security-misc/README.md

# enhances misc security settings #
The following settings are changed:

* deactivates previews in Dolphin;
* deactivates previews in Nautilus;
* deactivates TCP timestamps;
* deactivates Netfilter's connection tracking helper.

TCP time stamps (RFC 1323) carry a clock value with roughly millisecond
resolution (the exact tick rate is implementation dependent). This may or may
not allow an attacker to learn information about the system clock at such a
resolution, depending on various issues such as network lag. This information
is available to anyone who monitors the network somewhere between the attacked
system and the destination server. It may allow an attacker to find out how
long a given system has been running, and to distinguish several systems
running behind NAT and using the same IP address. It might also allow one to
look for clocks that match an expected value to find the public IP used by a
user.

Hence, this package disables this feature by shipping the
/etc/sysctl.d/tcp_timestamps.conf configuration file, which sets
net.ipv4.tcp_timestamps to 0.

Note that TCP time stamps normally do have some uses. They are needed for:

* the TCP protection against wrapped sequence numbers (PAWS); however, the
  32-bit sequence number space only wraps after roughly 2^32 bytes (4 GiB)
  have been sent within one Maximum Segment Lifetime (two minutes in RFC 793),
  which takes a sustained rate of about 300 Mbit/s. So this probably won't be
  a practical problem in the context of Anonymity Distributions.
* "Round-Trip Time Measurement", which is only useful when the user
2016-11-22 00:42:55 +07:00
manages to saturate their connection. When using Anonymity Distributions,
probably the limiting factor for transmission speed is rarely the capacity
of the user connection.
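
What such an observer can actually compute, as an added example that is not code from security-misc or Whonix: it pulls the timestamp option out of raw TCP option bytes, fits the timestamp clock of one host from captured packets to recover its tick rate and the instant its clock read zero, and splits packets arriving from one NAT address into the hosts that sent them. The packets, the two hosts, their boot times and the 250 Hz tick rate are constructed for the example; real stacks differ in where their clock starts (Linux starts its jiffies clock at a fixed offset and, since 4.10, adds a random per-destination offset, so on current Linux the rate and the per-host linearity still leak but the absolute value does not).

```python
"""Added example (not part of security-misc): what a passive observer can read
off the TCP timestamp option that /etc/sysctl.d/tcp_timestamps.conf turns off.

Each TSval a host sends is its timestamp clock, which ticks at a fixed rate
(RFC 1323 allows 1 ms to 1 s per tick; e.g. 4 ms on a HZ=250 Linux kernel
before 4.13, 1 ms since). Given packets captured at known wall-clock times,
fitting tsval = hz * t + c recovers the tick rate, and the fitted clock lets
packets from one NAT address be split by sending host.
All packets, hosts and boot times below are constructed for the example.
"""
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_TIMESTAMP = 0, 1, 8


def parse_tcp_options(opts: bytes) -> dict:
    """Walk the option bytes of a TCP header and return
    {"tsval": ..., "tsecr": ...} if a timestamp option is present, else {}.
    EOL ends the list, NOP is a single byte, everything else is kind,len,data.
    Truncated or malformed options stop parsing instead of raising."""
    i, found = 0, {}
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            break                      # kind byte without a length byte
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                      # bogus length / runs past the buffer
        if kind == TCPOPT_TIMESTAMP and length == 10:
            tsval, tsecr = struct.unpack("!II", opts[i + 2:i + 10])
            found = {"tsval": tsval, "tsecr": tsecr}
        i += length
    return found


def fit_timestamp_clock(samples):
    """samples: [(capture_time_s, tsval), ...] from ONE host.
    Ordinary least squares for tsval = hz * t + c.
    Returns (hz, zero_time_s): hz is the tick rate, zero_time_s the wall-clock
    instant at which the clock read 0, i.e. the boot time for a stack whose
    clock starts at zero at boot (the constructed hosts here do)."""
    n = len(samples)
    mean_t = sum(t for t, _ in samples) / n
    mean_v = sum(v for _, v in samples) / n
    sxx = sum((t - mean_t) ** 2 for t, _ in samples)
    sxy = sum((t - mean_t) * (v - mean_v) for t, v in samples)
    hz = sxy / sxx
    c = mean_v - hz * mean_t
    return hz, -c / hz


def split_hosts_behind_nat(samples, hz, jitter_s=0.5):
    """samples: [(capture_time_s, tsval), ...] seen from a single IP address.
    For each host tsval - hz*t is constant up to network jitter, so packets
    whose constant differs by more than hz*jitter_s ticks come from different
    machines. Returns one list of (t, tsval) per host, in order of that constant."""
    tagged = sorted((v - hz * t, t, v) for t, v in samples)
    hosts, current = [], [tagged[0]]
    for prev, cur in zip(tagged, tagged[1:]):
        if cur[0] - prev[0] > hz * jitter_s:
            hosts.append(current)
            current = []
        current.append(cur)
    hosts.append(current)
    return [[(t, v) for _, t, v in host] for host in hosts]


# Constructed packets: two hosts behind one NAT, both ticking at 250 Hz,
# host A's clock read zero at t=1000 s, host B's at t=3000 s (example epoch).
HZ = 250
HOST_A = [(5000.0, 1_000_000), (5004.0, 1_001_000), (5010.5, 1_002_625)]
HOST_B = [(5002.0, 500_500), (5006.0, 501_500)]
MIXED = sorted(HOST_A + HOST_B)

# Constructed option bytes of a SYN: MSS 1460, NOP, NOP, Timestamp(TSval=1000000, TSecr=0)
SAMPLE_OPTIONS = (b"\x02\x04\x05\xb4" + b"\x01\x01"
                  + b"\x08\x0a" + struct.pack("!II", 1_000_000, 0))

if __name__ == "__main__":
    print("options:", parse_tcp_options(SAMPLE_OPTIONS))
    hz, zero = fit_timestamp_clock(HOST_A)
    print(f"host A ticks at {hz:.1f} Hz, clock zero at t={zero:.1f} s "
          f"-> uptime at last packet {HOST_A[-1][0] - zero:.1f} s")
    for i, host in enumerate(split_hosts_behind_nat(MIXED, hz)):
        print(f"host {i}: {len(host)} packets, clock zero at t={fit_timestamp_clock(host)[1]:.1f} s")
```

Run it on real traffic by feeding `parse_tcp_options` the option bytes of each TCP header from a capture together with the capture timestamp; with `net.ipv4.tcp_timestamps = 0` the sender emits no timestamp option at all, so `parse_tcp_options` returns `{}` and neither fit is possible.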

Netfilter's connection tracking helper modules increase the kernel's attack
surface by parsing application-layer protocols such as FTP, IRC or SIP inside
the kernel (!), and automatic helper assignment attaches such a parser to any
connection on the matching port.

Hence, this package disables this feature by shipping the
/etc/sysctl.d/nf_conntrack_helper.conf configuration file, which sets
net.netfilter.nf_conntrack_helper to 0. Note that this only turns off
automatic assignment (the kernel's own default since Linux 4.7); a rule set
can still attach a helper explicitly with the iptables CT target where one is
really required.
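
Both files only help if nothing applied later overrides them. systemd-sysctl reads `*.conf` from /usr/lib/sysctl.d, /run/sysctl.d and /etc/sysctl.d sorted by file name, a later name overriding an earlier one and, for the same name, /etc beating /usr/lib; Debian links /etc/sysctl.conf in as 99-sysctl.conf. A local file such as zz-local.conf that sorts after tcp_timestamps.conf therefore silently wins. The script below is an added check, not part of the package: it resolves the effective value the same way and compares it with /proc/sys. The directory tree it builds with make_demo_tree is constructed for the example; on a real system call check_key with /proc/sys, /usr/lib/sysctl.d and /etc/sysctl.d instead.

```shell
#!/bin/sh
# Added example, not shipped by security-misc: does the kernel run the values
# that tcp_timestamps.conf and nf_conntrack_helper.conf ask for?
# The functions resolve the effective sysctl.d value the way systemd-sysctl
# does (file-name order, later names win, later directories win for the same
# name) and compare it with /proc/sys. All paths are parameters so the check
# runs against a constructed tree (make_demo_tree) as well as the real system.

# value_in_file KEY FILE -> last value KEY is assigned in FILE (dotted keys only)
value_in_file() {
    awk -F= -v key="$1" '
        /^[[:space:]]*[#;]/ { next }                 # comment line
        NF >= 2 {
            k = $1; gsub(/[[:space:]]/, "", k)
            v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) val = v                     # later lines win
        }
        END { if (val != "") print val }' "$2"
}

# effective_value KEY DIR... -> value after applying every DIR/*.conf in
# file-name order; DIRs are given lowest precedence first (/usr/lib, /run, /etc)
effective_value() {
    key=$1; shift
    names=$(for d in "$@"; do
                for f in "$d"/*.conf; do [ -e "$f" ] && basename "$f"; done
            done | sort -u)
    result=""
    for n in $names; do                               # sysctl.d names carry no spaces
        file=""
        for d in "$@"; do [ -e "$d/$n" ] && file="$d/$n"; done
        v=$(value_in_file "$key" "$file")
        [ -n "$v" ] && result=$v
    done
    printf '%s\n' "$result"
}

# running_value KEY [PROCSYS] -> value the kernel currently uses ('' if unreadable)
running_value() {
    procsys=${2:-/proc/sys}
    path="$procsys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; fi
}

# check_key KEY EXPECTED PROCSYS DIR... -> 0 if config and kernel both give
# EXPECTED, 1 otherwise; prints a one-line verdict either way
check_key() {
    key=$1; expected=$2; procsys=$3; shift 3
    conf=$(effective_value "$key" "$@")
    live=$(running_value "$key" "$procsys")
    if [ "$conf" = "$expected" ] && [ "$live" = "$expected" ]; then
        echo "ok   $key = $expected"
        return 0
    fi
    echo "FAIL $key: expected $expected, sysctl.d resolves to '${conf:-unset}', kernel runs '${live:-unreadable}'"
    return 1
}

# make_demo_tree ROOT: constructed sysctl.d tree and fake /proc/sys for the demo
make_demo_tree() {
    mkdir -p "$1/usr/lib/sysctl.d" "$1/etc/sysctl.d" \
             "$1/proc/sys/net/ipv4" "$1/proc/sys/net/netfilter"
    # the two files security-misc ships
    echo "net.ipv4.tcp_timestamps = 0" > "$1/etc/sysctl.d/tcp_timestamps.conf"
    echo "net.netfilter.nf_conntrack_helper = 0" > "$1/etc/sysctl.d/nf_conntrack_helper.conf"
    # a vendor default that sorts earlier and therefore loses
    printf '# vendor default\nnet.ipv4.tcp_timestamps = 1\n' > "$1/usr/lib/sysctl.d/50-default.conf"
    # a local override that sorts later and therefore silently wins
    echo "net.ipv4.tcp_timestamps=1" > "$1/etc/sysctl.d/zz-local.conf"
    # what the pretend kernel is running
    echo 1 > "$1/proc/sys/net/ipv4/tcp_timestamps"
    echo 0 > "$1/proc/sys/net/netfilter/nf_conntrack_helper"
}

root=$(mktemp -d)
make_demo_tree "$root"
for key in net.ipv4.tcp_timestamps net.netfilter.nf_conntrack_helper; do
    check_key "$key" 0 "$root/proc/sys" "$root/usr/lib/sysctl.d" "$root/etc/sysctl.d" || true
done
rm -rf "$root"
```

On the constructed tree the conntrack line reports ok while the timestamp line reports FAIL, because zz-local.conf sorts after tcp_timestamps.conf and the fake kernel runs 1. Deleting the override makes the config resolve to 0, but the verdict stays FAIL until the kernel value is reloaded (`sysctl --system`).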
(This package description has been [automatically](https://github.com/Whonix/whonix-developer-meta-files/blob/master/debug-steps/packaging-helper-script) extracted and mirrored from `debian/control`.)
# Generic Readme #
## Readme Version ##
[Generic Readme](https://github.com/Whonix/whonix-developer-meta-files/blob/master/README_generic.md) Version 0.3
## Cooperating Anonymity Distributions ##
[Generic Readme](https://github.com/Whonix/whonix-developer-meta-files/blob/master/README_generic.md) begins here. Have a look into the `man` sub folder (if available).
The functionality of this package was once exclusively available in the [Whonix](https://www.whonix.org) ([github](https://github.com/Whonix/Whonix)) anonymity distribution.
Because multiple projects and individuals stated interest in various parts of Whonix's functionality (examples: [Qubes OS](http://qubes-os.org/trac) ([discussion](https://groups.google.com/forum/#!topic/qubes-devel/jxr89--oGs0)); [piratelinux](https://github.com/piratelinux) ([discussion](https://github.com/adrelanos/VPN-Firewall/commit/6147f0e606377f5a801e98daf22e24ba2c750a21#commitcomment-6360713))), and because it is best to share as much source code as possible and to share certain characteristics [(such as /etc/hostname etc.) among all anonymity distributions](https://mailman.boum.org/pipermail/tails-dev/2013-January/002457.html), Whonix has been split into [multiple separate packages](https://github.com/Whonix).
## Generic Packaging ##
Files in `etc/...` in root source folder will be installed to `/etc/...`, files in `usr/...` will be installed to `/usr/...` and so forth. This should make renaming, moving files around, packaging, etc. very simple. Packaging of most packages looks very similar.
## How to use outside of Debian or derivatives ##
Probably not very hard, thanks to the generic packaging, but it still requires developer skills. [Ports](https://en.wikipedia.org/wiki/Porting) welcome!
## How to Build deb Package ##
See comments below and [instructions](https://www.whonix.org/wiki/Dev/Build_Documentation/apparmor-profile-torbrowser).
* Replace `apparmor-profile-torbrowser` with the actual name of this package (equals the root source folder name of this package after you git cloned it).
* You only need [config-package-dev](https://packages.debian.org/wheezy/config-package-dev) when it is listed in the `Build-Depends:` field in `debian/control`.
* Many packages do not have signed git tags yet. You may request them if desired.
* We might later use a [documentation template](https://www.whonix.org/wiki/Template:Build_Documentation_Build_Package).
## How to install in Debian using apt-get ##
Binary packages are available in Whonix's APT repository. You are by no means required to use the binary version of this package. This might be interesting for users of Debian and derivatives. **Note that usage of this package outside of Whonix is untested and there is no maintainer who supports this use case.**
1\. Get [Whonix's Signing Key](https://www.whonix.org/wiki/Whonix_Signing_Key).
2\. Add Whonix's Signing Key to apt-key.
```
gpg --export 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA | sudo apt-key add -
```
3\. Add Whonix's APT repository.
```
echo "deb http://deb.whonix.org jessie main" | sudo tee /etc/apt/sources.list.d/whonix.list
```
4\. Update your package lists.
```
sudo apt-get update
```
5\. Install this package. Replace `package-name` with the actual name of this package.
```
sudo apt-get install package-name
```
## Cooperation ##
Most welcome. [Ports](https://en.wikipedia.org/wiki/Porting), distribution maintainers, developers, patches, forks, testers, comments, etc. all welcome.
## Contact ##
* Professional Support: https://www.whonix.org/wiki/Support#Professional_Support
* Free Forum Support: https://www.whonix.org/forum
* Github Issues
* twitter: https://twitter.com/Whonix
## Donate ##
* [Donate](https://www.whonix.org/wiki/Donate)