user@host:~$ sudo cat /etc/sudoers.d/live
user ALL=(ALL) NOPASSWD: ALL
It is still not clear to me what exact files/settings take care of the default Debian Live User environment and variables: live-boot packages? live-config (my guess)? Need to sort it out somehow.
OK, I have uploaded the scripts on GitHub:
Warning: they are merely raw bash scripts, basically chrooting into the Hardened VM and taking care of the necessary stuff in the simplest way. They are certainly not production-ready and must be integrated into the Whonix build scripts by an experienced developer. I am not capable of that yet.
Also uploaded a list of all the additional software installed in the Whonix-Desktop Installer ISO:
@Patrick Regarding copyright: is it necessary? After all, it is just some bash commands and external programs with specific options… If yes, do you have an example of what should be indicated? Thanks.
It is still not clear to me what exact files/settings take care of the default Debian Live User environment and variables: live-boot packages? live-config (my guess)? Need to sort it out somehow.
Running apt-file list live-config might help understanding what the package does.
Also uploaded a list of all the additional software installed in the Whonix-Desktop Installer ISO:
That’s a bit much for listening in anon-meta-packages. That doesn’t mean it’s too much in an actually build iso. We’ll list only packages that we want and then their dependencies are implicitly added by those. I’ll see what I can do.
@Patrick Regarding copyright: is it necessary? After all, it is just some bash commands and external programs with specific options… If yes, do you have an example of what should be indicated? Thanks.
Better to have it consistently.
We now have the initial packages and can add more dependencies as required.
whonix-host-xfce-kvm-freedom
whonix-host-xfce-kvm-nonfreedom
Most dependencies (such as live-config perhaps etc) should be added to whonix-host-xfce-kvm-freedom. This is because whonix-host-xfce-kvm-nonfreedom has Depends: on whonix-host-xfce-kvm-freedom.
to the xml file.
But as you said it needs to be changed to readwrite afterwards when using the installed host OS.
iirc just using the correct settings for the xml file should be sufficient i.e. you maybe don’t need to change the permissions of the file.
In this case one could maybe come up with some script which checks if we boot from an iso and accordingly sets the read only tag.
Another way would maybe be using virt-install instead of importing the VMs via the xml.
Could be because systemd time daemon is conflicting with what sdwdate is setting. @Patrick can we switch the time daemon on every Debian derivative we make to sdwdate exclusively?
Would this be part of the whonix libvirt host package? If so it would depend on detecting live mode is enabled and then it would edit the VM configs with somehting like sed. Since exiting amnesic mode would revert it, no need for code to undo.
install anon-connection-wizaard on the host too. (And then have user duplicate that work inside Whonix-Gateway.) [In theory, OneVM where Tor runs on the host would make more sense to avoid duplicate Tor config and duplicate Tor connections but OneVM may also be harder to get right in terms of leak protection, never thought that through.]
drop “give user option to not connect to the public Tor network”.
Would this be part of the whonix libvirt host package? If so it would depend on detecting live mode is enabled and then it would edit the VM configs with somehting like sed. Since exiting amnesic mode would revert it, no need for code to undo.
Something like this.
What’s the config that has to be changed?
Or what’s the command line command to be run to change that?
I notice several parameters that escaped me when reading the host hardening guide. Will the installation scripts be designed such that they can be applied to an existing Debian host? If not, would it be possible to document them Arch Wiki style in order to easily replicate the config?
I notice several parameters that escaped me when reading the host hardening guide. Will the installation scripts be designed such that they can be applied to an existing Debian host?
Yes, more or less as a byproduct we’ll get sudo apt-get install whonix. Will be documented when time has come, not ready yet.
(Developers can already do it if that was to help with debugging.) Not
sure yet if sudo apt-get install whonix will be supported for users
since more can go wrong compared to a ISO installer build where all
default installed packages can be defined by developers.
If not, would it be possible to document them Arch Wiki style in order to easily replicate the config?
Both product Hardened Debian and product Whonix Host (temporary
names) won’t apply all steps from host hardening guide. Only what’s
doable / realistic / etc. Some are too specific like router settings to
be done by a host operating system.
I am not sure whonix-libvirt is the ideal place for detection of live mode and the adjustment of image write options. Perhaps the grub-live package is a better place.
However wouldn’t doing this break VM usage since ro-mode-init is not our first choice for using it?