Whonix-Host Operating System (OS) ISO

Amazing!

onion_knight via Whonix Forum:

I am sure we can remove the passwordless sudo rights in some config file somewhere, just didn’t find out how yet.

Likely some file in /etc/sudoers.d folder.

Possibly looking similar/same as this:

user ALL=(ALL) NOPASSWD: ALL

You are probably right:

user@host:~$ sudo cat /etc/sudoers.d/live 
user ALL=(ALL) NOPASSWD: ALL

It is still not clear to me what exact files/settings take care of the default Debian Live User environment and variables: live-boot packages? live-config (my guess)? Need to sort it out somehow.

OK, I have uploaded the scripts on GitHub:

Warning: they are merely raw bash scripts, basically chrooting into the Hardened VM and taking care of the necessary stuff in the simplest way. They are certainly not production-ready and must be integrated into the Whonix build scripts by an experienced developer. I am not capable of that yet.

Also uploaded a list of all the additional software installed in the Whonix-Desktop Installer ISO:

@Patrick Regarding copyright: is it necessary? After all, it is just some bash commands and external programs with specific options… If yes, do you have an example of what should be indicated? Thanks.

onion_knight via Whonix Forum:

It is still not clear to me what exact files/settings take care of the default Debian Live User environment and variables: live-boot packages? live-config (my guess)? Need to sort it out somehow.

Running apt-file list live-config might help understanding what the package does.

Also uploaded a list of all the additional software installed in the Whonix-Desktop Installer ISO:

whonix-stuff/Whonix-Desktop list of new packages at master · onions-knight/whonix-stuff · GitHub

That’s a bit much for listening in anon-meta-packages. That doesn’t mean it’s too much in an actually build iso. We’ll list only packages that we want and then their dependencies are implicitly added by those. I’ll see what I can do.

@Patrick Regarding copyright: is it necessary? After all, it is just some bash commands and external programs with specific options… If yes, do you have an example of what should be indicated? Thanks.
Better to have it consistently.

Most files in Whonix source code should have it, all bash scripts should have it. Here is an example: https://github.com/Whonix/Whonix/blob/master/whonix_build

Please review/merge:

OK, merged.

Regarding branding, actually very easy, all files live in /etc/calamares/branding/debian/ (with package calamares-settings-debian installed).

Just need to modify the .png files and the config file accordingly: /etc/calamares/branding/debian/branding.desc

user@host:/etc/calamares/branding/debian$ sudo apt-file list live-config
sudo: unable to resolve host host: Name or service not known
live-config: /bin/live-config             
live-config: /bin/live-config-update
live-config: /lib/live/config/0010-debconf
live-config: /lib/live/config/0020-hostname
live-config: /lib/live/config/0030-live-debconfig_passwd
live-config: /lib/live/config/0030-user-setup
live-config: /lib/live/config/0040-sudo
live-config: /lib/live/config/0050-locales
live-config: /lib/live/config/0070-tzdata
live-config: /lib/live/config/0080-gdm3
live-config: /lib/live/config/0085-sddm
live-config: /lib/live/config/0090-kdm
live-config: /lib/live/config/0100-lightdm
live-config: /lib/live/config/0110-lxdm
live-config: /lib/live/config/0120-nodm
live-config: /lib/live/config/0130-slim
live-config: /lib/live/config/0140-xinit
live-config: /lib/live/config/0150-keyboard-configuration
live-config: /lib/live/config/1020-gnome-panel-data
live-config: /lib/live/config/1030-gnome-power-manager
live-config: /lib/live/config/1040-gnome-screensaver
live-config: /lib/live/config/1050-kaboom
live-config: /lib/live/config/1060-kde-services
live-config: /lib/live/config/1080-policykit
live-config: /lib/live/config/1090-ssl-cert
live-config: /lib/live/config/1110-anacron
live-config: /lib/live/config/1120-util-linux
live-config: /lib/live/config/1130-login
live-config: /lib/live/config/1140-xserver-xorg
live-config: /lib/live/config/1160-openssh-server
live-config: /lib/live/config/1170-xfce4-panel
live-config: /lib/live/config/1180-xscreensaver
live-config: /lib/live/config/1190-broadcom-sta
live-config: /lib/live/config/9990-hooks
live-config: /lib/live/init-config.sh
live-config: /lib/live/setup-network.sh
live-config: /usr/share/bug/live-config/presubj
live-config: /usr/share/doc/live-config/changelog.gz
live-config: /usr/share/doc/live-config/copyright
live-config: /usr/share/live/config/VERSION
live-config: /usr/share/live/config/xserver-xorg/nvidia.conf
live-config: /usr/share/live/config/xserver-xorg/vboxvideo.conf

Please have a look:

If you like, please open a lot / most of these files in a text editor. Might give clues what these are doing.

