Part of a series on
Information security
Related security categories
Computer security Automotive security Cybercrime Cybersex trafficking Computer fraud Cybergeddon Cyberterrorism Cyberwarfare Electronic warfare Information warfare Internet security Mobile security Network security Copy protection Digital rights management
Threats
Adware Advanced persistent threat Arbitrary code execution Backdoors Hardware backdoors Code injection Crimeware Cross-site scripting Cryptojacking malware Botnets Data breach Drive-by download Browser helper objects Viruses Data scraping Denial of service Eavesdropping Email fraud Email spoofing Exploits Keyloggers Logic bombs Time bombs Fork bombs Zip bombs Fraudulent dialers Malware Payload Phishing Polymorphic engine Privilege escalation Ransomware Rootkits Bootkits Scareware Shellcode Spamming Social engineering Screen scraping Spyware Software bugs Trojan horses Hardware Trojans Remote access trojans Vulnerability Web shells Wiper Worms SQL injection Rogue security software Zombie
Defenses
Application security Secure coding Secure by default Secure by design Misuse case Computer access control Authentication Multi-factor authentication Authorization Computer security software Antivirus software Security-focused operating system Data-centric security Code obfuscation Data masking Encryption Firewall Intrusion detection system Host-based intrusion detection system (HIDS) Anomaly detection Security information and event management (SIEM) Mobile secure gateway Runtime application self-protection
v t e

This is a list of operating systems specifically focused on security. Operating systems for general-purpose usage may be secure without having a specific focus on security.^[1]

Similar concepts include security-evaluated operating systems that have achieved certification from an auditing organization, and trusted operating systems that provide sufficient support for multilevel security and evidence of correctness to meet a particular set of requirements.

Linux

Android-based

• Android in general is very secure, having many security features such as taking advantage of SELinux and Verified Boot.
• CalyxOS is a free and open source privacy and security focused Android Custom ROM
• DivestOS is a free and open source privacy and security focused Android Custom ROM
• iodéOS is a free and open source privacy and security focused Android Custom ROM
• GrapheneOS is an open source privacy and security focused Android Custom ROM
• Kali NetHunter is a free and open source Kali Linux based Android Custom ROM for penetration testing

Debian-based

• Subgraph is a Linux-based operating system designed to be resistant to surveillance and interference by sophisticated adversaries over the Internet. Subgraph OS is designed with features that aim to reduce the attack surface of the operating system, and increase the difficulty required to carry out certain classes of attack. This is accomplished through system hardening and a proactive, ongoing focus on security and attack resistance. Subgraph OS also places emphasis on ensuring the integrity of installed software packages through deterministic compilation. Subgraph OS features a kernel hardened with the Grsecurity and PaX patchset, Linux namespaces, and Xpra for application containment, mandatory file system encryption using LUKS, resistance to cold boot attacks, and is configured by default to isolate network communications for installed applications to independent circuits on the Tor anonymity network.^{[citation needed]}
• Tails is a security-focused Linux distribution aimed at preserving privacy and anonymity. It is meant to be run as Live-CD or from a USB Drive and to not write any kind of data to a drive, unless specified or persistence is set. That way, it lives in RAM and everything is purged from the system whenever it is powered off. Tails is designed to do an emergency shutdown and erase its data from RAM if the medium where it resides is expelled.^[2]
• Whonix^[3][4] is an anonymous general purpose operating system based on VirtualBox, Debian Linux and Tor. By Whonix design, IP and DNS leaks are impossible. Not even Malware as Superuser can find out the user's real IP address/location. This is because Whonix consists of two (virtual) machines. One machine solely runs Tor and acts as a gateway, called Whonix-Gateway. The other machine, called Whonix-Workstation, is on a completely isolated network. It is also possible to use multiple Whonix Workstations simultaneously through one Gateway, that will provide stream isolation (though is not necessarily endorsed).^[5] All the connections are forced through Tor with the Whonix Gateway Virtual Machine, therefore IP and DNS leaks are impossible.^[6]

Xen-based

• Qubes OS is a desktop operating system based around the Xen hypervisor that allows grouping programs into a number of isolated sandboxes (virtual machines) to provide security. Windows for programs running within these sandboxes ("security domains") can be color coded for easy recognition. The security domains are configurable, they can be transient (changes to the file system will not be preserved), and their network connection can be routed through special virtual machines (for example one that only provides Tor networking). The operating system provides secure mechanisms for copy and paste and for copying files between the security domains^[7]

