Kicksecure - Security Focused Linux Distribution based on Debian - In Development - Feedback Wanted!

0brand · September 19, 2018, 1:53am

I believe this applies. (For now anyways).

jsmidt · September 19, 2018, 1:54am

PS. If there is a “sudo apt-get install hardened-debian” that does not depend on a specific desktop environment I will 100% test every test release you post. You are doing great work.

Patrick · September 19, 2018, 12:22pm

Thanks.

My only request is to not make what I believe is Whonix’s biggest mistake: making KDE packages as dependencies.

Maybe it’s just terminology. But. Whonix doesn’t depend on KDE. For now there is only non-qubes-whonix-(gateway|workstation)-kde meta package. It’s because Whonix for now is only available (released, build, maintained, supported) as KDE version. Whonix at the moment is a anonymity/security/privacy desktop operating system project focusing on VMs. The focus on anonymity/privacy (security to a lesser extend as well) doesn’t allow with such low resources (funding, core developers) to release/maintain/support multiple desktop desktop environments initially in the first versions (or ever). This might change in future. There will be:

non-qubes-whonix-(gateway|workstation)-cli
non-qubes-whonix-(gateway|workstation)-kde
non-qubes-whonix-(gateway|workstation)-xfce

Requests for gnome will still be custom (non-qubes-whonix-(gateway|workstation)-cli can help but up to user), and rejected by pointing at Other Desktop Environments - Whonix.

There is nothing about the fundamental concept of what Whonix is trying to accomplish that requires a specific GUI.

That’s true.

So why make Whonix depend on KDE packages?

If these dependencies did not exist people could use whatever desktop/debian distro they wanted then just “apt-get install whonix-gateway/workstation” and get all the benefit without all the baggage.

No. Parts of the desktop environment are directly related to the core functionalities for Whonix. For example it would be outrageous to release Whonix based on Ubuntu unity search lenses submitting search terms to amazon and others. That would be very much counter user expectations.

For example it required a ton to tame KDE for use with Whonix VMs with respect to privacy/security/RAM usage/CPU usage/usability - see partially also: anon-apps-config/usr/share/anon-apps-config at master · Whonix/anon-apps-config · GitHub

Said another way: how crazy would it be if the Tor maintainers made Gnome a dependency for the tor package? Or iptables depend on XFCE?

Not a valid comparison. Debian package tor is a console based local proxy interface connecting to the Tor network. Whonix is a graphical linux distribution focusing on VMs.

Anyway that was a long preface to say: This idea is awesome. Please do it. But given nothing about your list requires KDE, please do not make the same mistake of making unnecessary dependencies that drives a large fraction of users away.

Initially there will be most likely:

hardened-debian-cli (CLI only or desktop environment installation up to user but the desktop environment might do insecure things such as Ubuntu unity search lenses submitting search requests to amazon)
hardened-debian-kde

Likely later there will be also:

hardened-debian-xfce

Algernon · September 20, 2018, 9:49pm

Just in case you want to borrow some ideas:

https://www.ssi.gouv.fr/en/actualite/clip-os-open-source-secured-operating-system/
https://docs.clip-os.org/
https://docs.clip-os.org/clipos/security.html

HulaHoop · September 21, 2018, 12:11am

Nice find. Gives insight as to what an advanced intel agency’s COMSEC idea of a secure OS looks like. Though surprisingly they choose IPsec over OpenVPN and decide to go bare-backing SSH without something like Tor.

9jnc7 · September 21, 2018, 9:37am

Yes, I think it’s a good idea.

I don’t like the state of information available for hardening Debian. (Official) Resources are obsolete and blog articles are usually recipes with no background . Whonix wiki seems to be the only thing that’s relevant for general advice. Good job everyone!

More restrictive Umask settings
A metapackage to remove bloat and insecure packages [?]
Non-permissive iptables settings [?] :would probably be wonky since use cases would be juggled between vanilla debian and Whonix, though
More aggressive service disables in systemd[?]
Make new services disabled-by-default instead of enabled-on-install

mig5 · September 22, 2018, 8:47pm

A great idea - some of it might be of interest to Tails team too?

awsoo · September 30, 2018, 9:28am

Great project.
It will be good if it will use Pandora. Pandora automatically overwrites the RAM when the system is shutting down.

