What is the most secure Linux distribution for hosting Whonix?

I only use a live system to run Whonix and I want to customize the live ISO to add grsecurity, but I would like to know what is the best/most secure Linux distribution to host Whonix.

I guess most secure and also most difficult [because it needs original research]: Qubes OS.

Current advice [not most secure, but for most users]:

Why Whonix isn’t based on X [eliminates common misconceptions such as about OpenBSD]:

Older discussion:

Thanks Patrick.
I’m thinking about installing Debian, then installing grsecurity on it and finally using Remastersys to make a live ISO of the system. What do you think about this?
The goal here is to use a live and hardened version of Debian which will run Whonix.

Debian / grsecurity won’t be easy to set up, but if you manage to, good luck. Sure, that would be a nice security improvement.

Remastersys has been deprecated. I don’t know if it would still work for this purpose. I also don’t know the status of the successor projects Black Lab Imager / Relinux. Worth researching. Please feel free.

I don’t know if/how VirtualBox images will work from a Live DVD. If it works, I foresee no security issues other than that live systems cannot easily be updated. Not sure if one can have enough RAM to run unmodified Whonix images as a live version. No idea if it would require loading the whole images into RAM or how this gets managed. Please find out and share your results. Many people will be interested in this.

Actually, I use Whonix on a liveUSB of Ubuntu without a single problem. VirtualBox saves the changes made to Whonix on the flash memory; then when I restart Ubuntu I simply import the Whonix files into VB and reconfigure them.
If you want more details just ask.

Actually it’s pretty easy to update: you just have to change the ISO for a new one.

Now the problem with installing grsecurity is the lack of guides. I noticed that most Linux developers assume that everyone who uses Linux is an expert, so this results in a lack of documentation/step-by-step guides.
But even if I manage to install grsecurity (which is just a matter of time), I don’t know if making it a live ISO is feasible/usable.

[quote]I foresee no security issues other than, that live systems can not easily be updated[/quote]
I’m trying to reduce/prevent the chance of some 0day exploit breaking out of the virtual machine; this is why I would like to add grsecurity.

Can you please elaborate?

What do you think about VirtualBox?
troubadour may enjoy more testers. All links here (apparmor profile, troubadour, support topic, etc.): https://www.whonix.org/wiki/AppArmor/VirtualBox

[quote=“abby, post:5, topic:215”]Actually, I use Whonix on a liveUSB of Ubuntu without a single problem. VirtualBox saves the changes made to Whonix on the flash memory; then when I restart Ubuntu I simply import the Whonix files into VB and reconfigure them.
If you want more details just ask.

Actually it’s pretty easy to update: you just have to change the ISO for a new one.[/quote]
So your Ubuntu is a liveUSB, but for Whonix you’re using full persistence?

That’s not really the definition of live, I think. Still, most interesting! I would be interested to create a Live DVD with Whonix. I am currently working on https://github.com/Whonix/Whonix/issues/40 to make this simpler. Still, it’s a long way to go and I think it can not happen until there are more devs.

[quote=“Occq, post:7, topic:215”][quote author=abby link=topic=228.msg1506#msg1506 date=1396808267]
Now the problem with installing grsecurity is the lack of guides. I noticed that most Linux developers assume that everyone who uses Linux is an expert, so this results in a lack of documentation/step-by-step guides.
[/quote]

https://github.com/rickard2/grsecurity-Debian-Installer[/quote]
Thx, I will look into that script.

[quote]Can you please elaborate?[/quote]
I mean I don’t know if grsecurity will work after I install it (if it’s possible) on a custom ISO and run a live Linux.

[quote]What do you think about VirtualBox? troubadour may enjoy more testers. all links here (apparmor profile, troubadour, support topic, etc.): https://www.whonix.org/wiki/AppArmor/VirtualBox[/quote]
I’m actually using VirtualBox; it’s a good program but still not very secure against exploits. I think I will try the AppArmor profile.

[quote]So your Ubuntu is a liveUSB, but for Whonix you’re using full persistence?

That’s not really the definition of live, I think. Still, most interesting![/quote]

Yes, exactly. I use an Ubuntu liveUSB and then I launch VirtualBox and use my previous image of Whonix, but if I don’t want persistence I just delete the Whonix image and use a new one.

[quote]I would be interested to create a Live DVD with Whonix. I am currently working on https://github.com/Whonix/Whonix/issues/40 to make this simpler. Still, it’s a long way to go and I think it can not happen until there are more devs.[/quote]

Why don’t you use some small Linux distro (like Damn Small Linux) and integrate VirtualBox and Whonix into it? It would be the closest to a real Whonix live DVD; it shouldn’t consume more resources than a regular OS that runs Whonix. The users would just need to boot the small distro, then VirtualBox, then run Whonix. But maybe it’s not possible, I don’t know; I’m new to all of this. I will try when I have free time and report the result.
I will also check how much RAM my installation consumes and report back.