Gentoo-based

• Pentoo is a Live CD and Live USB designed for penetration testing and security assessment.^{[8][9][10][11]} Based on Gentoo Linux, Pentoo is provided both as 32 and 64-bit installable live CD. It is built on Hardened Gentoo linux including a hardened kernel and a toolchain.
• Tin Hat Linux is derived from Hardened Gentoo Linux. It aims to provide a very secure, stable, and fast desktop environment that lives purely in RAM.^[12]

Other Linux distributions

• Alpine Linux is an actively maintained lightweight musl and BusyBox-based distribution. It uses PaX and grsecurity patches in the default kernel and compiles all packages with stack-smashing protection.
• Annvix was originally forked from Mandriva to provide a security-focused server distribution that employs ProPolice protection, hardened configuration, and a small footprint. There were plans to include full support for the RSBAC mandatory access control system. Annvix is dormant, however, with the last version being released on 30 December 2007.^[13]
• EnGarde Secure Linux is a secure platform designed for servers. It has had a browser-based tool for MAC using SELinux since 2003. Additionally, it can be accompanied with Web, DNS, and email enterprise applications, specifically focusing on security without any unnecessary software. The community platform of EnGarde Secure Linux is the bleeding-edge version freely available for download.^{[citation needed]}
• Immunix was a commercial distribution of Linux focused heavily on security. They supplied many systems of their own making, including StackGuard; cryptographic signing of executables; race condition patches; and format string exploit guarding code. Immunix traditionally releases older versions of their distribution free for non-commercial use. The Immunix distribution itself is licensed under two licenses: The Immunix commercial and non-commercial licenses. Many tools within are GPL, however, as is the kernel.^{[citation needed]}
• Solar Designer's Openwall Project (Owl) was the first distribution to have a non-executable userspace stack, /tmp race condition protection, and access control restrictions to /proc data, by way of a kernel patch. It also features a per-user tmp directory via the pam_mktemp PAM module, and supports Blowfish password encryption.
• Fedora Silverblue is an immutable desktop operating system. Every Silverblue installation is identical to every other installation of the same version, and it never changes as it is used. The immutable design is intended to make the operating system more stable, less prone to bugs, easier to test and develop, and create a platform for containerized applications as well as container-based software development. Applications and containers are kept separate from the host system. OS updates are fast and there is no installation stage. With Silverblue, it is also possible to roll back to the previous version of the operating system, if something goes wrong.^[14]

BSD-based

• TrustedBSD is a sub-project of FreeBSD designed to add trusted operating system extensions, targeting the Common Criteria for Information Technology Security Evaluation (see also Orange Book). Its main focuses are working on access control lists, event auditing, extended attributes, mandatory access controls, and fine-grained capabilities. Since access control lists are known to be confronted with the confused deputy problem, capabilities are a different way to avoid this issue. As part of the TrustedBSD project, there is also a port of NSA's FLASK/TE implementation to run on FreeBSD. Many of these trusted extensions have been integrated into the main FreeBSD branch starting at 5.x.
• OpenBSD is a research operating system for developing security mitigations.^[15]

SELinux module

Security-Enhanced Linux (SELinux) is a module that may be incorporated into a Linux distribution. SELinux gives administrators more control over access of the system. SELinux has been integrated with the Linux kernel by default since 2003.^[16]

Object-capability systems

These operating systems are all engineered around the object-capabilities security paradigm. Instead of the system deciding if an access request should be granted, the bundling authority and designation decides.

• CapROS
• EROS
• Genode
• Fiasco.OC
• KeyKOS
• seL4

Solaris-based

• Trusted Solaris was a security-focused version of the Solaris Unix operating system. Aimed primarily at the government computing sector, Trusted Solaris adds detailed auditing of all tasks, pluggable authentication, mandatory access control, additional physical authentication devices, and fine-grained access control. Trusted Solaris is Common Criteria certified.^[17][18] The most recent version, Trusted Solaris 8 (released 2000), received the EAL4 certification level augmented by a number of protection profiles. Telnet was vulnerable to buffer overflow exploits until patched in April 2001.^[19]