systemcheck attack surface reduction.

url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

Although systemcheck already has AppArmor and systemd hardening, some marginal security benefits are gained by reducing: the number of network connections, the amount of code running, and unnecessary functionality. This is not the default configuration, since that would come at the cost of decreased usability for the entire Kicksecure population.

Hardening Steps[edit] Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Systemcheck_Hardening?stableid=88084#Hardening_Steps Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Systemcheck_Hardening#Hardening_Steps|Hardening Steps]]
Copy as Wikitext Click = Copy Copied to clipboard! [Hardening Steps](https://www.kicksecure.com/wiki/Systemcheck_Hardening?stableid=88084#Hardening_Steps)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [Hardening Steps](https://www.kicksecure.com/wiki/Systemcheck_Hardening?stableid=88084#Hardening_Steps)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/Systemcheck_Hardening?stableid=88084#Hardening_Steps]Hardening Steps[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

Prevent Autostart[edit] Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Systemcheck_Hardening?stableid=88084#Prevent_Autostart Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Systemcheck_Hardening#Prevent_Autostart|Prevent Autostart]]
Copy as Wikitext Click = Copy Copied to clipboard! [Prevent Autostart](https://www.kicksecure.com/wiki/Systemcheck_Hardening?stableid=88084#Prevent_Autostart)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [Prevent Autostart](https://www.kicksecure.com/wiki/Systemcheck_Hardening?stableid=88084#Prevent_Autostart)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/Systemcheck_Hardening?stableid=88084#Prevent_Autostart]Prevent Autostart[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

To prevent systemcheck from automatically starting, run.

Click = Copy Copied to clipboard! sudo systemctl mask systemcheck

Prevent Kicksecure Warrant Canary Check and User Census Counting[edit] Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Systemcheck_Hardening?stableid=88084#Prevent_Kicksecure_Warrant_Canary_Check_and_User_Census_Counting Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Systemcheck_Hardening#Prevent_Kicksecure_Warrant_Canary_Check_and_User_Census_Counting|Prevent Kicksecure Warrant Canary Check and User Census Counting]]
Copy as Wikitext Click = Copy Copied to clipboard! [Prevent Kicksecure Warrant Canary Check and User Census Counting](https://www.kicksecure.com/wiki/Systemcheck_Hardening?stableid=88084#Prevent_Kicksecure_Warrant_Canary_Check_and_User_Census_Counting)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [Prevent Kicksecure Warrant Canary Check and User Census Counting](https://www.kicksecure.com/wiki/Systemcheck_Hardening?stableid=88084#Prevent_Kicksecure_Warrant_Canary_Check_and_User_Census_Counting)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/Systemcheck_Hardening?stableid=88084#Prevent_Kicksecure_Warrant_Canary_Check_and_User_Census_Counting]Prevent Kicksecure Warrant Canary Check and User Census Counting[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

Refer to the following systemcheck chapters:

Prevent Polluting TransPort[edit] Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Systemcheck_Hardening?stableid=88084#Prevent_Polluting_TransPort Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Systemcheck_Hardening#Prevent_Polluting_TransPort|Prevent Polluting TransPort]]
Copy as Wikitext Click = Copy Copied to clipboard! [Prevent Polluting TransPort](https://www.kicksecure.com/wiki/Systemcheck_Hardening?stableid=88084#Prevent_Polluting_TransPort)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [Prevent Polluting TransPort](https://www.kicksecure.com/wiki/Systemcheck_Hardening?stableid=88084#Prevent_Polluting_TransPort)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/Systemcheck_Hardening?stableid=88084#Prevent_Polluting_TransPort]Prevent Polluting TransPort[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

This is applicable to Whonix only, which is a derivative of Kicksecure.

This is only useful when running systemcheck --leak-tests. However, running this command with the Tor TransPort test disabled makes little sense; in that case it would be useful as a Tor SocksPort connectivity test.

Deactivate the TransPort Test for better Stream Isolation.

Open file /etc/systemcheck.d/50_user.conf in an editor with root rights.

See Open File with Root Rights for detailed instructions on why to use sudoedit for better security and how to use it.

Note: Mousepad (or the chosen text editor) must be closed before running the sudoedit command.

Click = Copy Copied to clipboard! sudoedit /etc/systemcheck.d/50_user.conf

NOTES:

When using Kicksecure-Qubes, this needs to be done inside the Template.

Click = Copy Copied to clipboard! sudoedit /etc/systemcheck.d/50_user.conf

After applying this change, shutdown the Template.
All App Qubes based on the Template need to be restarted if they were already running.
This is a general procedure required for Qubes and unspecific to Kicksecure for Qubes.

