To get right to it, I distro-morphed a bare metal Debian Buster, using XFCE. It is an Intel computer. I purged libreoffice, Firefox, and their leftover dependencies. No other packages were removed.
Installed kicksecure packages and metapackages (not hardened kernel or standalone additions like tirdad)
Networking broke after installing kicksecure-packages-dependencies-pre and kicksecure-network-conf. Was met with “no route” errors and NetworkManager could not recognize a connection. Recovered easily after rollback and restart.
apparmor-profile-everything broke lightdm.service and I could not boot into XFCE. The problem is caused by apparmor profile user.lib.xorg.Xorg. I had to remove it from the apparmor.d directory, because aa-disable and aa-complain gave errors when I tried to use them. Those errors mentioned init-systemd in /etc/apparmor.d/
Another issue was when I tried to remove the apparmor-profile-everything package, I found that it needs a file it just deleted to finish uninstalling. “problem executing scripts dpkg::Post-Invoke '/usr/lib/apparmor-profile-everything/grub-cfg: not found Sub-process returned an error code”
Otherwise, everything seems good. I’m not done yet and I can probably follow up later as I make more progress.
Thank you for this project! Very good work!
apparmor-profile-everything is still in development. It shouldn’t actually be used yet.
Those aren’t meant to be allowed. If the attacker can just unload the MAC policy, it’d be useless.
There are boot parameters you can use to disable it properly.
Thanks for the reply. It’s hard for me to know the status of different packages. Information is not very centralized here.
Distro-morphing might become unsupported after a Kicksecure ISO becomes available. There’s too much state on a user system that can lead to issues.
GitHub - Kicksecure/apparmor-profile-everything: AppArmor for everything. APT, systemd, init, all systemd units, all applications. Mandatory Access Control. Security Hardening.
Readme indeed doesn’t make it clear that it’s not stable yet. Stay tuned.
Until that improves, here’s the general rule:
- Packages that are installed by default are considered to cause as little trouble as possible.
- Packages that require manual installation are more likely to cause issues.
- The more ready a package gets, the more documentation will be added to the wiki and we’ll be posting a testers-wanted blog post.
Good idea. I changed some things before adding the repository on a previous attempt, and it led to conflicts.
Thanks for the tip, but I installed this knowing Kicksecure isn’t ready for production. That’s why I reported my experience.
We had to include dhcpcanon and revert static IPs for networking to work. Not sure you have this package in your install.