Operating System Hardening
- 1 Debian
- 2 Vulnerabilities at Install Time
- 3 Footnotes
- 4 License
Debian Security Announcements
Since Whonix is based on Debian, it takes advantage of all the hard work done by the Debian security team: 
Debian takes security very seriously. We handle all security problems brought to our attention and ensure that they are corrected within a reasonable timeframe. Many advisories are coordinated with other free software vendors and are published the same day a vulnerability is made public and we also have a Security Audit team that reviews the archive looking for new or unfixed security bugs.
Experience has shown that "security through obscurity" does not work. Public disclosure allows for more rapid and better solutions to security problems. In that vein, this page addresses Debian's status with respect to various known security holes, which could potentially affect Debian.
Users should consider subscribing to the Debian security announcement mailing list to stay informed about the latest security advisories.
Most hardening steps cannot be easily added to Whonix by default. Any major changes require careful research and significant developer/tester effort, otherwise system errors or breakage may occur. This is an open topic and Whonix developers are amenable to suggestions, as improving operating system security is a primary design goal.
Before attempting additional hardening measures below, be sure to fully understood them and apply the steps carefully:
- Debian Hardening Walkthrough
- Debian Security Information
- Securing Debian Manual
Readers are welcome to add any additional hardening resources to this list.
The upstream Kernel Self Protection Project (KSPP)  was established in 2015 with the goal of introducing more hardening features into mainline Linux. This includes many features found in the Grsecurity patchset, which was publicly available until early 2017. One advantage of KSPP is that users will no longer need to compile and tweak settings to create a secure kernel, as many hardening features become the default over time in various distributions. Up-to-date information on available hardening features can be viewed here.
The Hardened Kernel Project is a collaborative effort between Arch and Gentoo developers who handled Grsecurity packaging in their respective distributions with the goal of accelerating mainlining of the patchset. 
While kernel hardening is important, it only addresses a subset of security risks. It cannot protect against backdoors or security issues related to design, policy or yet unknown exploit classes.
Harden Software Repositories
Many operating systems provide multiple repositories. Since the Whonix implementation is based on Debian, these resources provide a suitable introduction for interested readers:
In summary, these resources confirm the main repository receives the most developer attention and security updates. This suggests possible hardening might involve editing /etc/apt/sources.list to strictly limit software to the main repository, while only installing security fixes and no other updates.
Whonix has not implemented this design by default and it is an open research question whether this will actually improve security.
Vulnerabilities at Install Time
Various installation media expose users to vulnerabilities, and those affected include:
- Importable VM images: Whonix and other images.
- Installer DVDs: Debian and other major platforms.
- Live DVDs: Tails and similar platforms.
- VM Images built with frozen sources: Platforms without current sources.
The threat arises because the latest stable releases sometimes contain vulnerable, remotely exploitable applications. These applications are very likely to be used over untrusted networks  which are in a position to run man-in-the-middle attacks. One example of this vulnerability was [CVE-2014-6273], which affected apt-get in 2014.
Readers are welcome to help research this issue further, and document sane and effective solutions. 
Always Up-to-date Builds
If Whonix regularly released up-to-date builds, this would be an optimal solution for end users. However, the maintenance effort -- building, testing and uploading -- is resource-intensive and not currently feasible for the Whonix team.
Greater community support is needed for testing proposed Whonix package updates and major new releases, alongside an automated test suite for Whonix.
When using virtual machines, Whonix-Gateway could be configured to use the host apt-cache. Physically-isolated Whonix-Gateways could use an apt-cache running on a separate machine. apt-cacher-ng is an example implementation of such an apt-cache.
This configuration does not anonymize operating system updates by default, which is a big disadvantage.  It would be first necessary to determine how to configure apt-cacher-ng on the host to force downloads through Tor.
Eventually Whonix-Workstation could use an apt-cache that is running on Whonix-Gateway. Unfortunately, this would increase the Whonix-Gateway attack surface if/when Whonix-Workstation is compromised. On the other hand, it would decrease the Whonix-Workstation attack surface if/when a vulnerable apt-get is used for downloads over untrusted Tor exit relays.
Another possibility is somehow using apt-offline to complete the initial updates of both Whonix-Gateway and Whonix-Workstation.
Building from Source Code using Current Sources
Self-created Whonix builds from source code use current sources, thereby solving this problem. Although frozen sources have been deprecated for reasons outlined in Build documentation; using current sources comes with its own issues.
- Such as Tor exit relays.
- Forum discussion.
- This leaks a list of installed packages to ISP-level adversaries and update servers. For example, if a user installed a webserver that is likely to be used to host a hidden web service, then this information would leaked.
Whonix Operating System Hardening wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Operating System Hardening wiki page Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <firstname.lastname@example.org>
This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.