JefeLinux

Security-focused Linux distribution built on Alpine Linux 3.19

v0.1.0 "Sentinel" · x86_64 · UEFI + Legacy BIOS

~230 packages · 6 security layers · 381 MB ISO · Linux 6.6 LTS kernel · x86_64

Overall Progress: 75%

Core system operational · 6 security layers active · 4 major features planned

Feature Status

Core System (Complete)
Alpine Linux 3.19 base (~5 MB)
Linux 6.6 LTS hardened kernel
musl libc (900 KB footprint)
BusyBox utilities (400+ in 1 MB)
OpenRC init system
GRUB bootloader (UEFI + BIOS)

Kernel Security (Complete)
Full ASLR (randomize_va_space=2)
SMAP/SMEP enforcement
Kernel lockdown mode
Kernel pointer restriction
dmesg restriction (non-root)
TCP SYN cookies (flood protection)

Access Control & Monitoring (Complete)
AppArmor mandatory access control
Profile: dockerd containment
Profile: sshd containment
Profile: python3 / node containment
auditd syscall monitoring
fail2ban (3 retries, 1 hr ban)

Network Security (Complete)
nftables firewall (default DROP)
SSH rate limiting (3/min)
Key-only SSH authentication
Root login disabled
SSH ciphers: ChaCha20-Poly1305 / AES256-GCM
Ed25519 host keys

Application Runtimes (Complete)
Python 3.12 + pip + venv
Node.js 20 LTS + npm
Docker 24 + Docker Compose
containerd runtime
Build tools (gcc, cmake, make)

Build System & CI/CD (Complete)
5-stage build pipeline (5-8 min)
Docker-based reproducible builds
Jenkins CI/CD integration
Hyper-V VM deployment
GRUB + squashfs + initramfs ISO
Cross-platform (Linux + Windows)

Future Plans (Planned)
UEFI Secure Boot chain
Full Disk Encryption (LUKS)
Immutable root filesystem
Yocto/OpenEmbedded migration

Architecture Overview

JefeLinux implements a defense-in-depth security model across six layers, from kernel hardening to application-level confinement. Every component was chosen for minimal attack surface and maximum auditability.

Layer 1: Kernel Hardening
ASLR, SMAP/SMEP, lockdown mode, pointer restriction, dmesg restriction

Layer 2: Mandatory Access Control
AppArmor profiles confining dockerd, containerd, sshd, python3, node

Layer 3: Network Perimeter
nftables default-DROP policy, SSH rate limiting at 3 connections/minute

Layer 4: Authentication
Key-only SSH, root login disabled, fail2ban brute-force protection

Layer 5: Audit & Monitoring
auditd syscall tracking, file integrity monitoring on /etc/shadow, /etc/passwd

Layer 6: Container Isolation
Docker 24 with AppArmor-confined containerd, no privileged containers

Build Pipeline: 5-Stage Build
Bootstrap → Packages → Security → Overlay → ISO (5-8 minutes)

Base System: Alpine + musl
5 MB base image, 900 KB libc, 400+ BusyBox utilities in a single binary
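A verification script for the Layer 1 kernel hardening settings listed in the feature status and architecture sections, added here as an example and not part of the JefeLinux build or its CI pipeline: it reads the live /proc and /sys values and reports PASS or FAIL for each. Only randomize_va_space=2 is stated on this page; the expected values for kptr_restrict, dmesg_restrict, tcp_syncookies and the lockdown mode, and the ROOT parameter used for offline checks, are this example's assumptions.

```shell
#!/bin/sh
# Audit the Layer 1 kernel hardening settings on a running JefeLinux host.
# Usage: sh kernel-check.sh --audit [ROOT]
# ROOT defaults to the live system; point it at a copied /proc and /sys tree
# (or a constructed one) to check offline. randomize_va_space=2 comes from the
# feature list; the other expected values are this example's assumptions.

read_val() {
    # Print a procfs/sysfs file's contents, or "missing" if it is unreadable.
    if [ -r "$1" ]; then tr -d '\n' < "$1"; else printf 'missing'; fi
}

check_eq() {
    # check_eq LABEL FILE PATTERN: pass when FILE's value matches the shell pattern.
    actual=$(read_val "$2")
    case "$actual" in
        $3) printf 'PASS %s = %s\n' "$1" "$actual" ;;
        *)  printf 'FAIL %s = %s (want %s)\n' "$1" "$actual" "$3"; return 1 ;;
    esac
}

check_kernel_hardening() {
    root=${1:-}
    fails=0
    check_eq randomize_va_space "$root/proc/sys/kernel/randomize_va_space" 2      || fails=$((fails + 1))
    check_eq kptr_restrict      "$root/proc/sys/kernel/kptr_restrict"      '[12]' || fails=$((fails + 1))
    check_eq dmesg_restrict     "$root/proc/sys/kernel/dmesg_restrict"     1      || fails=$((fails + 1))
    check_eq tcp_syncookies     "$root/proc/sys/net/ipv4/tcp_syncookies"   1      || fails=$((fails + 1))
    # Lockdown lists the modes with the active one in brackets, e.g. "none [integrity] confidentiality".
    mode=$(read_val "$root/sys/kernel/security/lockdown")
    case "$mode" in
        *"[integrity]"*|*"[confidentiality]"*) printf 'PASS lockdown = %s\n' "$mode" ;;
        *) printf 'FAIL lockdown = %s\n' "$mode"; fails=$((fails + 1)) ;;
    esac
    # SMAP/SMEP are only enforced when the CPU advertises the flags.
    for flag in smep smap; do
        if grep -qw "$flag" "$root/proc/cpuinfo" 2>/dev/null; then
            printf 'PASS cpu flag %s present\n' "$flag"
        else
            printf 'FAIL cpu flag %s absent\n' "$flag"; fails=$((fails + 1))
        fi
    done
    return "$fails"   # 0 when every check passed, otherwise the number of failures
}

if [ "${1:-}" = --audit ]; then check_kernel_hardening "${2:-}"; fi
```

The exit status is the number of failed checks, so the script can gate a CI stage or a post-boot health check directly.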

Development Milestones

February 2026: v0.1.0 "Sentinel" Release
First public release with full security stack and web dashboard

January 2026: Build Pipeline & CI/CD
5-stage pipeline with Jenkins integration and Hyper-V deployment

January 2026: AppArmor & auditd Integration
Mandatory access control profiles for all services, syscall monitoring

December 2025: Kernel Hardening & nftables
Defense-in-depth kernel parameters and default-DROP firewall policy

November 2025: Alpine Base Selection & Runtime Setup
Chose Alpine 3.19 + musl + OpenRC foundation, configured Python/Node/Docker