Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings - https://www.kicksecure.com/wiki/Security-misc
Patrick Schleizer 6195450eb2
No longer ignore duplicate apt sources in apt-get-wrapper.
No longer acceptable because these generate lots of noise in the terminal.
2017-02-27 23:57:04 +00:00
debian use python rather than unbuffer 2017-02-27 23:16:32 +00:00
etc Whonix 14 KDE plasma 5 fixes 2017-02-21 19:54:41 +00:00
usr No longer ignore duplicate apt sources in apt-get-wrapper. 2017-02-27 23:57:04 +00:00
changelog.upstream bumped changelog version 2017-02-27 02:04:00 +00:00
CONTRIBUTING.md initial commit 2015-12-15 02:00:24 +00:00
COPYING initial commit 2015-12-15 02:00:24 +00:00
GPLv3 initial commit 2015-12-15 02:00:24 +00:00
Makefile initial commit 2015-12-15 02:00:24 +00:00
README.md readme 2017-02-13 17:26:59 +00:00

enhances misc security settings

The following settings are changed:

  • deactivates previews in Dolphin;
  • deactivates previews in Nautilus;
  • deactivates TCP timestamps;
  • deactivates Netfilter's connection tracking helper.

TCP time stamps (RFC 1323) allow for tracking clock information with millisecond resolution. This may or may not allow an attacker to learn information about the system clock at such a resolution, depending on various issues such as network lag. This information is available to anyone who monitors the network somewhere between the attacked system and the destination server. It may allow an attacker to find out how long a given system has been running, and to distinguish several systems running behind NAT and using the same IP address. It might also allow one to look for clocks that match an expected value to find the public IP used by a user.

Hence, this package disables this feature by shipping the /etc/sysctl.d/tcp_timestamps.conf configuration file.

Note that TCP time stamps normally have some usefulness. They are needed for:

  • the TCP protection against wrapped sequence numbers; however, to trigger a wrap, one needs to send roughly 2^32 packets in one minute: as said in RFC 1700, "The current recommended default time to live (TTL) for the Internet Protocol (IP) [45,105] is 64". So, this probably won't be a practical problem in the context of Anonymity Distributions.

  • "Round-Trip Time Measurement", which is only useful when the user manages to saturate their connection. When using Anonymity Distributions, the limiting factor for transmission speed is probably rarely the capacity of the user's connection.

Netfilter's connection tracking helper module increases kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel (!).

Hence, this package disables this feature by shipping the /etc/sysctl.d/nf_conntrack_helper.conf configuration file.
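A way to check that both settings described above are actually in force, as an added example that is not part of this package: it reads a sysctl.d directory in sorted order, works out which value wins for each key, and compares that with what the running kernel reports. The key names net.ipv4.tcp_timestamps and net.netfilter.nf_conntrack_helper and both function names are assumptions; the page names only the configuration files.

```shell
#!/bin/sh
# Added example, not part of the package. Assumed key names (the page names
# only the files): net.ipv4.tcp_timestamps, net.netfilter.nf_conntrack_helper.

# effective_conf_value DIR KEY
# Value KEY ends up with after reading DIR/*.conf in sorted order, the last
# assignment winning. Simplification: one directory, no same-name masking.
effective_conf_value() (
    LC_ALL=C; export LC_ALL            # byte-wise glob ordering
    val=""
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        v=$(awk -v k="$2" '
            /^[ \t]*[#;]/ { next }                 # comment line
            {
                i = index($0, "="); if (i == 0) next
                name = substr($0, 1, i - 1); value = substr($0, i + 1)
                gsub(/[ \t]/, "", name)
                sub(/^-/, "", name)                # "-key": ignore-errors prefix
                gsub(/^[ \t]+|[ \t]+$/, "", value)
                if (name == k) v = value
            }
            END { print v }' "$f")
        if [ -n "$v" ]; then val=$v; fi
    done
    printf '%s\n' "$val"
)

# check_setting KEY WANT CONFDIR PROCROOT
# Prints "KEY STATE": unconfigured (no file sets the key), overridden (the
# winning file value is not WANT), absent (the kernel does not expose the
# key, e.g. its module is not loaded), drift (live value differs), or ok.
check_setting() {
    key=$1; want=$2
    conf=$(effective_conf_value "$3" "$key")
    path=$4/$(printf '%s' "$key" | tr . /)
    if [ -z "$conf" ]; then state=unconfigured
    elif [ "$conf" != "$want" ]; then state=overridden
    elif [ ! -r "$path" ]; then state=absent
    elif [ "$(cat "$path")" != "$want" ]; then state=drift
    else state=ok
    fi
    printf '%s %s\n' "$key" "$state"
}

# Audit the running system.
check_setting net.ipv4.tcp_timestamps 0 /etc/sysctl.d /proc/sys
check_setting net.netfilter.nf_conntrack_helper 0 /etc/sysctl.d /proc/sys
```

An "overridden" result means a file that sorts later in the directory sets the key back to a different value, which a check of the package's own file alone would not reveal.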

(This package description has been automatically extracted and mirrored from debian/control.)

Generic Readme

Readme Version

Generic Readme Version 0.3

Cooperating Anonymity Distributions

Generic Readme begins here. Have a look into the man sub folder (if available).

The functionality of this package was once exclusively available in the Whonix (github) anonymity distribution.

Because multiple projects and individuals have stated interest in various parts of Whonix's functionality (examples: Qubes OS (discussion); piratelinux (discussion)), and because it is best to share as much source code as possible and to share certain characteristics (such as /etc/hostname etc.) among all anonymity distributions, Whonix has been split into multiple separate packages.

Generic Packaging

Files in etc/... in root source folder will be installed to /etc/..., files in usr/... will be installed to /usr/... and so forth. This should make renaming, moving files around, packaging, etc. very simple. Packaging of most packages looks very similar.

How to use outside of Debian or derivatives

Thanks to generic packaging, this is probably not very hard. Still, it requires developer skills. Ports welcome!

How to Build deb Package

See comments below and instructions.

  • Replace apparmor-profile-torbrowser with the actual name of this package (this equals the root source folder name of this package after you have git cloned it).
  • You only need config-package-dev, when it is listed in the Build-Depends: field in debian/control.
  • Many packages do not have signed git tags yet. You may request them if desired.
  • We might later use a documentation template.

How to install in Debian using apt-get

Binary packages are available in Whonix's APT repository. You are by no means required to use the binary version of this package. This might be interesting for users of Debian and derivatives. Note that usage of this package outside of Whonix is untested and there is no maintainer that supports this use case.

1. Get Whonix's Signing Key.

2. Add Whonix's Signing Key to apt-key.

gpg --export 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA | sudo apt-key add -

3. Add Whonix's APT repository.

echo "deb http://deb.whonix.org jessie main" | sudo tee /etc/apt/sources.list.d/whonix.list

4. Update your package lists.

sudo apt-get update

5. Install this package. Replace package-name with the actual name of this package.

sudo apt-get install package-name

Cooperation

Most welcome. Ports, distribution maintainers, developers, patches, forks, testers, comments, etc. all welcome.

Contact

Donate