Features

Exploit mitigation

Installing and enabling hardened_malloc globally, including for flatpaks. ^{Thanks to rusty-snake’s spec}
Installing Trivalent, which is inspired by Vanadium. ^{Why chromium?} ^{Why not flatpak chromium?}
Setting numerous hardened sysctl values ^details
Sets numerous hardening kernel arguments (Inspired by Madaidan’s Hardening Guide) ^details
Configure chronyd to use Network Time Security (NTS) ^{using chrony config from GrapheneOS}
Set opportunistic DNSSEC and DNSOverTLS for systemd-resolved
Installing usbguard and providing ujust commands to automatically configure it

Remove SUID-root from numerous binaries, replacing functionality using capabilities, and remove sudo, su, and pkexec entirely in favor of run0 ^why?
Disable Xwayland by default (for GNOME, Plasma, and Sway images)
Mitigation of LD_PRELOAD attacks via ujust toggle-bash-environment-lockdown
Require wheel user authentication via polkit for rpm-ostree install ^why?
Disable install & usage of GNOME user extensions by default
Disable KDE GHNS by default ^why?
Removal of the unmaintained and suid-root fuse2 by default
Disabling unprivileged user namespaces by default for the unconfined domain and the container domain ^why?

Blacklisting numerous unused kernel modules to reduce attack surface ^details
Brute force protection by locking user accounts for 24 hours after 50 failed login attempts, hardened password encryption and password quality suggestions
Disable and mask a variety of services by default (including cups, geoclue, passim, and others)

Installing bubblejail for additional sandboxing tooling
Tooling for automatically setting up and enabling LUKS TPM2 integration for unlocking LUKS drives
Tooling for automatically setting up and enabling LUKS FIDO2 integration for unlocking LUKS drives
Toggles for controlling access to unprivileged user namespaces via SELinux
Toggles for a variety of the hardening set by default, for user convenience (ujust --choose)