[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

Document Hardened Debian setup

Since hardened Debian is in the works its a good time to start thinking about what we want to accomplish when documenting setup. This OS will appeal to a larger subset of users (entry level - developers) so it would be a good idea to first document VirtualBox since it has some advantages over bare metal install or KVM for our first time linux users.

  • VirtaulBox is cross platform.
  • VirtualBox is easier to use than KVM for new linux user.
  • Does not require install on a USB, HDD or dual booting. For many users that only want to try linux out, this is a deal breaker.
  • Many (but not all) mistakes that are made in a VM do not have the consequences that they would on bare metal. This invites users to experiment and try out new things that they would have tried otherwise.
  • Anything else?

One of the possible problems that could come about is users thinking hardened Debian provides anonymity. For example, Whonix is known for anonymity but a new user that is not paying attention might setup the hardened debian think they are safe. Or someone that uses English as a second language might not notice the warnings. It might be a good idea to separate the two project as much as possible in the wiki.

Would it be a good idea or even feasible or to create a separate sub-forum for hardened debian?

If anyone has feedback on this project it would be great to hear.

1 Like

Just now written.

The hardened Debian Linux documentation could include Cli “Tips” all throughout the tutorials.

Example

When you want to cd down to the next lowest directory you can use a dash - instead of an absolute file path. For long paths/directory names, this is a big time saver.

Using an absolute path.

user@host:~/files/new_files$ cd ~/files/
user@host:~/files$

Using an dash -

user@host:~/files/new_files$ cd -
user@host:~/files$

Templates could be made for each Tip and used in other parts of the wiki. Maybe we could build the template so a user could hover their mouse pointer over “Tip” to see the content? That way the Template wouldn’t be intrusive. (We don’t want to force feed them info.)

We shouldn’t assume anything is common knowledge when it comes to Linux beginners. For example, maybe not everyone will know they can hit “Tab” for Cli autocomplete.

1 Like

The template could include a link to the learning area that corresponds to the command the tip was referencing. So, the tip example @sys_whonix showed us could have a link to the learning area that teaches users about the cd command.

1 Like

For the Hardened Debian documentation a decision would have to be made on the initial host to use; either Windows or Linux. Since new to Linux users are targeted (along with advanced users) it might be a good idea to start with Windows?

I fresh installed Whonix on a Windows host a short time ago to see what it was like. (Its been a while) The first thing i noticed was the verify the VMs in Windows tutorial was confusing. Keep in mind i intentionally followed only the instructions as they were written. There were a few reason for this confusion.

  • I had to keep jumping around to different 3rd party websites to get all the information I needed.
  • The 3rd party websites did not have good documentation like Whonix.org. We provide intuitive step by step tutorials for our community.
  • Had to keep jumping to different wiki pages to get all the keys, signatures etc.

If Hardended Debian is to target beginners we can do better than this. The great thing about new documentation is templates can be made, which can then be used to enhance other areas of our documentation. For example, if template variables were used for “Verify the Hardended Debian image in Windows” page. They could also be used to fix the “Verify Whonix in Windows” page. While Hardened Debian would be the focus, this is definitely doable.

Please note: The focus of this thread is Document Installation and Setup of the New Security-focused Hardened Debian Linux Distribution. In the context of:

Any feedback that a technical writer could use to move this project forward is very welcome.

1 Like

Yes.

(If we could just find someone taking over https://www.whonix.org/wiki/Dev/Building_the_Whonix-Installer_for_Windows [and modify for hardened debian] - then things would be even simpler.)

I keep wondering if that makes sense anyhow. Specifically for Windows users who are accustomed to download software from arbitrary google searches.

That’s great!

Can I give it a go? How difficult would it be to modify for Hardened Debian? If you could point me in the right direction. :slight_smile:

I’ll try the Windows Build first and let you know how it goes.

1 Like

Just now reworked Whonix Windows installer a bit. The repository seems in great shape. Please see Windows Installer.

If you want to skip building the Whonix.exe which is the user interface (start and stop Whonix buttons) then a dummy file (some exe or arbitrary file renamed to Whonix.exe should do.

(It’s not the job of the installer of vetting the Whonix.exe file. Therefore any file existing with that name satisfies it for testing purposes.)
(Dunno if your Windows version nowadays allows easily to change the file extension or if it is nowadays showing file extensions or not.)

In theory it looks easy. See my last two commits to https://github.com/Whonix/Whonix-Windows-Installer where I ported to unified ova and dropped x86 support.

