What security mechanisms have been added to PureOS relative to the Debian distro?

Software PureOS
1

Hi everyone :wave:,

I would like to understand PureOS better and my today’s question is about hardening technics used in PureOS.

I know that PureOS 9 is based on Debian stable, which in itself is a high security standard (lower CVEs risk at the expense of having older packages).

It seems to me that Debian usually offers quite a “default configuration” for its packages. My understanding is that PureOS has adjusted some things (relative to Debian) to make the operating system more secure by default. I am curious what these things are. I have already searched for the answer to this question and I know that it is the default browser configuration, but I’m sure there are more things (I also found information about AppArmor).

In order not to dilute the topic, I would like to focus on the operating system (I know that the bios is also safer, etc. but let’s focus on the OS).

Would someone be able to explain me what security mechanisms I get by default in PureOS that are not configured in Debian by default ?

I do not expect an explanation of the details of these mechanisms/configurations, but I guess I would like to know what their list is, if possible.

Thank you very much,
Maro

2 Likes
2

I can see that I probably won’t get the answer :slight_smile:

I’m wondering - did I framed the question in too generic way (or it does not make sense, etc.)? Or the answer is not simple. :thinking:

Best,
Maro

3

I think the main advantage of PureOS over Debian comes from their Pureboot bundle on the Librem laptops. I’m not sure if there are that many security tweaks compared to regular Debian.

I am by no means any sort of expert, though. @jeremiah is perhaps most equipped to answer, or @Richard or @joao.azevedo

1 Like
4

Or @Kyle_Rankin

5

I have often wondered what is the difference between PureOS and Debian main.

One obvious difference is Purebrower, which was a forked version of Firefox ESR with extra privacy setting by default. The only source code that I can find for Purebrowser is from 5 years ago:

Now Purebrowser is based on Epiphany, and the only source code that I can find is the version for the Librem 5:

6

in PureBrowser in PureOS you still have to :

  1. Type about:config in the address bar of Firefox and hit Enter.
  2. When you see the void warranty warning message, accept it.
  3. Search for ‘geo.enabled’ in the search bar.
  4. Change ‘geo.enabled’ from ‘True’ to ‘False’

which means the location services have been disabled.

that doesn’t however mean that you can’t be located by IP …

7

No one should be running PureBrowser. It is quite out dated with known security vulnerabilities due to being based on older version of Firefox ESR. Folks should go into Tilix/Terminal and run sudo apt update && sudo apt full-upgrade to make sure their OS and apps are up to date with all security patches.

8

Partial answer: https://puri.sm/posts/what-is-mobile-pureos/.

Additional point is that PureOS is endorsed by the Free Software Foundation, which some people could count as additional security due to the lack of proprietary blobs (or easy ways to get them).

9

Thank you for the answers!

By the way, I checked AppArmor on the PureOS live image on VirtualBox:

pureos@pureos:~$ cat /sys/module/apparmor/parameters/enabled
Y
pureos@pureos:~$ sudo aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfied but have a profile defined.

Debian GNU/Linux by default does not have proprietary blobs as well (but there is an easy way to get them).

So, maybe the difference on the OS default configuration level is small between Debian and PureOS from the security perspective (and it is fine).

2 Likes
10

in short AppArmor is loaded and enabled but UNDEFINED out-of-the-box …