security-misc & other Kicksecure packages on Arch

59mpci2GJ5xlHhY · June 21, 2020, 12:48am

I was wondering if security-misc and the other hardened configurations for Kicksecure were possible to build on arch, are there any serious incompatibilities or things that would be need to be remade?

If it’s not possible to apply these to arch, is there an equivalent setup that exists for arch?

Other than older packages/stability and probably easier to maintain, are there any security reasons to use debian over arch for a base?

Not sure if this is the right category feel free to move if it isn’t.

Patrick · June 21, 2020, 11:39am

59mpci2GJ5xlHhY via Whonix Forum:

I was wondering if security-misc and the other hardened configurations for Kicksecure were possible to build on arch, are there any serious incompatibilities or things that would be need to be remade?

Theoretically possible to use on arch, yes. But nobody working on that
as far as I know.

is there an equivalent setup that exists for arch?

Not that I know.

Other than older packages/stability and probably easier to maintain, are there any security reasons to use debian over arch for a base?

All notes, considerations here:

59mpci2GJ5xlHhY · June 21, 2020, 9:36pm

Interesting read, the reasons for Debian are definitely understandable.

Arch Linux

TODO: Check its package manager security. (See above.)

It was very easy to configure pacman to get updates via tor & https, however I could not find any mirrors that use .onion, this is an advantage for Debian.

Arch based distributions do seem to have a large userbase, great wiki and pacman is very convenient to use, but I’m unaware how secure it is, I’m gonna have to do some research on that when I have time.

Debian does seem to be a good choice as a base, I won’t contend that but I’m definitely curious about the possibility of sharing some packages with Arch since Arch seems to be very morphable and might not take much to be ‘kicksecured’.

HulaHoop · June 22, 2020, 12:36pm

Please go ahead . The more use and attention our work gets, the better for the whole ecosystem.

madaidan · September 4, 2020, 6:17pm

I’ve tried this a few times but found it too tedious and the packaging system really doesn’t help. Most of the files can be applied fine but some can’t. For example, /etc/default/grub.d, /etc/kernel/postinst.d, /etc/initramfs-tools, etc. don’t exist on Arch so you’d have to mess with some Arch alternative.

If you want to try this though, GitHub - helixarch/debtap: A script for converting .deb packages into Arch Linux packages, focused on accuracy may help.

Patrick · June 20, 2022, 11:33am

github.com/Kicksecure/security-misc

Unable to disable dccp , ticp , rds and other blacklisted modules in Arch Linux

opened 04:41PM - 19 Jun 22 UTC

closed 11:33AM - 20 Jun 22 UTC

evil-user

i added rules to disable them in a security.conf inside /etc/modprobe.d/ folder …and in /etc/mkinitcpio.conf added line FILES=(/etc/modprobe.d/security.conf) and ran sudo mkinitcpio -P and then rebooted system and verified output using lynis which showed rds , dccp , sctp , ticp not disabled. the contents of security.conf was copied from https://github.com/Kicksecure/security-misc/blob/master/etc/modprobe.d/30_security-misc.conf

redex · June 22, 2022, 6:14pm

There is the hardened malloc in the AUR
also you could run the hardened kernel, and switch to wayland.
I tried these but arch was just to unstable for me.