Confined Services

Hi everyone! Just a question: is AppArmor sufficient to confine services such as OpenVPN or Tor? What if I implement systemd to add another layer of security? As an example:

```
# This service is actually a systemd target,
# but we are using a service since targets cannot be reloaded.

[Unit]
Description=OpenVPN service
After=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
WorkingDirectory=/etc/openvpn
########################
ProtectSystem=strict
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectHostname=true
ProtectClock=true
ProtectProc=invisible
ProcSubset=pid
PrivateTmp=true
PrivateUsers=true
PrivateIPC=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
LockPersonality=true
RestrictRealtime=true
#RestrictSUIDSGID=true
#RestrictAddressFamilies=AF_INET
RestrictNamespaces=true
#SystemCallFilter=read openat close brk fstat lseek mmap mprotect munmap rt_sigaction rt_sigprocmask ioctl nanosleep select access execve getuid arch_prctl set>
SystemCallArchitectures=native
UMask=0077

[Install]
WantedBy=multi-user.target
```
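An added example (not code from the thread or from Kicksecure): a small Python audit of a unit file like the one posted above, reporting which sandboxing directives are active, which are commented out, and whether the unit's only `ExecStart` is a no-op such as `/bin/true`. systemd applies `[Service]` sandboxing to the processes that unit itself starts, so settings on a no-op unit do not confine a daemon launched from a different unit. The sample unit is trimmed from the post; `audit_unit`, the directive list and the other names are assumptions of this example.

```python
# Added example: audit which sandbox directives in a unit file are in effect.
# SAMPLE_UNIT is constructed, trimmed from the unit posted above.
SAMPLE_UNIT = """\
[Unit]
Description=OpenVPN service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ProtectSystem=strict
PrivateUsers=true
NoNewPrivileges=true
#RestrictSUIDSGID=true
#RestrictAddressFamilies=AF_INET
SystemCallArchitectures=native
"""

# Assumption: this prefix/name list is this example's own, not an official one.
SANDBOX_PREFIXES = ("Protect", "Private", "Restrict", "SystemCall")
SANDBOX_EXACT = {"NoNewPrivileges", "MemoryDenyWriteExecute",
                 "LockPersonality", "ProcSubset", "UMask"}
NOOP_CMDS = {"/bin/true", "/usr/bin/true"}


def audit_unit(text):
    """Return active/disabled sandbox keys and whether ExecStart is only a no-op."""
    active, disabled, cmds, section = {}, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        commented = line.startswith(("#", ";"))
        key, _, value = line.lstrip("#; ").partition("=")
        key, value = key.strip(), value.strip()
        if key == "ExecStart" and not commented:
            argv = value.lstrip("-@+!:").split()  # drop systemd exec prefixes
            cmds.extend(argv[:1])
        elif key.startswith(SANDBOX_PREFIXES) or key in SANDBOX_EXACT:
            if commented:
                disabled.append(key)
            else:
                active[key] = value
    # The [Service] sandbox applies to the processes this unit itself starts.
    noop_only = bool(cmds) and all(c in NOOP_CMDS for c in cmds)
    return {"active": active, "disabled": disabled, "noop_only": noop_only}
```

On a live system, `systemd-analyze security <unit>` gives systemd's own exposure assessment of the loaded unit.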

Using both AppArmor and (systemd) sandboxing is better. But:

Thanks! I’m new to using Kicksecure and I am exposed to continuous attacks. In any case, the attacker unloads the network modules and then reloads these modules. I don’t know how they did it. But after hardening Network Manager and openvpn, it was impossible to unload modules. Do you know what the common method used to hack Debian and unload modules is? Because it is always the same: the wifi module or internet is lost. I think maybe they send commands to the browser using BeEF or something else. I can send logs if you need.

Unlikely. See:

I am not aware of any such common attack, nor would that make sense for an attacker to do.

This can have a ton of reasons of which many are not malicious. Software bugs exist.

Off-topic for Whonix.

And even for Kicksecure, this needs to be resolved as per:

Kicksecure does not touch that stuff. Hence, generic bug reproduction required as per:

Bug Reports, Software Development, and Feature Requests chapter Generic Bug Reproduction in Kicksecure wiki
