Lynis is a good tool for automating audits. It’s in the debian repos. We’ve applied most of the changes already but there may be some more useful stuff there.
sudo apt update sudo apt install lynis sudo lynis audit system
It would be best to test this with the testing Whonix versions so it detects all of the recent changes.
- Install libpam-tmpdir to set $TMP and $TMPDIR for PAM sessions [CUST-0280]
So let’s install https://packages.debian.org/buster/libpam-tmpdir by default?
- Install debsecan to generate lists of vulnerabilities which affect this installation. [CUST-0870]
I did not manage to gather any actionable / useful advice. If annyone has more luck on how to use this, please share.
I’m not entirely sure how that works or how it would help. Don’t most programs just use /tmp?
Doesn’t seem to install properly for me.
Most programs use
mktemp, I think, I hope? Or some sort of API around it? The are not supposed to have their own logic of creating a temp folder. That is supposed to be abstracted and secure.
As far as I understand libpam-tmpdir attempts to make this process more secure by adding per-user temp folder separation.
It sets environment variables
/tmp/user/<userid>. These will then be private temp folders.
Not sure that is really needed but might be since systemd also has an instance
Unfortunately it seems to be incompatible with some Debian packaging tools? Perhaps since this package is rather unpopular? Examples:
dpkg-deb: building package 'pbuilder-satisfydepends-dummy' in '/tmp/satisfydepends-aptitude/pbuilder-satisfydepends-dummy.deb'. dpkg-deb: error: failed to make temporary file (control member): No such file or directory E: pbuilder-satisfydepends failed.
Happening during 1100_prepare-build-machine cowbuilder --create. Perhaps since environment variables user vs root do not match in chroot. Unsetting the TMP / TEMP environment variables and/or installing libpam-tmpdir in chroot does not solve this issue either.
+ /usr/lib/security-misc/apt-get-wrapper -o Acquire::http::Proxy=http://127.0.0.1:3142 -o Acquire::https::Proxy=http://127.0.0.1:3142 -o Acquire::tor::Proxy=http://127.0.0.1:3142 -o Acquire::Languages=none -o Acquire::IndexTargets::deb::Contents-deb::DefaultEnabled=false -o Acquire::Retries=3 -o Acquire::BlockDotOnion=false update + set -e + set -o pipefail + set -o errtrace ++ mktemp --directory mktemp: failed to create directory via template '/tmp/user/0/tmp.XXXXXXXXXX': No such file or directory
Ohh. That makes sense. It would be good to install that by default then.
We should contact upstream about the errors.