Whonix Wiki Download Docs News Support Tips Issues Contribute DONATE

Whonix Enterprise Software

Sorry - much not time at the moment. Should improve soon.

Security gurus @Patrick @madaidan @HulaHoop

Any easy security wins that Whonix/KickSecure has missed in this list below? I know a bunch won’t apply at all. Apparently mil, guvvie, paranoid corporates etc. use these lists.


Table of Contents

Remediation functions used by the SCAP Security Guide Project
System Settings
    Configure Syslog
    Network Configuration and Firewalls
    GRUB2 bootloader configuration
    Set Boot Loader Password
    Protect Random-Number Entropy Pool
    Account and Access Control
    File Permissions and Masks
    System Accounting with auditd
    Installing and Maintaining Software
    Obsolete Services
    APT service configuration
    FTP Server
    SNMP Server
    Cron and At Daemons
    X Window System
    Network Routing
    DNS Server
    Samba(SMB) Microsoft Windows File Sharing Server
    USBGuard daemon
    Web Server
    System Security Services Daemon
    Network Time Protocol
    Hardware RNG Entropy Gatherer Daemon
    Application Whitelisting Daemon
    Base Services
    Proxy Server
    Mail Server Software
    IMAP and POP3 Server
    Deprecated services
    NFS and RPC
    Print Support
    Docker Service
    Avahi Server
    SSH Server
    General Principles
    How to Use This Guide

(BTW Another good reference for hardening Whonix is the DISA STIG guides - there is one for Debian Linux 10, but you have to give an email address to download the free PDF - so no dice unless you’re keen. Pity, because US Department of Defense systems utilise those guides and they are very thorough. The Debian 8 version can easily be found online though; probably still very relevant)

Great! :slight_smile: It’s time to immortalize your stuff which is frankly, awesome.


It’s mostly just configuring certain services that aren’t used in Whonix (e.g. a mail server) so there’s not much there that applies to us.

1 Like


I was thinking about it was concluding that it’s not worth to spend time on working on enterprise issues.

Whonix / Kicksecure is not an enterprise operating system yet. Such a flavor might be possible in future if an enterprise pays for implementation of these features / such a flavor.

It would require a different projject focus and need work on things such as uploading logs to a log server. Any half-serious attempts such as implementing some things that enterprises want would be in vain as there are other projects which specialize in enterprise software.

Working on STIG though makes sense. Some recommendations might in theory be applicable for Whonix at its current state too. Hence my previous post.

1 Like