[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [Priority Support]

Hardened Debian - Security Focused Linux Distribution based on Debian - In Development - Feedback Wanted!

hardened-debian

#1

scope:

  • will be initially released for VMs (VirtualBox, Qubes, maybe KVM)
  • “sudo apt-get install hardened-debian-cli” will be possible on bare metal Debian hosts, in other words installations of Debian can be easily converted into Hardened Debian by installing the hardened-debian-cli or other hardened debian package
  • maybe later available as ISO for installation on hardware depending on community interest and support

hardening by default in Hardened Debian version 1:

  • install haveged by default for better entropy
  • sdwdate rather than insecure NTP
  • security-misc (deactivates previews in Dolphin; deactivates previews in Nautilus; deactivates TCP timestamps; deactivates Netfilter’s connection tracking helper;)
  • open-link-confirmation
  • enable apparmor by default
  • available apparmor profiles
  • hopefully spectre / meltdown resistant by default

hardening by default in Hardened Debian version 2:

hardening by default in Hardened Debian version 3:

usability by default:

desktop environment:

initially will be available most likely for:

  • CLI only (console only, no desktop environment)
  • KDE

Later on likely for:

  • XFCE

vision:

  • computer security community is larger than computer anonymity community - we can work on a shared interest that is security
  • we apply as many security settings by default
  • we apply as much as default from System Hardening Checklist
  • Hardened Debian will be the base for Whonix (Whonix is applying most of above already anyhow)

development status of version 1:

temporary homepage:

About me:
I am the founder and a maintainer of the Debian Linux and Tor based Whonix - Anonymous Operating System.

Questions:

Are you interested in Hardened Debian? What do you think? What would you like to see? Any suggestions?


#2

Very interesting. Please consider Gnome instead or in addition to KDE.


#3

I think this is a great idea. Please do it.

My only request is to not make what I believe is Whonix’s biggest mistake: making KDE packages as dependencies. There is nothing about the fundamental concept of what Whonix is trying to accomplish that requires a specific GUI. So why make Whonix depend on KDE packages? If these dependencies did not exist people could use whatever desktop/debian distro they wanted then just “apt-get install whonix-gateway/workstation” and get all the benefit without all the baggage.

Said another way: how crazy would it be if the Tor maintainers made Gnome a dependency for the tor package? Or iptables depend on XFCE? Nothing about their concepts require such dependencies and so people of all desktops can enjoy them. Unfortunately Whonix does require such dependencies and so it’s impossible to use unless you adopt a very specific and unnecessary setup.

Anyway that was a long preface to say: This idea is awesome. Please do it. But given nothing about your list requires KDE, please do not make the same mistake of making unnecessary dependencies that drives a large fraction of users away.


#4

I believe this applies. (For now anyways).


#5

PS. If there is a “sudo apt-get install hardened-debian” that does not depend on a specific desktop environment I will 100% test every test release you post. You are doing great work.


#6

Thanks.

My only request is to not make what I believe is Whonix’s biggest mistake: making KDE packages as dependencies.

Maybe it’s just terminology. But. Whonix doesn’t depend on KDE. For now there is only non-qubes-whonix-(gateway|workstation)-kde meta package. It’s because Whonix for now is only available (released, build, maintained, supported) as KDE version. Whonix at the moment is a anonymity/security/privacy desktop operating system project focusing on VMs. The focus on anonymity/privacy (security to a lesser extend as well) doesn’t allow with such low resources (funding, core developers) to release/maintain/support multiple desktop desktop environments initially in the first versions (or ever). This might change in future. There will be:

  • non-qubes-whonix-(gateway|workstation)-cli
  • non-qubes-whonix-(gateway|workstation)-kde
  • non-qubes-whonix-(gateway|workstation)-xfce

Requests for gnome will still be custom (non-qubes-whonix-(gateway|workstation)-cli can help but up to user), and rejected by pointing at https://www.whonix.org/wiki/Other_Desktop_Environments.

There is nothing about the fundamental concept of what Whonix is trying to accomplish that requires a specific GUI.

That’s true.

So why make Whonix depend on KDE packages?

If these dependencies did not exist people could use whatever desktop/debian distro they wanted then just “apt-get install whonix-gateway/workstation” and get all the benefit without all the baggage.

No. Parts of the desktop environment are directly related to the core functionalities for Whonix. For example it would be outrageous to release Whonix based on Ubuntu unity search lenses submitting search terms to amazon and others. That would be very much counter user expectations.

For example it required a ton to tame KDE for use with Whonix VMs with respect to privacy/security/RAM usage/CPU usage/usability - see partially also: https://github.com/Whonix/anon-apps-config/tree/master/usr/share/anon-apps-config

Said another way: how crazy would it be if the Tor maintainers made Gnome a dependency for the tor package? Or iptables depend on XFCE?

Not a valid comparison. Debian package tor is a console based local proxy interface connecting to the Tor network. Whonix is a graphical linux distribution focusing on VMs.

Anyway that was a long preface to say: This idea is awesome. Please do it. But given nothing about your list requires KDE, please do not make the same mistake of making unnecessary dependencies that drives a large fraction of users away.

Initially there will be most likely:

  • hardened-debian-cli (CLI only or desktop environment installation up to user but the desktop environment might do insecure things such as Ubuntu unity search lenses submitting search requests to amazon)
  • hardened-debian-kde

Likely later there will be also:

  • hardened-debian-xfce

#7

Just in case you want to borrow some ideas:


https://docs.clip-os.org/
https://docs.clip-os.org/clipos/security.html


#8

Nice find. Gives insight as to what an advanced intel agency’s COMSEC idea of a secure OS looks like. Though surprisingly they choose IPsec over OpenVPN and decide to go bare-backing SSH without something like Tor.


#9

Yes, I think it’s a good idea.

I don’t like the state of information available for hardening Debian. (Official) Resources are obsolete and blog articles are usually recipes with no background . Whonix wiki seems to be the only thing that’s relevant for general advice. Good job everyone!

  • More restrictive Umask settings
  • A metapackage to remove bloat and insecure packages [?]
  • Non-permissive iptables settings [?] :would probably be wonky since use cases would be juggled between vanilla debian and Whonix, though
  • More aggressive service disables in systemd[?]
  • Make new services disabled-by-default instead of enabled-on-install

#10

A great idea - some of it might be of interest to Tails team too?


#11

Great project.
It will be good if it will use Pandora. Pandora automatically overwrites the RAM when the system is shutting down.

Also a good idea is to onionize souces.list and use Tor for updates. Maybe to use Anon Connection Wizard in case someone need to use proxy before Tor


#12

Speaking of keeping dependencies down, if you could limit the dependencies to only what is necessary I will help you port the packages to Ubuntu. I started doing this for Whonix packages a couple years ago but there was enough differences in the Ubuntu/Debian KDE versions and dependancies that it became impossible so I dropped it. But I think if you stuck to minimal dependancies this will be much easier.

That would open up a whole new user base.


#13

Dependencies for individual packages are minimal. Necessary stuff only.
Could you please have a look at some packages and let me know if
dependencies are non-minimal?

Many years ago (maybe up to Whonix 7 or so) there were no separate
packages but only packages like whonix-shared, whonix-gateway and
whonix-workstation with all files but that has long been deprecated in
favor of separate packages.