This is just an example. Other tools could achieve the same goal.
If this example does not work for you or if you are not using Kicksecure, please refer to this link.

Click = Copy Copied to clipboard! sudoedit /etc/systemcheck.d/50_user.conf

Add the following content.

Click = Copy Copied to clipboard! SYSTEMCHECK_DISABLE_TRANS_PORT_TEST="1"

Save.

Prevent Running APT[edit] Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Systemcheck_Hardening?stableid=88084#Prevent_Running_APT Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Systemcheck_Hardening#Prevent_Running_APT|Prevent Running APT]]
Copy as Wikitext Click = Copy Copied to clipboard! [Prevent Running APT](https://www.kicksecure.com/wiki/Systemcheck_Hardening?stableid=88084#Prevent_Running_APT)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [Prevent Running APT](https://www.kicksecure.com/wiki/Systemcheck_Hardening?stableid=88084#Prevent_Running_APT)
Copy as Markdown [url=https://www.kicksecure.com/wiki/Systemcheck_Hardening?stableid=88084#Prevent_Running_APT]Prevent Running APT[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

Complete these steps on both Kicksecure and Kicksecure.

This prevents the running of APT by systemcheck.

Open file /etc/systemcheck.d/50_user.conf in an editor with root rights.

See Open File with Root Rights for detailed instructions on why to use sudoedit for better security and how to use it.

Note: Mousepad (or the chosen text editor) must be closed before running the sudoedit command.

Click = Copy Copied to clipboard! sudoedit /etc/systemcheck.d/50_user.conf

NOTES:

When using Kicksecure-Qubes, this needs to be done inside the Template.

Click = Copy Copied to clipboard! sudoedit /etc/systemcheck.d/50_user.conf

After applying this change, shutdown the Template.
All App Qubes based on the Template need to be restarted if they were already running.
This is a general procedure required for Qubes and unspecific to Kicksecure for Qubes.

This is just an example. Other tools could achieve the same goal.
If this example does not work for you or if you are not using Kicksecure, please refer to this link.

Click = Copy Copied to clipboard! sudoedit /etc/systemcheck.d/50_user.conf

Add the following content.

Click = Copy Copied to clipboard! systemcheck_skip_functions+=" check_operating_system "

Prevent torproject.org Connections[edit] Copy or share this direct link! https://www.kicksecure.com/wiki/Systemcheck_Hardening?stableid=88084#Prevent_torproject.org_Connections Click below ↴ = Copy to Clipboard [[Systemcheck_Hardening#Prevent_torproject.org_Connections|Prevent torproject.org Connections]]
Copy as Wikitext [Prevent torproject.org Connections](https://www.kicksecure.com/wiki/Systemcheck_Hardening?stableid=88084#Prevent_torproject.org_Connections)
for Discourse, reddit, GitHub [Prevent torproject.org Connections](https://www.kicksecure.com/wiki/Systemcheck_Hardening?stableid=88084#Prevent_torproject.org_Connections)
Copy as Markdown [url=https://www.kicksecure.com/wiki/Systemcheck_Hardening?stableid=88084#Prevent_torproject.org_Connections]Prevent torproject.org Connections[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

Connections to The Tor Project are prevented by default, therefore no action is required.

systemcheck only connects to torproject.org if the command systemcheck --leak-tests is manually run.

Footnotes[edit] Copy or share this direct link! https://www.kicksecure.com/wiki/Systemcheck_Hardening?stableid=88084#Footnotes Click below ↴ = Copy to Clipboard [[Systemcheck_Hardening#Footnotes|Footnotes]]
Copy as Wikitext [Footnotes](https://www.kicksecure.com/wiki/Systemcheck_Hardening?stableid=88084#Footnotes)
for Discourse, reddit, GitHub [Footnotes](https://www.kicksecure.com/wiki/Systemcheck_Hardening?stableid=88084#Footnotes)
Copy as Markdown [url=https://www.kicksecure.com/wiki/Systemcheck_Hardening?stableid=88084#Footnotes]Footnotes[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

Kicksecure

A secure by default operating system with the latest security research in place.

Dark mode

Supported by Power Up Privacy

Kicksecure is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!

systemcheck Hardening

Contents

Kicksecure

Kicksecure for Qubes

Others and Alternatives

Kicksecure

Kicksecure for Qubes

Others and Alternatives

Navigation menu

systemcheck Hardening

Kicksecure

Kicksecure for Qubes

Others and Alternatives

Kicksecure

Kicksecure for Qubes

Others and Alternatives

Navigation menu

Search

Disable server cache for this browser

Debug vis URL