Sorry - much not time at the moment. Should improve soon.
Any easy security wins that Whonix/KickSecure has missed in this list below? I know a bunch won’t apply at all. Apparently mil, guvvie, paranoid corporates etc. use these lists.
Table of Contents
Remediation functions used by the SCAP Security Guide Project System Settings Configure Syslog Network Configuration and Firewalls GRUB2 bootloader configuration SELinux Set Boot Loader Password Protect Random-Number Entropy Pool Account and Access Control File Permissions and Masks System Accounting with auditd Installing and Maintaining Software Services Obsolete Services APT service configuration FTP Server SNMP Server Cron and At Daemons X Window System Network Routing DNS Server LDAP DHCP Samba(SMB) Microsoft Windows File Sharing Server USBGuard daemon Web Server System Security Services Daemon Network Time Protocol Kerberos Hardware RNG Entropy Gatherer Daemon Application Whitelisting Daemon Base Services Proxy Server Mail Server Software IMAP and POP3 Server Deprecated services NFS and RPC Print Support Docker Service Avahi Server SSH Server Introduction General Principles How to Use This Guide
(BTW Another good reference for hardening Whonix is the DISA STIG guides - there is one for Debian Linux 10, but you have to give an email address to download the free PDF - so no dice unless you’re keen. Pity, because US Department of Defense systems utilise those guides and they are very thorough. The Debian 8 version can easily be found online though; probably still very relevant)
Great! It’s time to immortalize your stuff which is frankly, awesome.