I guess I could easily create the hardened debian windows installer (presupposes new builds of hardened debian and new name which should also be very doable). Rather than unregistervm gateway and workstation, just hardened debian. And whenever a file of string contains Whonix rename that too. Perhaps no UI for hardened debian since just a single VM for now?

Not sure if it builds. Chances are good. Instructions look very doable but kinda daunting to set up a build environment and actually sit down to do it.

1 Like

Hi everyone,

I wanted to let everyone know of my intentions to an apply for GSoD 2019 as an technical writer. As you I’m sure you already know, I’m very interested in Hardened Debian for first time Linux users. The first thing I want to do is dispel a few incorrect assumptions that seem to be circulating about this project.

  • This project is not a watered down version of Hardened Debian. While this documentation is focused on first time Linux users I plan on keeping the educational areas on pages separate from the core documentation. In essence, Hardened Debian can be thought of as two separate projects rolled into one. Keep in mind this documentation must be kept separate from the current Whonix docs. Why? Confusing Hardened Debian for Whonix could be a distaste for someone who requires anonymity.

The first thing that must be completed is the Core documentation. For the most part, this will be like the Whonix core documentation. There will be a few differences.

  • Documentation will be formated using a book like structure like Tails OS. See https://tails.boum.org/doc/index.en.html

  • Documentation will be more user friendly. Take a look at both https://www.qubes-os.org/getting-started and https://www.qubes-os.org/news/2017/06/27/qubes-admin-api/ . What do you notice right from the start? This was written as though the writer was talking directly to you. While both Andrew David Wong (the person who wrote and maintains much of the Qubes docs) and Joanna Rrutkowska (Qubes founder) are capable of writing very high level tech documentation, they chose to use simple terminology and give the documentation more humanistic qualities.

    Why write documentation like this? Think about this for now, and I’ll be creating a few polls in the coming days to get some feedback on how you (the community) would like the docs for this project written. For more on this subject; see Aral Balkan: Superheroes & Villains in Design https://vimeo.com/70030549)

Core documentation will include:

Note: there will be no learning areas in the core documentation! There will only be navigation aids to learning areas along with the required knowledge for the specific tutorial. Oh, and a few small “tip” templates here and there.)

  • Overview for first time users
  • Hardware requirements
  • Design and goals
  • Features and advantages
  • FAQs
  • Download, verify, and installation
  • First steps
  • Troubleshooting (known issues)
  • What core documentation do would you like to see included for this GSoD project?

Next is documentation for educating new Linux users so they can stand on their own two feet when using Linux:

Teaching new Linux users is not about writing a few man pages and calling it an educational area. The only way users will learn is by immersing them in ClI right from the start. However, @onion_knight night was right when he/she said this has been done thousands and thousands of time before. So lets do something different. (Something that will actually work).

  • man pages: Why should we have a man page section in our documentation? New users know absolutely nothing about terminals/Cli. If the information they need isn’t easy to find or accessible they will end up opening a support request without even trying to find an solution.

    This section will document commonly used commands and practical command syntax. Each man will give a brief outline of the command, how to use it along with practical examples. It takes a while for users to remember the commands they have to use for different tasks. Through repetition they will remember how to use each one over time.

  • Problem solving: Capable/experienced Linux users have good problem solving skills that they acquire over time. When a problem arises they automatically start searching for a solution, and keep searching until they find an answer or all possible resources have been exhausted. When a new Linux user encounters a problem they automatically open a support request. So, its vital that we encourage – through well written documentation and forum policy – good practices from the very beginning.

    • Practical problem solving: This will be a tutorial based on troubleshooting best practices. Similar to the Free support principle but this is detailed step by step instructions.

    • Monitoring log files: Location of system logs (what each one is used for) and commands needed to narrow down the Cli output. (journalctl, dmesg etc…)

    • systemd: status, starting and stopping services.

    • Troubleshooting: Connection issues, broken software packages etc.

    • Creating backups

    • What would you like to see included in the educational section?

Very detailed guidelines will be written for bug and/or issues reporting. Keep in mind this will be different from https://whonix.org/wiki/FAQ#Reporting_Guidelines. This will be similar to https://www.qubes-os.org/doc/reporting-bugs/ (Simple human friendly language but very detailed).

To make it easier for the community members providing forum support, templates will be made which can be used when community members do not follow forum best practices.

  • Duplicate topic: Please follow the guidelines before creating new threads. (with link to forum best practices)
  • Off topic: Please follow the guidleines when when contributing to forum discussions. (with link to forum best practices)
  • etc…

Bear in mind that my commitment to the Hardened Debian doc does not end at the completion of GSoD. I plan on maintaining/enhancing the documentation afterwards. So we can afford to try some experimenting with in areas such as formatting and writing style. If the docs need to be changes after the project ends, I’m more than happy to do that. :slight_smile:

Feedback is very much appreciated!

1 Like

I’ve been researching ideas on best uses cases of screenshots. (when to use them and when not to). For Hardened Debian we are going to limit them to areas that are difficult to explain and or understand. I going to use Thunderbird tutorial as an example.

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Encrypted_Email_with_Thunderbird_and_Enigmail

This tutorial is very long and could be extremely confusing. The use of screen shots decreases difficulty and confusion in the areas that most users would struggle. tempest only uses them in places where they are really needed.

On the other hand, looking at Tor Browser without Tor tutorial

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Tor_Browser_without_Tor

0brand used 3 screenshots but only 1 really added any value to the tutorial. Step 2, Disable socks network DNS ; could be a little confusing to users so this would be good use of a screenshot. All of the other ones could be removed (don’t really help the user)

Didn’t end up working out.

0brand via Whonix Forum:

Didn’t end up working out.

What about the regular Whonix Windows Installer? If that is working,
would be doable for me to modify Whonix Windows Installer for Hardened
Debian most likely.

If you want to skip building the Whonix.exe which is the user interface (start and stop Whonix buttons) then a dummy file (some exe or arbitrary file renamed to Whonix.exe should do.

(Dunno if your Windows version nowadays allows easily to change the file extension or if it is nowadays showing file extensions or not.)

No problesm with this on Windows 10

“7za.exe” which you may obtain under “7-Zip 16.04 Extra”

I’ve been using this file: 7z1604.exe but the installer throws an file not recognized error. I tried the other .exe file under 7-Zip 16.04 Extra and was getting the same error.

The Windows installer build finishes, but obviously it won’t execute.

//cc @Patrick

1 Like

0brand via Whonix Forum:

“7za.exe” which you may obtain under “7-Zip 16.04 Extra”

I’ve been using this file: 7z1604.exe but the installer throws an file not recognized error. I tried the other .exe file under 7-Zip 16.04 Extra and was getting the same error.

7z1604.exe is probably an exe based installer. Instead we probably
need 7za.exe

Could you please try to download 7z1900-extra.7z (or earlier version
if it does not work but I guess it will work), extract it, which
contains 7za.exe and try that?

7-Zip Extra: standalone console version, 7z DLL, Plugin for Far Manager

[ Btw 7z920_extra.7z ("7-Zip Extra: 7z Library, SFXs for installers, Plugin for Fare Manager") might include 7zSD.sfx after extraction. ]

Building the Whonix installer went off without a hitch.

After building, I ran Install Whonix.exe and everything went well up until the end when I clicked on “Finish” and I received the following error:

Unable to execute file:
C:\Program Files\Whonix\Whonix.exe

CreateProcesses failed; code 193.
1% is not a valid Win32 application

I haven’t dug into it, but it looks like an easy issue to fix.(likely a local issue). Should have this finished up tomorrow.

https://support.microsoft.com/en-us/help/812486/event-id-7000-and-1-is-not-a-valid-win32-application-error-message-whe

1 Like

Awesome progress! That’s a big step!

How did you get Whonix.exe? Did you create it as per?

No, used a dummy Whonix.exe file. That should have finished even with using a dummy file. Or maybe not?

1 Like

Looks like at the end of the installer it starts Whonix.exe and if that’s just a dummy it would fail in that way. If you replaced dummy Whonix.exe with a “better dummy” (any standalone exe) then likely this issue wouldn’t happen, I speculate.

1 Like

I went ahead and created the Whonix.exe as per: https://whonix.org/wiki/Dev/Building_Whonix-UI_for_Windows. It was fairly easy.

1>------ Build started: Project: Whonix-UI, Configuration: Debug Any CPU ------
1>  Whonix-UI -> C:\Users\admin\Downloads\For-trash\Whonix-Windows-UI-master\Whonix-UI\bin\Debug\Whonix.exe
========== Build: 1 succeeded, 0 failed, 0 up-to-date, 0 skipped ==========

Building the Whonix installer went well as expected.

