Testers Wanted!
Download the Testers-Only version of Whonix for VirtualBox:
Alternatively, an in-place release upgrade is possible using the Whonix testers repository.
Notable Changes:
- Stronger Linux User Account Isolation:
- Non-Qubes-Whonix only for now: Lock and expire root account in new Whonix builds. Existing users who upgraded are advised to lock their root account. (Qubes issue)
- Disable root login in virtual console by default.
- This is a purposeful security feature. No user freedom restrictions. Read more here: Safely Use Root Commands
- Kernel Hardening - security-misc - #140 by madaidan and other security hardening (numerous enhancements to security-misc)
- Enabling kernel panic on kernel oops after boot. (set oops=panic kernel parameter or kernel.panic_on_oops=1 sysctl for better security)
- Change default umask to 006.
- Enable pam_umask.so usergroups so group permissions are the same as user permissions. Debian by default uses User Private Groups (UPG). UserPrivateGroups - Debian Wiki /usr/share/pam-configs/usergroups-security-misc
- Removes read, write and execute access for others for all users who have home folders under /home by running, for example, “chmod o-rwx /home/user” during package installation or upgrade. This is done only once per folder in /home, so users who wish to relax file permissions are free to do so. This protects files in user home folders that were created with lax file permissions prior to installation of this package.
- group sudo membership required to use su
- passwordless recovery / emergency mode
- lock user accounts after 5 failed authentication attempts using pam_tally2 (instructions how to unlock) to allow users to use short, easy, "weak" passwords for their "user" account while preventing compromised non-root users from bruteforcing their "user" account.
- The thunderbolt and firewire modules are blacklisted as they can be used for DMA (Direct Memory Access) attacks.
- Uncommon network protocols are blacklisted: These are rarely used and may have unknown vulnerabilities. /etc/modprobe.d/uncommon-network-protocols.conf
- Enable IOMMU
- The SysRq key is restricted to only allow shutdowns/reboots.
- A systemd service mounts /proc with hidepid=2 at boot to prevent users from seeing each other’s processes.
- A systemd service clears System.map on boot as these contain kernel symbols that could be useful to an attacker. (ongoing discussion)
- The kernel logs are restricted to root only.
- The BPF JIT compiler is restricted to the root user and is hardened.
- The ptrace system call is restricted to the root user only.
- Add user root to group sudo. This is required to make the above work so login as a user in a virtual console is still possible. debian/security-misc.postinst
- Kernel symbols in /proc/kallsyms are hidden to prevent malware from reading them and using them to learn more about what to attack on your system.
- Kexec is disabled as it can be used for live patching of the running kernel.
- See GitHub - Kicksecure/security-misc: Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings - https://www.kicksecure.com/wiki/Security-misc for a full list.
- add Tor Browser first startup popup to ask whether security slider should be set to safest
- documented how to use recovery mode
- enable sdwdate-gui in Qubes by default
- Qubes-Whonix users who use multiple Whonix-Gateway should note the updated instructions for multiple Whonix-Workstation due to the introduction of sdwdate-gui
- disable whonixcheck “Connecting to Tor…”, “Connected to Tor.” messages [1]
- Anonymize /etc/machine-id
- fix anon-connection-wizard truncated text
- anon-gpg-tweaks: disable keyservers (gpg --recv-keys fails / no longer use keyservers for anything)
- add support for OnionShare “bundled Tor”
- apparmor-profile-torbrowser updates (Why does the Tor Browser AppArmor profile have sys_admin, sys_chroot and ptrace capabilities?)
- Enable APT seccomp sandboxing.
- package str_replace - literal search and replace
- msgcollector security hardening
- systemd unit file hardening of services maintained by Whonix
- Non-Qubes-Whonix: show pulseaudio plugin by default
- Non-Qubes-Whonix: add arc-theme, gnome-themes-extra, gnome-themes-extra-data, gtk2-engines-murrine
- SUDO_EDITOR="mousepad" only if mousepad is installed and only if environment variable SUDO_EDITOR is not already set
- Qubes-Whonix: speed up start of Tor Browser in DispVM (reference)
- Tor Browser Updater (by Whonix developers): reduce old versions being kept to 0 in /var/cache/tb-binary
- Tor Browser Starter (tb-starter) (by Whonix developers) hardening: implement optional --hardening / tb_hardening="true" (using firejail and/or hardened-malloc) see documentation
- install Hardened Malloc - Hardened Memory Allocator by default to ease usage but not use it by default to avoid breakage
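Several of the kernel-hardening items in the list above (panic on oops, root-only kernel logs, hidden kernel symbols, disabled kexec, restricted ptrace and BPF, /proc mounted with hidepid=2) can be checked after an upgrade. The following audit sketch is an added example, not code from Whonix or security-misc; the function names, the sample input and the thresholds other than kernel.panic_on_oops=1 are assumptions based on the kernel's sysctl documentation.

```python
# Thresholds are assumptions based on the kernel's sysctl documentation;
# the list above only states kernel.panic_on_oops=1 explicitly.
CHECKS = {
    "kernel.panic_on_oops": lambda v: v == 1,              # panic on oops
    "kernel.dmesg_restrict": lambda v: v >= 1,             # kernel logs root-only
    "kernel.kptr_restrict": lambda v: v >= 1,              # hide kernel symbol addresses
    "kernel.kexec_load_disabled": lambda v: v == 1,        # kexec disabled
    "kernel.yama.ptrace_scope": lambda v: v >= 2,          # ptrace privileged-only
    "kernel.unprivileged_bpf_disabled": lambda v: v >= 1,  # BPF privileged-only
    "net.core.bpf_jit_harden": lambda v: v >= 1,           # BPF JIT hardening
}

def parse_sysctl(text):
    # Parse `sysctl -a` style lines ("key = value"), keeping integer values only.
    values = {}
    for line in text.splitlines():
        key, _, val = line.partition("=")
        try:
            values[key.strip()] = int(val.strip())
        except ValueError:
            continue  # non-integer or malformed line
    return values

def proc_hidepid_ok(mounts_text):
    # The last /proc entry is the effective one; newer kernels print
    # hidepid=2 as hidepid=invisible.
    ok = False
    for line in mounts_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1] == "/proc":
            ok = bool({"hidepid=2", "hidepid=invisible"} & set(f[3].split(",")))
    return ok

def audit(sysctl_text, mounts_text):
    # Return one finding per setting that is missing or weaker than CHECKS.
    values = parse_sysctl(sysctl_text)
    findings = []
    for key, passes in CHECKS.items():
        if key not in values:
            findings.append(f"{key} not reported")
        elif not passes(values[key]):
            findings.append(f"{key} = {values[key]}")
    if not proc_hidepid_ok(mounts_text):
        findings.append("/proc mounted without hidepid=2")
    return findings

# Constructed sample input, not captured from a real system.
SAMPLE_SYSCTL = ("kernel.panic_on_oops = 1\nkernel.dmesg_restrict = 1\nkernel.kptr_restrict = 2\n"
                 "kernel.kexec_load_disabled = 0\nkernel.yama.ptrace_scope = 1\n"
                 "kernel.hostname = host\nkernel.unprivileged_bpf_disabled = 1\n")
SAMPLE_MOUNTS = "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
print("\n".join(audit(SAMPLE_SYSCTL, SAMPLE_MOUNTS)))
```

On a live system, pass the output of `sysctl -a` (run as root, since some keys are not readable otherwise) and the contents of /proc/mounts to audit().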
Interesting for developers:
- add anon-base-files to whonix-host-xfce-kvm-freedom
- add hardened-malloc to hardened-packages-dependencies-cli
- remove unneeded dependency live-config-systemd
- anon-base-files:
- do not create home folder during postinst
- Leave user ‘user’ creation to Qubes.
- fix, actually use --no-create-home
[1] In favor of sdwdate-gui. whonixcheck connectivity check code checks Tor as well as sdwdate. Due to Tor/onion slowness it often times out. Since improving that code is difficult, sdwdate-gui is used instead as a solution that provides better visual feedback to users.
This release would not have been possible without the numerous supporters of Whonix!
Please Donate!