We now have the initial packages and can add more dependencies as required.

• whonix-host-xfce-kvm-freedom
• whonix-host-xfce-kvm-nonfreedom

Most dependencies (such as live-config perhaps etc) should be added to whonix-host-xfce-kvm-freedom. This is because whonix-host-xfce-kvm-nonfreedom has Depends: on whonix-host-xfce-kvm-freedom.

Ah, I did not see whonix-stuff/2900_configure_desktop_sketch at master · onions-knight/whonix-stuff · GitHub earlier. This will help me with dependencies.

You would need to add something like:

<source file='/var/lib/libvirt/images/VM.img'/>
  <target dev='vda' bus='virtio'/>
  <readonly/>

to the xml file.
But as you said it needs to be changed to readwrite afterwards when using the installed host OS.
iirc just using the correct settings for the xml file should be sufficient i.e. you maybe don’t need to change the permissions of the file.
In this case one could maybe come up with some script which checks if we boot from an iso and accordingly sets the read only tag.
Another way would maybe be using virt-install instead of importing the VMs via the xml.

That’s great The only caveat is it will need to be disabled temporarily to create snapshots when the host is booted in a persistent mode to update.

Could be because systemd time daemon is conflicting with what sdwdate is setting. @Patrick can we switch the time daemon on every Debian derivative we make to sdwdate exclusively?

sdwdate sets time, not timezone.

This is what timezone-utc package is doing essentially:
https://github.com/Whonix/timezone-utc/blob/master/debian/timezone-utc.postinst

Might give some clues on how to change timezone.

Already done.

Yes, we need to set this somehow in when Whonix host was booted into live mode only. This is not implemented yet?

Done this way:

Would this be part of the whonix libvirt host package? If so it would depend on detecting live mode is enabled and then it would edit the VM configs with somehting like sed. Since exiting amnesic mode would revert it, no need for code to undo.

Does this work in Whonix?

Disadvantage being that we have to,

• install anon-connection-wizaard on the host too. (And then have user duplicate that work inside Whonix-Gateway.) [In theory, OneVM where Tor runs on the host would make more sense to avoid duplicate Tor config and duplicate Tor connections but OneVM may also be harder to get right in terms of leak protection, never thought that through.]
• drop “give user option to not connect to the public Tor network”.

Would this be part of the whonix libvirt host package? If so it would depend on detecting live mode is enabled and then it would edit the VM configs with somehting like sed. Since exiting amnesic mode would revert it, no need for code to undo.

Something like this.

What’s the config that has to be changed?

Or what’s the command line command to be run to change that?

It could be implemented as a systemd unit file. Similar to: https://github.com/Whonix/shared-folder-help/blob/master/lib/systemd/system/mnt-shared-kvm.service

Probably no need for ConditionVirtualization=.

Should probably use ConditionKernelCommandLine=boot=live to then call a script.

Could you please add a /lib/systemd/system/live-libvirt.service (or so) to whonix-libvirt package?

I notice several parameters that escaped me when reading the host hardening guide. Will the installation scripts be designed such that they can be applied to an existing Debian host? If not, would it be possible to document them Arch Wiki style in order to easily replicate the config?

jpearson via Whonix Forum:

I notice several parameters that escaped me when reading the host hardening guide. Will the installation scripts be designed such that they can be applied to an existing Debian host?

Yes, more or less as a byproduct we’ll get sudo apt-get install whonix. Will be documented when time has come, not ready yet.
(Developers can already do it if that was to help with debugging.) Not
sure yet if sudo apt-get install whonix will be supported for users
since more can go wrong compared to a ISO installer build where all
default installed packages can be defined by developers.

If not, would it be possible to document them Arch Wiki style in order to easily replicate the config?

Both product Hardened Debian and product Whonix Host (temporary
names) won’t apply all steps from host hardening guide. Only what’s
doable / realistic / etc. Some are too specific like router settings to
be done by a host operating system.

Dug around on how to modify XML settings on the fly via cli. Other options were too messy or required manual editing which are useless for scripting.

sudo virt-xml Whonix-Workstation --edit --disk readonly=on

readonly takes values on/off

I am not sure whonix-libvirt is the ideal place for detection of live mode and the adjustment of image write options. Perhaps the grub-live package is a better place.

However wouldn’t doing this break VM usage since ro-mode-init is not our first choice for using it?