C:\Users\user\Documents\whonix-installer-zips>MakeInstaller.bat
C:\Users\user\Documents\whonix-installer-zips>where /f /r c:\ iscc.exe  1>location.txt
Inno Setup Command-Line Compiler
Copyright (C) 1997-2019 Jordan Russell. All rights reserved.
Portions Copyright (C) 2000-2019 Martijn Laan
Inno Setup Preprocessor
Copyright (C) 2001-2004 Alex Yackimoff. All rights reserved.
Compiler engine version: Inno Setup 6.0.2 (u)
[ISPP] Preprocessing.
[ISPP] Preprocessed.
Parsing [Setup] section, line 6
Parsing [Setup] section, line 7
Parsing [Setup] section, line 8
Parsing [Setup] section, line 9
Parsing [Setup] section, line 10
Parsing [Setup] section, line 11
Parsing [Setup] section, line 12
Parsing [Setup] section, line 13
Parsing [Setup] section, line 14
Parsing [Setup] section, line 15
Parsing [Setup] section, line 16
Parsing [Setup] section, line 17
Parsing [Setup] section, line 18
Reading file (LicenseFile)
Reading file (WizardImageFile)
   File: c:\Program Files (x86)\Inno Setup 6\WIZMODERNIMAGE.BMP
Reading file (WizardSmallImageFile)
   File: c:\Program Files (x86)\Inno Setup 6\WIZMODERNSMALLIMAGE.BMP
Preparing Setup program executable
   Updating icons (SETUP.E32)
Determining language code pages
   File: c:\Program Files (x86)\Inno Setup 6\Default.isl
   Messages in script file
Reading default messages from Default.isl
Parsing [LangOptions], [Messages], and [CustomMessages] sections
   File: c:\Program Files (x86)\Inno Setup 6\Default.isl
   Messages in script file
Reading [Code] section
Parsing [Icons] section, line 36
Parsing [Icons] section, line 38
Parsing [Icons] section, line 40
Parsing [UninstallDelete] section, line 51
Parsing [UninstallDelete] section, line 53
Parsing [UninstallDelete] section, line 55
Parsing [Run] section, line 27
Parsing [Run] section, line 29
Parsing [Run] section, line 31
Parsing [Run] section, line 33
Parsing [UninstallRun] section, line 44
Parsing [UninstallRun] section, line 46
Parsing [UninstallRun] section, line 48
Parsing [Files] section, line 21
   Reading version info: C:\Users\user\Documents\whonix-installer-zips\virtualbox_x64.msi
Parsing [Files] section, line 22
   Reading version info: C:\Users\user\Documents\whonix-installer-zips\common.cab
Parsing [Files] section, line 23
   Reading version info: C:\Users\user\Documents\whonix-installer-zips\Whonix.exe
Parsing [Files] section, line 24
   Reading version info: C:\Users\user\Documents\whonix-installer-zips\whonix.ova
Deleting InstallWhonix.exe from output directory
Deleting InstallWhonix-1.bin from output directory
Creating setup files
   Updating icons (SETUP.EXE)
   Compressing Setup program executable
   Compressing: C:\Users\user\Documents\whonix-installer-zips\virtualbox_x64.msi
   Compressing: C:\Users\user\Documents\whonix-installer-zips\common.cab
   Compressing: C:\Users\user\Documents\whonix-installer-zips\Whonix.exe   (1.0.0.0)
   Compressing: C:\Users\user\Documents\whonix-installer-zips\whonix.ova
   Updating version info
Warning: Constant "pf" has been renamed. Use "commonpf" instead or consider using its "auto" form.
Successful compile (290.469 sec). Resulting Setup program filename is:
C:\Users\user\Documents\whonix-installer-zips\Output\InstallWhonix.exe
7-Zip (a) [32] 16.04 : Copyright (c) 1999-2016 Igor Pavlov : 2016-10-04
Open archive: Installer.7z
--
Path = Installer.7z
Type = 7z
Physical Size = 1749901497
Headers Size = 233
Method = LZMA2:24 BCJ
Solid = -
Blocks = 2
Scanning the drive:
1 folder, 2 files, 1757503469 bytes (1677 MiB)
Updating archive: Installer.7z
Items to compress: 3

Files read from disk: 2
Archive size: 1749898598 bytes (1669 MiB)
Everything is Ok
7zSD.sfx
config.txt
Installer.7z
        1 file(s) copied.

I executed Install Whonix.exe from the terminal but don’t have any output. It was executed from the GUI for some reason. Regardless, there were zero problems. Everything extracted as it should and the Whonix VMs started right away. :slight_smile:

C:\Users\user\Documents\whonix-installer-zips>"Install Whonix.exe"

Actually there was one very minor issue. When extracting the files the GUI shows 13.0.0.1.4 as the Whonix version. (I’m not referring to the Whonix.ova images though) I believe this can be fixed by updating the source files?

1 Like

Very likely yes.

Merged.