Port to openSUSE

Patrick · October 26, 2023, 2:12pm

Was not suggested by me. Just posting here for tracking purposes. Discussion here:

Proposing openSUSE as a security-focused base operating system for Kicksecure and by extension Whonix

opened 10:35AM - 26 Oct 23 UTC

I don't know if this is the right place for this, but I did not find any reposit…ory that is more suitable to open such an issue. First and foremost, I have read the whonix wiki and how you people evaluate operating systems and what do you expect from them. OpenSUSE is not on the list. I want it to be considered for the following grounds: * The openSUSE project is community driven and it is not for profit. * The project has been around for 20 years and is well established and recognized and has many eyeballs on itself. * I propose specifically openSUSE Tumbleweed. One of the most important points is: it rolls. And dare I say: it is also rock stable. It is fast to provide the newest microcode updates without any delay, unlike debian, so that users have the current protections. Everything is tested before release but no package freezing takes place. All the benefits of having a rolling distro + all the benefits of being stable. Need I say more? * Zypper, the package manager used in openSUSE uses gpg verification for everything by default. All openSUSE packages are also [reproducable](https://github.com/openSUSE/open-build-service). * SUSE is one of the rare distros that make security a priority. [Built from latest kernel releases, compiled with the latest Spectre / Meltdown mitigation patches, with firewall and strong security policies turned on by default, your security is covered out-of-the-box.](https://get.opensuse.org/tumbleweed/) * openSUSE uses YaST. The most powerful installation and configuration tool ever. Kicksecure maintaining a secure installation configuration is way easier. Most anything can be maintained by just maintaining a file. See next point. * Hardening file permissions is a piece of cake. Just add a custom file under ```/etc/permissions.d/``` and apply changes. Zypper makes sure these permissions are applied at each package upgrade/install, no configuration needed, just put the file. SUSE even comes with various [profiles](https://github.com/openSUSE/permissions/tree/master/profiles) to choose from, which would be helpful for Kicksecure to derive its own secure profile. * SUID/GUID hardening is by extension also a piece of cake. But wait: they already ship the least amount of SUID's in the first place. > [SUSE only sets the SUID/SGID bit on binary if it is really necessary](https://doc.opensuse.org/documentation/leap/security/single-html/book-security/index.html#sec-sec-prot-general-s-bit). * Anything and everything installation: that is partitions and their mounting options and their hardening settings. What repositories we set or services or anything firewall or anything ever really. We can export the installation configuration to a single file. Importing this file results in the very same installation in all aspects. * One of the few distros that actually comes with a firewall active and preconfigured for security. We can further lock this down, of course. * The security team actively works to harden systemd services and lock them down. See [here](https://bugzilla.suse.com/show_bug.cgi?id=1181400). * Comes with AppArmor pre-enabled and several profiles enforcing. Adding profiles is easy. This provides easy compatibility for Whonix's own profiles. * openSUSE allows easily defining privileges in a more fine-grained way. See [here](https://doc.opensuse.org/documentation/leap/security/html/book-security/cha-security-polkit.html#sec-security-polkit-change-modify-config-implicit). * [Plasma Desktop](http://www.kde.org/workspaces/plasmadesktop/) from KDE is the default workspace on openSUSE. SUSE's team actively fix bugs on KDE and the two projects have a good relationship. Having KDE means having wayland and pipewire. This means an infinetely more secure system. * Creating a fork can be done via KIWI, the openSUSE Build Service or via your own build process. * They provide helpful documentation as to how to create a fork and a [trademark guideline](https://en.opensuse.org/openSUSE:Trademark_guidelines).

Patrick · November 7, 2023, 6:19pm

github.com/Kicksecure/security-misc

Serious Question - Porting to new distro - Procedure

opened 03:03PM - 07 Nov 23 UTC

monsieuremre

Since I have previously made the suggestion to base kicksecure to Tumbleweed, I …can't unsee all the benefits everywhere. Our suid disabler is one of them. The Qubes vulnurability ticket. The package that causes the vulnurability to escelate privileges to root, is whitelisted in our hand written service. On Tumbleweed, we would just do suid whitelisting on the default shipped secure file permissions configuration. See [here](https://github.com/openSUSE/permissions/blob/master/profiles/permissions.secure). I also can't unsee the fact that we maintain our service that is not as efficient and we also have to play along with dpkg seperately so that our secure permissions don't get overridden. These are all automatically managed in Tumbleweed. In most cases, a Tumbleweed base would reduce the complexity of Kicksecure from maintaining a lot of services to maintaining a lot of mere configuration files. What is the procedure to switch to Tumbleweed? It seems kicksecure is tied too much to debian. What packages need to be ported, very specifically. Which ones. Tell me. Even if you don't want to port at all, you do you, I still want to try for myself to port. I want to try to create a Kicksecure SUSE edition, or whatever I'm allowed call it while respecting all the trademarks. Someone has to do this to prove it possible. I did research. Even tho challenging in the beginning, I sincerely believe Tumbleweed will make development and maintaining easier in the long run, not to mention all the security benefits already in place in openSUSE Tumbleweed.

neo0xff · November 11, 2023, 8:21am

Why opensuse? If we are porting to a new distro we might as well port to Gentoo.

Patrick · November 11, 2023, 12:02pm

Argued for in the ticket. My forum posts (that contain mostly links) make little sense without following the links.

Note: It wasn’t me who suggested that. I am just attempting to keep all the discussions linked together so others can comment too.

This was:

explored in greater detail a few years ago Gentoo / Hardened Gentoo
would need a contributor working on it. There are many topics should port to this and usually it goes nowhere.

Patrick · January 4, 2024, 7:58pm

openSUSE as recently added to base operating system comparison table by a wiki editor without account:
Security-Focused Operating System Comparison as Base for Whonix chapter Comparison Table in Whonix wiki

homicidalwombat · January 9, 2024, 8:20pm

Don’t think Gentoo makes sense for Whonix, but kicksecure is very good consideration. Personally have been using most kicksecure features and recommendations on top of Gentoo manually with no issues (at least in my configuration).

I believe kicksecure “port” for Gentoo is already done as it just needs overlay repo to reflect changes for automatic deployment (in systemd version case).

Patrick · January 19, 2024, 5:12pm

I compared a few packages and these were not as up-to-date as upstream. Apparently even openSUSE Tumbleweed lags behind upstream in many cases.

Worse, even if considering openSUSE Leap (seems similar to Debian stable), some packages are fully missing.

Therefore, I am not convinced it is worth porting to openSUSE.

Here are my notes: