I guess you could use something like those new immutable distros to move away from state and related vulnerabilities. TBH there are plenty of hardening guides for Debian.

Or you could use any hardened version of Fedora which gets security fixes quicker, and then harden it some more yourself. The good part about Debian is that you are free to use SysVInit, I do not know if you could do that on Fedora. I do not think Systemd is a massive risk (if they have reached Systemd you have many other, bigger problems to think of).

I think I should study some more about Fedora. I run k3s on top and will go through their CISA hardening guide at some point to round things out.

Please tell me you’re using Oracle /s

I need to try this, thanks

Setting SELinux to permissive is not a good security practice

Such a beautiful distribution. Very happy that it keeps going!

Why not port knocking over TOR?

Hmm, not bad. I care more about WLB than money so this is fine.

Thanks for the tips

Exactly

What’s the pay like for system admins in Europe on an average? Asking for mid-level (5-7 years of experience)

I have definitely read this answer before. I think we’ve probably already spoken on the matter. Indeed, Lemmy has a serious dearth of users interested and using secure distros over the averages. Thanks for your efforts; I do not know how to follow users on Lemmy but if I did I’d follow you. Do you have a blog/any other forum you’re more active on?

Personally, I find it difficult to justify the time to learn Secureblue (especially the immutable part) or NixOS on Qubes because custom DispVMs with curated salt states work so well already. I’m interested in use-cases that will improve my security but I haven’t found any dialogue on this yet. If you do have opinions on this and know where I can look, I would greatly appreciate it!

I would be really interested in a comparison of Kicksecure and secureblue. I’m interested in running one of them myself

Well the Star64 from Pine is pretty good, just doesn’t have enough processing power and IO for my liking.

Framework has a laptop in progress if you’re interested

Yeah that’s your situation. Some people are fine with it

Ah, you mean they put the cert in a transparent proxy which logs all traffic? Neat idea, I should try it at home

Private CA is the only way for domains which cannot be resolved on the Internet

Now look here chap, Quadlet admittedly works fine. I personally just k3s anyway but .pod files work too.

Isn’t being obedient to SELinux a good thing? You could set it to permissive if you want, but MAC systems are essential for security and I personally wouldn’t go without them

Are these VNC?

How? I’m interested