[quote=“abby, post:11, topic:215”][quote]
Can you please elaborate?
[/quote]
I mean I don’t know if grsecurity will work after I install it (if it’s possible) on a custom ISO and run a live Linux.[/quote]
I don’t think grsecurity will care whether it’s run from live iso or not. Configuring it could be the more difficult part.

[quote]Why don’t you use some small Linux distro (like Damn Small Linux) and integrate VirtualBox and Whonix into it? It would be the closest to a real Whonix live DVD; it shouldn’t consume more resources than a regular OS that runs Whonix. The users would just need to boot the small distro, then VirtualBox, then run Whonix. But maybe it’s not possible, I don’t know; I’m new to all of this. I will try when I have free time and report the result. I will also check how much RAM my installation consumes and report back.[/quote]

Custom minimal Debian might not be much bigger, if at all, and work better.

  • When providing a Live DVD, questions about hardware support will start. This isn’t a strong skill of mine.

  • Whonix’s source code should probably be restructured beforehand (https://github.com/Whonix/Whonix/issues/40)

  • Whonix’s build script… Not sure how to implement this best. One way would be using debian-live. Another way creating a host raw image and then somehow converting it to iso.

Long way to go.

Once you have your Debian system tailored to your liking (grsecurity in place, etc.) you can create a bootable pendrive version of it using refractasnapshot, perhaps in conjunction with refracta2usb.

refractasnapshot is available from the Debian sid repo. I don’t think refracta2usb is available from the Debian repo though.

The developer of these tools is attentive & provides prompt support at http://refracta.freeforums.org

[quote][quote]So your Ubuntu is a liveUSB, but for Whonix you’re using full persistence?[/quote] [quote]That’s not really the definition of live, I think. Still, most interesting![/quote] Yes, exactly. I use an Ubuntu liveUSB and then I launch VirtualBox and use my previous image of Whonix, but if I don’t want persistence I just delete the Whonix image and use a new one.[/quote]
With the refracta approach (or nearly identical scripts used in antix Linux), each boot session you can choose whether or not to activate the persistence, and you can opt to set up persistence as save-on-demand only (vs. forced autosave at end of each session, à la Puppy Linux). Your base image stays clean (mounted ro, from squashfs to an aufs layer) and you can (even from a live session) further remaster your system onto another pendrive. When you remaster, persistence+base is merged into a new base image.

FYI: I’m a noob to virtualbox and whonix and haven’t tested whether or not a remastering approach is feasible here.

What is the most secure Linux distribution for hosting Whonix?

According to adrelanos it would be Debian Wheezy; the 64-bit, he told me, is slightly more secure than the 32-bit.

But I believe hardened Gentoo is more secure; by hardened I mean Gentoo with grsecurity/PaX.

According to Wikipedia, grsecurity is a set of patches for the Linux kernel which emphasizes security enhancements.

[quote=“Joshua, post:14, topic:215”]What is the most secure Linux distribution for hosting Whonix?

According to adrelanos it would be Debian Wheezy; the 64-bit, he told me, is slightly more secure than the 32-bit.[/quote]
I wrote (Computer Security Education - Whonix) “Briefly: Debian GNU/Linux is a reasonable compromise of security and usability (popularity, documentation).”, doesn’t say “most secure”.

Ah sorry, didn’t mean to put words in your mouth. At times I solely rely on memory and don’t look back into your documentation due to pure laziness.

Sorry for bumping this older thread but, as a retired UNIX Sys. Admin and CISSP (10+ years), I find this topic interesting as our privacy and anonymity are disappearing from the world, not just our individual countries.

I haven’t really touched Linux or *BSD since my retirement when it also used to be a hobby. I’ve recently returned to experimenting with current versions and this is how I discovered Whonix. In a few months, I will be living on the road for a few years and have been researching laptops capable of VT-x and VT-d as well as full hardware capability, and TPM, for Linux. I believe I have found the laptop that will work best for me and it has removable hard drives which will make experimentation easy.

My day to day platform will likely be Debian but I am extremely interested in Qubes OS and really want to learn it inside out. Since my retirement, it’s the first new OS to come along that has excited me this much to dive back into all of this as a hobby. I’d love to start playing with it now, I just will not have the hardware to fully support it until I buy my new laptop.

Is anyone else experimenting with Qubes at the moment?

I advise making a separate forum post for this.