Actions

security-misc - Enhances Miscellaneous Security Settings

From Whonix



Securitymisc.jpg

Stable Features[edit]

Described here [archive].

Testing Features[edit]

Reduce Kernel Information Leaks[edit]

  • Security Impact: There are many of hardware, kernel, debug information, etc. in /sys, which is especially problematic and has been the cause of many infoleaks such as kernel pointer leaks.
  • Privacy/Anonymity Impact: Details about your hardware can be used for identification.
  • Threat: This information is per Debian (and probably most popular Linux distributions) available to attackers with local code execution privileges which includes,
    • malicious applications collecting such information and submitting it to data collectors,
    • as well as both, compromised non-privileged users and the privileged root user.
  • Non-Threat: This information does not randomly leak to third parties on clean (non-compromised) machines through use of legitimate applications such as the APT package manager.
  • Goal: This information should by default be unavailable to non-privileged users and untrusted root.
  • Solution: Therefore security-misc includes the hide-hardware-info.service systemd unit.
    • Restricts access to /sys, /proc/cpuinfo, /proc/bus, and /proc/scsi to the root user only.
    • This also hides most hardware identifiers.
  • Status: This setting is disabled by default because it might break many applications. Testers-only! Call for testers and forum discussion: Restrict Hardware Information to Root - Testers Wanted! [archive]
  • Enable: It can optionally be enabled by running the following command.
    • sudo systemctl enable hide-hardware-info.service

    • Reboot required.
    • A whitelist that allows specific applications to access /sys and /proc/cpuinfo is enabled by default to maintain basic functionality. [1] For example, this allows the launching of applications like XFCE.
  • Limitations of Solution:
    • Attackers which gained root compromise and/or malicious/compromised whitelisted applications have access to this information.
    • Cannot hide CPUID [archive]. [2]
  • Possible Future Enhancements: untrusted root

Whitelisting Applications[edit]

To whitelist applications, they must be run under the sysfs group (if allowing access to /sys) and/or the cpuinfo group (if allowing access to /proc/cpuinfo).

Remember that any whitelisted applications add to the attack surface. An attacker can attempt to exploit a vulnerability in the whitelisted application(s) to gain access to hardware information.

addgroup method[edit]

For example, to add user user to group cpuinfo, run the following command. (Note, this is weakening protections.)

sudo addgroup user cpuinfo

For example, to add user user to group sysfs, run the following command. (Note, this is weakening protections.)

sudo addgroup user sysfs

Re-login required after changing groups. Easiest: reboot. [3] [4]

For example, after reboot it would be possible to run the cpu-info utility (from Debian package cpuinfo).

cpu-info

systemd[edit]

For example, to run a systemd service as the sysfs group, create a drop-in directory and add the following.

[Service]
SupplementaryGroups=sysfs

setgid method[edit]

To run a specific binary as the sysfs group, the binary must be owned by the sysfs group and be made setgid. To achieve this, change the ownership of the binary by running the following.

sudo chgrp sysfs /path/to/binary

Then make the binary setgid.

sudo chmod g+s /path/to/binary

The binary will now run with the permissions of the sysfs group and have access to /sys.

All of these steps can also be applied to the cpuinfo group.

Disable the Whitelist[edit]

In order to reduce the attack surface as much as possible, optionally the whitelist can be disabled entirely.

Open file /etc/hide-hardware-info.d/30_whitelist.conf in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

This box uses sudoedit for better security [archive]. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/hide-hardware-info.d/30_whitelist.conf

Uncomment the sysfs_whitelist=0 and cpuinfo_whitelist=0 sections to disable the whitelist.

Note that this setting will break many applications; for example, the desktop environment will not even start. Do not perform this action unless you understand the implications and can reverse the change.

SUID Disabler and Permission Hardener[edit]

See SUID Disabler and Permission Hardener.

hidepid[edit]

TODO: document

sudo systemctl enable proc-hidepid.service

Experimental Features[edit]

Unreleased. (Developers only.) Will flow into other repositories as per usual.

Remount Secure[edit]

Feature not ready!

sudo touch /etc/noexec

Installation of security-misc[edit]

Whonix / Kicksecure default admin password is: changeme This chapter is only required for users which aren't users of Whonix or Kicksecure. That is because security-misc is installed by default in Whonix and Kicksecure.

Prerequisites:

  • Debian buster installed.
  • User account user exists.

Become root. [5]

su

Install sudo and adduser.

Install sudo adduser.

1. Update the package lists.

sudo apt-get update

2. Upgrade the system.

sudo apt-get dist-upgrade

3. Install the sudo adduser package.

Using apt-get command line parameter --no-install-recommends is in most cases optional.

sudo apt-get install --no-install-recommends sudo adduser

The procedure of installing sudo adduser is complete.

The following commands need to be run either by root or use sudo.

Create group console.

addgroup --system console

Add user user to group console.

adduser user console

Add user user to group sudo.

adduser user sudo

Reboot.

reboot

Add Whonix ™ Repository.

Choose either: Option A, Option B OR Option C.

Option A: Add Whonix ™ Onion Repository.

To add Whonix ™ Repository over Onion please press on expand on the right.

Install apt-transport-tor from the Debian repository.

sudo apt-get install apt-transport-tor

Add Whonix's APT repository for default Whonix using Debian stable. At the time of writing this was buster.

echo "deb tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list

Option B: Add Whonix ™ Clearnet Repository over Tor.

To add Whonix ™ Repository over torified clearnet please press on expand on the right.

Install apt-transport-tor from the Debian repository.

sudo apt-get install apt-transport-tor

Add Whonix's APT repository for default Whonix using Debian stable. At the time of writing this was buster.

echo "deb tor+https://deb.Whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list

Option C: Add Whonix Clearnet Repository over clearnet.

To add Whonix ™ Repository over clearnet please press on expand on the right.

Add Whonix's APT repository for default Whonix using Debian stable. At the time of writing this was buster.

echo "deb https://deb.Whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list

Install security-misc.

Install security-misc.

1. Update the package lists.

sudo apt-get update

2. Upgrade the system.

sudo apt-get dist-upgrade

3. Install the security-misc package.

Using apt-get command line parameter --no-install-recommends is in most cases optional.

sudo apt-get install --no-install-recommends security-misc

The procedure of installing security-misc is complete.

selinux[edit]

Community Support Only!:
Info

Community Support Only means Whonix ™ developers are unlikely to provide free support for wiki chapters or pages with this tag. See Community Support for further information, including implications and possible alternatives.

References[edit]

  1. https://gitlab.com/whonix/security-misc/-/blob/master/lib/systemd/system/user@.service.d/sysfs.conf [archive]
  2. No reboot required: Use the execute command as different group ID command line utility sg to execute the cpu-info (from Debian package cpuinfo) application under group cpuinfo.
    sg cpuinfo cpu-info

  3. Also no reboot required:
    sudo -u user bash

    cpu-info

    Or.

    sudo -u user cpu-info

  4. One way or another.


text=Jobs in USA
Jobs in USA


Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki


Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png Iconfinder Apple Mail 2697658.png Reddit.jpg Hacker.news.jpg 200px-Mastodon Logotype (Simple).svg.png

We are looking for contributors and developers.

https link onion link

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.

Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.