Subgraph OS pre-Alpha for Testers

Where to download?

Linux (Debian Stretch) based OS
grsecurity hardened kernel
Application sandboxing with Oz: brower, mail client, IM client, PDF viewer, image viewer, LibreOffice..
Network egress over Tor
seccomp bpf whitelisting and blacklisting as part of Oz
Application firewall
MAC spoofing with Macouflage
Curated packages, such as CoyIM as alternative for GUI XMPP
...

Subgraph OS is pre-alpha. It has not been security audited, not even by us. There will be bugs, including likely security bugs, and it is unfit for 'real' use.
While the release is signed (by an informal developer key), the packages are not yet signed. We are still finalizing our workflow for building and releasing packages, including the key management around this.
The repo we have created for our packages is temporary and will change in the near future.
The captive portal detector and authentication tool is still not complete and is not in the current ISO.
We are also working on something to indicate the status of Tor, this is not present in the ISO yet (or exist at all). Check /var/log/tor/log for information about the state of tor.
Subgraph OS is still relying on the Debian vanilla installer, there is no Tor egress during installation. Any connections (e.g. to retrieve update metadata or updates) made during install time are identifiable. You can skip the network setup to avoid this.

Tor bootstrap may be slow at first boot or in live mode.
Tor Browser Launcher writes Tor Browser into the user's home directory, and it is writeable inside the sandbox. We will replace Tor Browser Launcher with Tor Browser package. Issue here.
CoyIM is not yet stable, please report crashes or bugs to the development team here.
Tor will not be able to egress at boot due to firewall rules when running in live mode on VMWare Fusion. Issue here.
Seccomp whitelists are currently DISABLED for most Oz sandboxed apps (except Coy) because we haven't tested them in about a month and need to retrain them. Instead most applications are running with the generic seccomp blacklist in /etc/oz/blacklist-generic.seccomp.

If Tor Browser does not start, it may be because Pax flags were not set. Run the following command: sudo paxrat -c /etc/paxrat/paxrat_tbl.conf to set them manually for Tor Browser.
If Tor does not successfully bootstrap, it may be because the system time was not set to GMT. Please set it to the current time GMT to unblock Tor. You can do it by issuing this command (as root): date --set="X FEB 2016 XX:XX:XX"
To restart Oz daemon at any time (if apps won't start..) issue this command: sudo systemctl restart oz-daemon

Please report all bugs using Github issues.

Make sure to search to ensure that the issue you are reporting is not already known to us.

While testing keep a window open running the following command: sudo journalctl -f
Tor logs to /var/log/tor/log
Oz logs to /var/log/daemon.log
dmesg is useful for diagnosing grsecurity/PaX problems and seccomp bpf hits

We recommend contacting us through the following, in order of preference:

For now documentation is minimal, but we are actively improving it. Start here.