timeouts: Shell command history is completely disabled (HISTFILE=/dev/null and wiped at exit) preventing local attackers from uncovering sensitive commands. Idle sessions are automatically terminated after 15 minutes of inactivity.
• Strict File Permissions: A global umask 077 is enforced, meaning any new file or directory created by a user is strictly private (readable/writable only by the owner).
• Resource Constraints: Core dumps are completely disabled at both the shell and system level (core 0), ensuring application crashes don't leak physical memory/passwords to the disk. Stack sizes are limited to help mitigate buffer overflow attacks.
• Compiler Restrictions: By checking the UID, non-root users are explicitly denied access to compiler tools (gcc, make, cc), stopping local attackers from compiling rootkits or local exploits on the machine.
• Brute-Force Protection: Leveraging PAM faillock, user accounts are temporary locked for 5 minutes after 5 consecutive failed authentication attempts.

5. Execution Privileges (Sudo Security)

• A very strict umask=0077 applies to files created via sudo.
• Commands run via sudo are executed in a dedicated pseudo-terminal (use_pty), neutralizing terminal hijacking exploits. It also requires an actual TTY context (requiretty).
• The security timeout for cached sudo passwords is significantly shortened to 2 minutes. All environmental variables are fully stripped, maintaining only a secure binary executable path.

6. Systemd Hardening and Anti-Cold Boot Measures

• Permission Hardening: This is a boot-time service designed to correct system permissions. Systemd itself encapsulates this service tightly using deep sandboxing and only assigns the direct privileges needed for file ownership and immutable tag modification capabilities.
• Protection Against Cold Boot Attacks: Cold boot attacks act by suddenly cutting power to the machine and stripping out the RAM sticks to extract encryption keys. This service explicitly runs precisely before system halts or reboots, overwriting swap memory and flushing critical buffers, rendering the data extraction useless.