Also a good idea is to onionize souces.list and use Tor for updates. Maybe to use Anon Connection Wizard in case someone need to use proxy before Tor

jsmidt · October 4, 2018, 10:48pm

Speaking of keeping dependencies down, if you could limit the dependencies to only what is necessary I will help you port the packages to Ubuntu. I started doing this for Whonix packages a couple years ago but there was enough differences in the Ubuntu/Debian KDE versions and dependancies that it became impossible so I dropped it. But I think if you stuck to minimal dependancies this will be much easier.

That would open up a whole new user base.

Patrick · October 5, 2018, 8:53am

Dependencies for individual packages are minimal. Necessary stuff only.
Could you please have a look at some packages and let me know if
dependencies are non-minimal?

Many years ago (maybe up to Whonix 7 or so) there were no separate
packages but only packages like whonix-shared, whonix-gateway and
whonix-workstation with all files but that has long been deprecated in
favor of separate packages.

GitHub - Kicksecure/sdwdate: Secure Distributed Web Date; privacy, anonymity and Tor friendly; console time fetcher and daemon; optional graphical user interface etc. Website: https://www.kicksecure.com/wiki/sdwdate
GitHub - Kicksecure/security-misc: Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings - https://www.kicksecure.com/wiki/Security-misc

0brand · March 25, 2019, 12:52am

Hardened Debian would make a great introduction to Linux for Windows users who might want to try Linux out for the first time. Much of the documentation from the proposed "whonix-can-become-a-distribution-targeting-first-time-linux-users" project could be used for this. Maybe even combine the two projects for maximum usefulness? I think that would be very reasonable with some community contributions.

Patrick · March 31, 2019, 10:41am

We can’t call it Hardened Debian.
As per Debian -- Debian Trademarks a new name as to be found.

Use the Debian trademarks in their exact form, neither abbreviated or hyphenated, nor combined with any other word or words.

A new project name has to be found.

It shouldn’t imply anonymity anything.
We shouldn’t be watering down the Whonix brand by calling it WhonixClearnet or something. (That name would be a contradiction too.)

Suggestions?

2-unglaubig · April 1, 2019, 5:08am

Very true indeed no diluting the hard (pun unintended) earned recogniztion allowed.

There is always that pre-existing notion in many users mind when they encounter the term “hardened” . Clearly the efforts often stray towards the notion with a “kernel” centric focus.

I am pretty sure Whonix efforts continue to encompass more.
The first word or English adjective that came to mind was “enhanced”

Perhaps to add to the consideration, the other words include
terms such as fortified, or reinforced.

Would you smile if I think out aloud with Whonix Steel / Whonix Stahl or even Whonix Stalo (in Esperanto)

Cheers !

0brand · April 1, 2019, 10:22am

I like that. Maybe someone could come up with a good acronym. For example:

SecLix

Security Enhanced Linux Distribution

(Brought to you by the developers of Whonix)

I’m smiling

One possible issue is that might imply a “Steel anonymity distribution” . I think Whonix should be mentioned but maybe not in the actual name.

Patrick · April 3, 2019, 6:49am

That’s a good idea. However both examples have google results already.

2-unglaubig · April 4, 2019, 12:00pm

@0brand Wow SecLix that name when said real quick sounds cheeky LOL
@Patrick - WOW… indeed its high time we make SEO work to our benefit

BTW… I was wondering if you and your entourage have already ideas on this effort become a darling template in Qubes as well. (No No but not as a HVM puhleese) Am I dreaming…? pinch me

0brand · April 4, 2019, 9:24pm

How about HaLos. Hardened Linux Operating System

Pronounce Hay-Low. The “s” is silent.

Patrick · April 5, 2019, 11:07am

The thing is, can we get to google rank 1 after a while? I see halos already being used for other things.

tempest · April 5, 2019, 11:34am

VigorOS? as in Vigorous Definition & Meaning | Dictionary.com

nurmagoz · April 22, 2019, 3:42am

Thats just wont happen for new comers to GNU/Linux. its self contradictory statement because Windows is for noobs when they come to Debian needs alot of changes and when there is “Hardened Debian” thats requires even more.

But if hardened debian going to be so idiotic one based on newbies configurations just like Ubuntu then no need the headache , freshly minimized Debian way much better in this case. (and most likely wont be considered hardened anyway…)