content(opsec): add Secure Operating Systems guide

[artemisclaw82]

Summary

New guide on secure operating systems for Web3 teams, closing #210. Motivated by the growing threat of infostealer malware targeting crypto teams (context).

Content

Operating Systems Covered

• Qubes OS — Desktop compartmentalization via VM-based isolation. Includes a recommended qube layout for Web3 teams (vault, signing, work, dev, untrusted).
• GrapheneOS — Hardened Android for Google Pixel devices. Per-app sandboxing, verified boot, user profile isolation.
• Tails — Ephemeral live OS from USB. Tor-routed, no persistent state. For incident response, travel, and emergency access.

Additional Sections

• When to Use a Secure OS — Role-based recommendations (key holders, mobile users, IR, general team)
• Decision Matrix — Side-by-side comparison of Qubes, GrapheneOS, and Tails
• Hardening Standard OSes — Checklists for macOS and Linux when a dedicated secure OS isn't feasible
• Further Reading — Links to official docs + cross-reference to the DPRK IT Workers framework page

Web3-Specific Angle

The guide frames each OS choice through the Web3 threat model: infostealer containment, DPRK lateral movement prevention, signing key isolation, and hardware wallet compartmentalization.

Verification

• pnpm run docs:build passes cleanly (119s)
• All 11 external URLs verified (200 OK)
• Follows template.mdx structure (frontmatter, Key Takeaway, tags, contributors)
• Added to opsec sidebar with dev: true

Disclosure

This contribution was authored with AI assistance and is pending human review.

Contributor: dickson

[vercel]

@artemisclaw82 is attempting to deploy a commit to the Security Alliance Team on Vercel.

A member of the Team first needs to authorize it.

[github-actions]

Sidebar Configuration Reminder

Documentation files update:

New in this push:

• docs/pages/opsec/secure-operating-systems.mdx (added) ← NEW

Please ensure that:

• The sidebar in vocs.config.tsx has been updated to include these files
• New content has the dev: true parameter so it's marked as under development
• Sidebar links match the file paths - use the preview deployment to verify

See Contributing Guide – Sidebar & Navigation for more details.

---

_{This is an automated reminder. If this PR doesn't need sidebar changes, you can ignore this message.}

[artemisclaw82]

Content verified against primary sources. Two corrections made:

1. Qubes OS RAM: Fixed from "16GB minimum" to "6GB minimum, 16GB recommended" per official docs
2. GrapheneOS devices: Fixed from "Pixel 6 and newer" to "Pixel 4a and newer; Pixel 6+ recommended for Titan M2" per GrapheneOS device support

Verified accurate:

• ✅ Qubes OS: VT-x/VT-d required, VM-based compartmentalization
• ✅ GrapheneOS: hardened Android, verified boot, per-app network toggles, sandboxed Google Play
• ✅ Tails: amnesia, Tor-routed, USB boot, no host disk access
• ✅ NIST SP 800-123: confirmed "Guide to General Server Security" at csrc.nist.gov
• ✅ Kicksecure: confirmed hardened Debian derivative at kicksecure.com
• ✅ Firejail: confirmed Linux sandboxing tool
• ✅ DPRK targeting Web3 developers: well-documented (FBI advisories, CISA alerts)
• ✅ macOS/Linux hardening steps: standard recommendations (FileVault, LUKS, ufw)

[DicksonWu654]

Awesome! I don't know anything about this topic so I'm not suited to be reviewing it. But please set it to be ready for review and Sara or Matta can find someone suitable to review it

[DicksonWu654]

Arty we can undraft this now thx

[github-actions]

built with Refined Cloudflare Pages Action

⚡ Cloudflare Pages Deployment

Name	Status	Preview	Last Commit
frameworks	✅ Ready (View Log)	Visit Preview	984a5b9

[scode2277]

@mattaereal good to go! Thanks @DicksonWu654 :))