systemcheck Hardening
Donate
systemcheck attack surface reduction.
Rationale[edit]
Although systemcheck already has AppArmor and systemd hardening, some marginal security benefits are gained by reducing: the number of network connections, the amount of code running, and unnecessary functionality. This is not the default configuration, since that would come at the cost of decreased usability for the entire Kicksecure population.
Hardening Steps[edit]
Prevent Autostart[edit]
To prevent systemcheck from automatically starting, run.
sudo systemctl mask systemcheck
Prevent Kicksecure Warrant Canary Check and User Census Counting[edit]
Refer to the following systemcheck chapters:
Prevent Polluting TransPort[edit]
This is applicable to Whonix only, which is a derivative of Kicksecure.
- This is only useful when running
systemcheck --leak-tests. However, running this command with the TorTransPorttest disabled makes little sense; in that case it would be useful as a TorSocksPortconnectivity test.
Deactivate the TransPort Test for better
Stream Isolation
.
Open file /etc/systemcheck.d/50_user.conf in an editor with root rights.
Kicksecure
See
Open File with Root Rights
for detailed instructions on why to use sudoedit for better security and how to use it.
sudoedit /etc/systemcheck.d/50_user.conf
Kicksecure for Qubes
NOTES:
- When using Kicksecure-Qubes, this needs to be done inside the Template.
sudoedit /etc/systemcheck.d/50_user.conf
- After applying this change, shutdown the Template.
- All App Qubes based on the Template need to be restarted if they were already running.
- This is a general procedure required for Qubes and unspecific to Kicksecure for Qubes.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Kicksecure, please refer to this link.
sudoedit /etc/systemcheck.d/50_user.conf
Add the following content.
SYSTEMCHECK_DISABLE_TRANS_PORT_TEST="1"
Save.
Prevent Running APT[edit]
Complete these steps on both Kicksecure and Kicksecure.
This prevents the running of APT by systemcheck.
Open file /etc/systemcheck.d/50_user.conf in an editor with root rights.
Kicksecure
See
Open File with Root Rights
for detailed instructions on why to use sudoedit for better security and how to use it.
sudoedit /etc/systemcheck.d/50_user.conf
Kicksecure for Qubes
NOTES:
- When using Kicksecure-Qubes, this needs to be done inside the Template.
sudoedit /etc/systemcheck.d/50_user.conf
- After applying this change, shutdown the Template.
- All App Qubes based on the Template need to be restarted if they were already running.
- This is a general procedure required for Qubes and unspecific to Kicksecure for Qubes.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Kicksecure, please refer to this link.
sudoedit /etc/systemcheck.d/50_user.conf
Add the following content.
systemcheck_skip_functions+=" check_operating_system "
Prevent torproject.org Connections[edit]
Connections to The Tor Project are prevented by default, therefore no action is required.
systemcheck only connects to torproject.org if the command systemcheck --leak-tests is manually run.
Footnotes[edit]
A secure by default operating system with the latest security research in place.
At
Kicksecure we value freedom and trust, supporting Open Source and Freedom Software
2012-
2024 ENCRYPTED SUPPORT LP
We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!