System Hardening Checklist

From Whonix

About this page
Contributor-maintained wiki page.
Support status: stable
Difficulty: easy
Contributor: torjunkie

Whonix comes with many security features. Whonix is hardened by default (it inherits the Kicksecure hardening) and also provides extensive documentation, including this System Hardening Checklist. The more you know, the safer you can be.

This page is targeted at users who wish to improve the security of their systems for even greater protection.

Introduction[edit]

Note: Recommendations specific to Qubes-Whonix or Non-Qubes-Whonix are marked accordingly.

It is possible to significantly harden the Whonix and/or host platform. This reduces the likelihood of a temporary or persistent compromise, while increasing the chances of successful, anonymous activity. Hardening is dependent upon a user's skill set, motivation and available hardware. The checklist below is intended to provide a quick overview of important issues, categorized by difficulty level - easy, moderate, difficult and expert.

Easy[edit]

Anonymous Blogging, Posting, Chat, Email and File Sharing[edit]

  • To remain anonymous, follow all the Whonix recommendations to minimize the threats of keyboard/mouse biometrics, stylometric analysis and other covert channels.
    • A browser is an unsafe environment in which to write text directly, regardless of whether it is a forum post, email, webmail or IMAP reply.
      • At a minimum, never type into a browser with JavaScript enabled, since JavaScript lets a page record keystroke timing and so fingerprint the typist. Write the text in an offline text editor and copy and paste it into the web interface once it is complete.
  • Remove metadata from documents, pictures, videos or other files before uploading them to the Internet.
  • Think twice before sharing "anonymous" photos: every camera sensor leaves a unique noise pattern in its images, and there is no known reliable countermeasure.
  • Be careful sharing anonymous documents. Digital watermarks with embedded covert data are robust, so run documents through Optical Character Recognition (OCR) and share the re-typed output rather than the original.
  • Utilize OnionShare to anonymously share or receive files securely over the Tor network, anonymously chat, or host anonymous websites. [1]

Command Line Operations[edit]

  • Do not run commands unless they are completely understood -- first refer to a suitable Whonix wiki resource if available.
  • If root privileges are required, run the command with sudo rather than logging in as root or using sudo su. [2]
  • Defeat login spoofing with the Secure Attention Key (SAK; SysRq + k), which kills every process on the current virtual console so that only the genuine login prompt remains.
  • Consider enabling the Magic SysRq key functionality as insurance against system malfunctions; it assists system recovery and limits the potential harm of a malware compromise.

Disabling and Minimizing Hardware Risks[edit]

Entropy[edit]

  • To mitigate inadequate entropy seeding of the Linux random number generator (RNG), install a daemon that feeds additional randomness into the kernel pool, such as jitterentropy-rngd or haveged. [9] [10]

Dedicated Computer[edit]

For high security, it is best to use a dedicated, physically separate computer only for the purpose of using Whonix and nothing else. For other use cases, use completely different hardware, including a different screen.

This limits the impact of VM hardware fingerprinting should a VM ever be compromised.

See also: Use a Dedicated Host Operating System and Computer (Kicksecure wiki)

Related: VM Fingerprinting

Forum discussion: https://forums.whonix.org/t/high-opsec-recommendation/17237

File Handling[edit]

Note: Qubes-Whonix only.

  • In the File Manager, disable previews of files from untrusted sources. Change the file preferences in the Template's File Manager so that future App Qubes inherit this setting.
  • Files received or downloaded from untrusted sources (the internet, email etc.) should not be opened in a trusted VM. Instead, open them in a Disposable: right-click the file and choose Open In Disposable.
  • Untrusted PDFs should be opened in a Disposable or converted into a trusted (sanitized) PDF to prevent exploitation of the PDF reader and potential infection of the VM.

File Folder Permissions[edit]

  • The Linux user account nobody has no special meaning.
  • Likewise, the Linux group nogroup has no special meaning.
  • Therefore, avoid running programs as user nobody and/or group nogroup, and avoid setting file or folder permissions to that user / group. [11]

File Storage Location[edit]

Mandatory Access Control[edit]

  • Enable all available apparmor profiles in the Whonix-Workstation and Whonix-Gateway Templates.
  • Enable seccomp on Whonix-Gateway (sys-whonix ProxyVM).
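After switching every available profile to enforce mode, check the kernel log for apparmor="DENIED" events: each one is a profile blocking an access some program attempted, which is either a profile that is too tight and needs fixing or a program doing something it should not. The following is an added example, not Whonix code and not part of AppArmor: a POSIX shell function that summarises such events by profile, operation and path. The log lines in the block are constructed for the example (the field layout follows the kernel's AppArmor audit format; the profile names, paths and timestamps are made up); on a real system, feed it the output of sudo journalctl -k or sudo dmesg instead.

```shell
#!/bin/sh
# Added example (not Whonix code): summarise AppArmor denials from kernel log
# lines. Assumes POSIX sh, awk, sort and uniq. Input: audit lines on stdin.

# Print "profile operation name count" for every distinct DENIED event,
# most frequent first. Lines without apparmor="DENIED" are ignored.
aa_denials() {
  awk '
    /apparmor="DENIED"/ {
      p = o = n = "-"
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        v = kv[2]; gsub(/["]/, "", v)
        if (kv[1] == "profile")   p = v
        if (kv[1] == "operation") o = v
        if (kv[1] == "name")      n = v
      }
      print p, o, n
    }' | sort | uniq -c | sort -rn | awk '{ print $2, $3, $4, $1 }'
}

# Constructed sample lines: the shape of real AppArmor audit messages, but the
# profile, paths, pids and timestamps are invented for this example.
SAMPLE_LOG='audit: type=1400 audit(1700000000.001:101): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/shadow" pid=1234 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1700000000.002:102): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/shadow" pid=1234 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1700000000.003:103): apparmor="ALLOWED" operation="open" profile="/usr/bin/other" name="/tmp/x" pid=1235 comm="other" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.004:104): apparmor="DENIED" operation="exec" profile="/usr/bin/example" name="/bin/sh" pid=1236 comm="example" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0'

# Number of distinct denied (profile, operation, name) triples in the sample.
sample_denial_kinds() { printf '%s\n' "$SAMPLE_LOG" | aa_denials | wc -l | tr -d ' '; }

# Most frequent denial in the sample, as "profile operation name count".
sample_top_denial() { printf '%s\n' "$SAMPLE_LOG" | aa_denials | head -n 1; }

# Stand-alone run over the constructed sample. On a real host use:
#   sudo journalctl -k | aa_denials
printf '%s\n' "$SAMPLE_LOG" | aa_denials
```

A denial for a path the program legitimately needs is fixed by adding a rule to the local override file for that profile (under /etc/apparmor.d/local/) and reloading the profile, not by dropping the profile back to complain mode.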

Mobile Devices[edit]

Warning: Phones, smartphones, smartwatches, tablets and similar mobile devices are vulnerable to advanced malware and can be abused for eavesdropping, espionage, location tracking and more.

Passwords and Logins[edit]

  • Use strong, unique and random passwords for all online accounts, system logins and encryption / decryption purposes, so that brute-force attacks are infeasible.
  • Use a trusted password manager (KeePassXC) [13], so hundreds of different passwords can be kept in an encrypted password database protected by one strong master password. [14]
  • For high-entropy passwords, consider using Diceware passphrases. [15]
  • In Qubes-Whonix, store all login credentials and passwords in an offline vault VM (preferably with KeePassXC) and copy and paste them into Tor Browser via the Qubes inter-VM clipboard. [16]
  • Read and follow all the principles for stronger passwords.
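Diceware derives each word from five rolls of a fair die, so the strength of a passphrase depends only on the number of words and the size of the list, not on the words chosen. The following is an added example, not Whonix or Diceware project code: a POSIX shell implementation that rolls unbiased dice from /dev/urandom (rejecting bytes that would introduce modulo bias), looks the rolls up in a word list, and reports the resulting entropy. It assumes a word list in the usual "five dice digits, word" line format; the placeholder list it builds for running offline is constructed for the example and must be replaced by a real Diceware or EFF list.

```shell
#!/bin/sh
# Added example (not Whonix code): Diceware-style passphrases from /dev/urandom.
# Assumes POSIX sh, od, awk and tr, and a word list whose lines look like
# "31452 word" (the layout of the Diceware and EFF lists).

# One unbiased die roll (1..6). A random byte is 0..255; 252 is the largest
# multiple of 6 below 256, so bytes >= 252 are rejected to avoid modulo bias.
die_roll() {
  while :; do
    b=$(od -An -N1 -tu1 /dev/urandom | tr -d ' ')
    if [ "$b" -lt 252 ]; then
      echo $(( b % 6 + 1 ))
      return 0
    fi
  done
}

# Five rolls form one Diceware index such as 31452.
diceware_index() {
  i=0; idx=""
  while [ "$i" -lt 5 ]; do
    idx="$idx$(die_roll)"
    i=$((i + 1))
  done
  echo "$idx"
}

# Entropy in bits of N words drawn uniformly from a list of SIZE entries
# (default 7776 = 6^5, i.e. about 12.9 bits per word).
entropy_bits() {
  awk -v n="$1" -v s="${2:-7776}" 'BEGIN { printf "%.1f\n", n * log(s) / log(2) }'
}

# Draw N words from the word list file LIST, rolling fresh dice for each word.
diceware_passphrase() {
  n="$1"; list="$2"; out=""
  while [ "$n" -gt 0 ]; do
    w=$(awk -v k="$(diceware_index)" '$1 == k { print $2; exit }' "$list")
    out="${out:+$out }$w"
    n=$((n - 1))
  done
  echo "$out"
}

# Constructed stand-in list so the example runs offline: every index maps to
# the placeholder word "w<index>". Use a real Diceware/EFF list in practice.
make_placeholder_list() {
  awk 'BEGIN {
    for (a = 1; a <= 6; a++) for (b = 1; b <= 6; b++) for (c = 1; c <= 6; c++)
      for (d = 1; d <= 6; d++) for (e = 1; e <= 6; e++)
        print a b c d e, "w" a b c d e
  }' > "$1"
}

# Number of words in a passphrase (sanity check for the functions above).
word_count() { echo "$1" | wc -w | tr -d ' '; }
```

With the standard 7776-word list, entropy_bits 7 reports about 90 bits and entropy_bits 10 about 129 bits; a passphrase generated by a person "picking random words" has far less, because people do not choose uniformly.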

Screensavers[edit]

Secure Downloads[edit]

  • Download Internet files from the command line with scurl rather than wget; scurl refuses plain-HTTP and old-TLS connections.
  • When downloading with Tor Browser, prevent SSL-stripping attacks by typing https:// links directly into the URL / address bar.
  • Prefer downloads from onion services, which provide greater security and anonymity than https.
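The properties scurl enforces can be spelled out as a small download helper, which also adds the step the list leaves implicit: verifying the downloaded file against a digest obtained out of band. The block below is an added example, not Whonix code and not a copy of the scurl wrapper; it assumes curl and sha256sum are available. The policy it implements is this editor's, not Whonix's: https:// is always allowed, plain http:// only for .onion hosts (where Tor supplies encryption and endpoint authentication), and every other scheme is rejected so that a redirect cannot silently downgrade the transfer.

```shell
#!/bin/sh
# Added example (not Whonix code, not the scurl wrapper): a download helper
# that refuses insecure transports and verifies the result. Assumes POSIX sh,
# curl and sha256sum.

# Accept https:// URLs, and plain http:// only when the host is a .onion.
# Everything else (clearnet http, ftp, file, ...) is refused.
url_allowed() {
  case "$1" in
    https://*) return 0 ;;
    http://*)
      host=${1#http://}; host=${host%%/*}; host=${host%%:*}
      case "$host" in *.onion) return 0 ;; esac
      return 1 ;;
    *) return 1 ;;
  esac
}

# Download URL to OUT. --proto and --proto-redir pin the scheme for the
# request and any redirect; --tlsv1.2 refuses older TLS; --fail turns an
# HTTP error into a non-zero exit instead of saving an error page as OUT.
secure_fetch() {
  url="$1"; out="$2"
  url_allowed "$url" || { echo "refusing insecure URL: $url" >&2; return 2; }
  case "$url" in
    https://*) protos="=https" ;;
    *)         protos="=http" ;;   # reached only for .onion hosts
  esac
  curl --proto "$protos" --proto-redir "$protos" --tlsv1.2 --fail --silent \
       --show-error --location --max-redirs 3 -o "$out" "$url"
}

# Compare FILE with an expected SHA-256 hex digest obtained out of band
# (for example from a signed release announcement).
verify_sha256() {
  file="$1"; expected="$2"
  actual=$(sha256sum "$file" | awk '{ print $1 }')
  [ "$actual" = "$expected" ]
}

# Fetch and verify in one step; a file with the wrong digest is deleted.
fetch_and_verify() {
  secure_fetch "$1" "$2" || return $?
  verify_sha256 "$2" "$3" || { rm -f "$2"; echo "checksum mismatch: $2" >&2; return 3; }
}
```

The digest check only helps if the expected value did not travel over the same channel as the file; a checksum published on the same web page as the download is defeated by whoever can alter that page.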

Secure Qubes Operation[edit]

Note: Qubes-Whonix only.

Secure Software Installation[edit]

Updates[edit]

  • Operating system updates: It is crucial to regularly check for operating system updates on the host operating system and on both Whonix-Workstation and Whonix-Gateway.
  • Stay informed: Subscribe to and read the Whonix news category 'important-news' to stay in touch with ongoing developments. This provides notifications of important security advisories, potential upgrade issues and releases that address identified problems, such as those affecting the updater or other core components. Follow Whonix Developments.
  • Debian Security Announcements: Since Whonix is based on Debian, users should consider subscribing to the Debian security announcement mailing list to stay informed about the latest security advisories. See also the chapter Debian Security Announcements.

Tor Browser Series and Settings[edit]

Virtual Machines[edit]

All Virtualizers[edit]

VirtualBox[edit]

Warrant Canary[edit]

Moderate[edit]

Create a USB Qube[edit]

Note: Qubes-Whonix only.

Host Operating System Distribution[edit]

Note: Non-Qubes-Whonix only.

  • For a truly private operating system, install GNU/Linux on the host. [33]
  • The Debian distribution is recommended by Whonix as providing a reasonable balance of security and usability.
    • Consider installing the Kicksecure Debian derivative, since it has considerable security hardening by default. [34]

Host Operating System Hardening[edit]

All Platforms[edit]

Non-Qubes-Whonix Only[edit]

  • Harden the host Debian Linux OS.

Kernels / Kernel Modules[edit]

Note:

  • Cutting-edge kernels can destabilize the system or cause boot failures.
  • Newer kernels can expose additional vulnerabilities; see footnotes. [35] [36]
  • Kernel modules in Qubes and Qubes-Whonix usually require configuration of a Qubes VM Kernel.

Live-mode[edit]

Note: Non-Qubes-Whonix only.

Networking[edit]

All Platforms[edit]

  • If possible, use a dedicated network connection (LAN, WiFi etc.) that is not shared with other potentially compromised computers.
  • If using a shared network via a common cable modem/router or ADSL router, configure a de-militarized zone (DMZ, perimeter network) for the Whonix machine. [44]
  • Test the LAN's router/firewall with either an internet port scanning service or preferably a port scanning application from an external IP address.
  • Change the default administration password on the router to a unique, random, and suitably long Diceware passphrase to prevent bruteforcing attacks.
  • WiFi users should default to WPA2-AES or WPA3; these protocols are safer and have stronger encryption than their predecessors. [45] [46]
  • Follow all other Whonix recommendations to lock down the router.
  • Disable TCP SACK to limit the risk of remote DoS and other attacks.

Qubes-Whonix Only[edit]

Sandboxing[edit]

Spoof MAC Addresses[edit]

Tip: MAC spoofing is only necessary when travelling with a laptop or PC. It is not required for home PCs that do not change locations.

Time Related[edit]

Tor Settings[edit]

Whonix VM Security[edit]

  • Consider disabling the Control Port Filter Proxy to reduce the attack surface of both the Whonix-Gateway and Whonix-Workstation.
  • Consider hardening systemcheck.
  • Consider the periodic deletion and recreation of VMs that are used for sensitive operations.
    • If a compromise of Whonix-Gateway and/or Whonix-Workstation is suspected, follow the compromise recovery instructions.

Difficult[edit]

Anti-Evil Maid[edit]

Chaining Anonymizing Tunnels[edit]

Disposables[edit]

Note: Qubes / Qubes-Whonix only. Some traces of Disposable usage and data contents leak into the dom0 filesystem and survive reboots. (This is a Qubes-specific issue and unrelated to Whonix.)

Email[edit]

All Platforms[edit]

Qubes-Whonix Only[edit]

  • Use split-GPG for email to reduce the risk of theft of the keys used for encryption / decryption and signing.
  • Create an App Qube that is used exclusively for email and change the VM's firewall settings to allow network connections to the email server and nothing else ("Deny network access except...").
  • Only open untrusted email attachments in a Disposable to prevent possible infection.

Ethernet/FDDI Station Activity Monitor[edit]

Flash the Router with Opensource Firmware[edit]

Warning: risk of bricking your router!

Mix Personal Tor Traffic with Own Tor Bridge or Relay[edit]

Multi-Factor User Authentication[edit]

  • Set up two-factor authentication (2FA) to strengthen the security of online accounts, smartphones, web services, access to physical locations and other implementations.
  • Configure PAM USB as a module that only permits user authentication when a token (a USB stick holding a one-time password) is inserted.
  • For secure account logins, utilize a Nitrokey hardware authentication device, which supports one-time passwords, public-key encryption, and the Universal 2nd Factor (U2F) and FIDO2 protocols.
    • Qubes: Check the YubiKey instructions (the procedure for a Nitrokey is much the same) to enhance the security of Qubes user authentication, mitigate the risk of password snooping, and improve USB keyboard security.

Systemd Sandboxing[edit]

Whitelisting Tor Traffic[edit]

Expert[edit]

Disable Intel ME Functionality[edit]

Warning: high risk of bricking your computer!

Disable SUID-enabled Binaries[edit]

Note: This is an experimental feature recommended for testers.
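Whether or not the experimental feature is enabled, it is worth knowing which set-UID and set-GID executables a system carries, since each one is code that runs with privileges on behalf of an unprivileged caller. The block below is an added example, not Whonix or security-misc code: a POSIX shell audit that lists such files below a directory and reports any that are not on an allowlist the administrator maintains. The allowlist format (one absolute path per line) and the temporary files used when exercising it are this example's own conventions.

```shell
#!/bin/sh
# Added example (not Whonix code): enumerate SUID/SGID executables and flag
# those missing from an allowlist. Assumes POSIX sh, find and awk.

# Print, sorted, every regular file below ROOT with the SUID or SGID bit set.
# -xdev keeps the scan on one filesystem so /proc and network mounts are skipped.
list_suid_sgid() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print SUID/SGID files below ROOT that are not listed in ALLOWFILE (one
# absolute path per line). Returns the number of unexpected files, 0 if none.
suid_unexpected() {
  list_suid_sgid "$1" | awk -v allow="$2" '
    BEGIN { while ((getline l < allow) > 0) ok[l] = 1; close(allow) }
    !($0 in ok) { print; n++ }
    END { exit n + 0 }'
}
```

Run it as suid_unexpected / /etc/suid-allowlist (the allowlist path is an assumption) after each upgrade; a new entry means a package added a privileged binary, and a binary that should have been neutralised by the hardening feature can be stripped manually with sudo chmod u-s,g-s on the file.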

Opensource Firmware[edit]

  • Libreboot is no longer recommended as a proprietary firmware alternative; see footnote. [71]
  • Coreboot is a possible BIOS/UEFI firmware alternative; consider purchasing hardware that has it pre-installed (like Chromebooks), or research flashing procedures for the handful of refurbished motherboards that support it.
    • Exception: Several laptops meet Qubes' Certified Hardware requirements and ship with Coreboot, Heads and a partially disabled Intel Management Engine.

Physical Isolation[edit]

Note: Non-Qubes-Whonix only.

Footnotes[edit]

  1. OnionShare 2.0 and higher enforce v3 onion connections. Whonix 16 is based on Debian bullseye, which provides OnionShare 2.2.
  2. This reduces the likelihood of a successful root or non-root user compromise.
  3. Whonix 16 and later versions disable the root account by default.
  4. https://forums.whonix.org/t/use-sudoedit-in-whonix-documentation-and-whonix-software/7599
  5. This addresses spying techniques:
  6. This applies to both Intel and AMD architecture.
  7. While this may introduce new vulnerabilities, this is objectively better than running a system that is vulnerable to known attacks.
  8. This hides hardware identifiers from unprivileged users.
  9. sudo apt install jitterentropy-rngd
  10. sudo apt install haveged
  11. https://forums.whonix.org/t/delete-disable-nobody-user-from-whonix-passwd/14085
  12. The reason is that AppArmor profiles (and possibly other mandatory access control frameworks) are unlikely to allow access to these folders by default.
  13. Debian KeePassXC package.
  14. For greater security, store the password manager off-line.
  15. To estimate strength: each word from the standard 7776-word Diceware list contributes log2(7776), about 12.9 bits, so a 7-word passphrase provides ~90 bits of entropy and a 10-word passphrase ~129 bits.
  16. For greater safety, copy something else into the clipboard after pasting so the password is purged and cannot be accidentally pasted elsewhere.
  17. For example, sensitive notifications (pop-up dialog boxes) can appear over the screensaver while locked, and screensaver bypass bugs are common. See also: Screen Locker (In)Security - Can we disable these at least 4 backdoors?
  18. Also see: Disconnecting a video output can cause XScreenSaver to crash (QSB-068, CVE-2021-34557).
  19. The Whonix and Debian repositories are no longer set to onion mirrors by default due to stability issues. This decision will be reviewed in the future once v3 onions have further matured.
  20. If a keyserver is required, utilize the v3 onion address for keys.openpgp.org: http://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion
  21. Tor Blog:

    Note: this is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

  22. Selfrando (load-time memory randomization) protection has been removed from alpha Tor Browser Linux builds. Although Selfrando provides a security improvement over the standard address space layout randomization (ASLR) present in Tor Browser and other browsers, Tor developers believe it is relatively easy for attackers to bypass and not worth the effort.
  23. The "hardened" Tor Browser series has been deprecated, see: https://gitlab.torproject.org/legacy/trac/-/issues/21912
  24. Following the official release of the v8.0+ Tor Browser series (based on Firefox 60 ESR), the stable and alpha Tor Browser versions both have a native sandbox.
  25. This may affect usability and proper functioning on some websites.
  26. This is more secure, but increases the user's fingerprinting risk due to selective use of Javascript.
  27. Take care to observe you stay within the Tor network -- 'downgrade' attacks have been observed that result in clearnet URLs being loaded in place of onion services across successive page loads on some sites.
  28. Thereby circumventing any possible future problems, like the breakage of Whonix.
  29. Bidirectional clipboard sharing is currently enabled by default in Whonix VirtualBox VMs. There are security reasons to disable clipboard sharing, for example to prevent the accidental copying of something (non-)anonymous and pasting it in its (non-)anonymous counterpart such as a browser, which would lead to identity correlation.
  30. Providing a mechanism to access files of the host system from within the guest system via a specially defined path necessarily enlarges the attack surface and provides a potential pathway for malicious actors to compromise the host.
  31. A USB qube is automatically created as of Qubes R4.0.
  32. USB keyboards and mice expose dom0 to attacks, and all USB devices are potential side channel attack vectors.
  33. Windows and macOS are surveillance platforms that do not respect user freedom or privacy.
  34. Kicksecure has an advanced multi-layer defense model, thereby providing defense in depth. In its default configuration, Kicksecure provides protection from many types of malware, with no customization required.
  35. The Truth about Linux 4.6:

    The real "hard truth" about Linux kernel security is that there's no such thing as a free lunch. Keeping up to date on the latest upstream kernel will generally net all the bug fixes that have been created thus far, but with it of course brings completely new features, new code, new bugs, and new attack surface. The majority of vulnerabilities in the Linux kernel are ones that have been released just recently, something any honest person active in kernel development can attest to.

  36. Whonix contributor madaidan has noted:

    LTS kernels have fewer hardening features and not all bug fixes are backported, but they have less attack surface and potentially less chance of having bugs. Stable kernels have more hardening features and all bug fixes, but more attack surface and more bugs.

  37. Including grsecurity elements being mainlined by the Kernel Self Protection Project.
  38. This will likely become the default in future, see: Simplify and promote using in-vm kernel.
  39. Do not raise Qubes VM Kernel issues at Whonix. Instead, contact Qubes support.
  40. https://forums.whonix.org/t/what-to-post-in-this-qubes-whonix-forum-and-what-not/2275
  41. The TCP Initial Sequence Numbers (ISNs) are randomized.
  42. tirdad is installed in Non-Qubes-Whonix by default.
  43. This prevents remounting of the hard drive as read-write.
  44. This restricts Whonix-Gateway accessibility to/from other nodes on the network such as printers, phones and laptops.
  45. WPA3 protocol improvements include:
    • Protection against brute-force "dictionary" attacks: each password guess requires a live exchange with the network, so captured traffic cannot be attacked offline.
    • Stronger encryption: WPA2 uses 128-bit AES (CCMP), while WPA3 adds an optional 192-bit security mode for enterprise networks.
    • Individualized data encryption in open networks (Opportunistic Wireless Encryption) to strengthen user privacy.
    • Forward secrecy: if an adversary captures encrypted Wi-Fi transmissions and later obtains the password, they cannot use it to read the older data.
  46. Do not rely on WiFi Protected Setup (WPS), which has major security flaws.
  47. https://forums.whonix.org/t/disable-sys-net-pings-to-fedoraproject-org/1952
  48. Example: sudo qvm-template install centos-8-minimal
  49. Example: sudo qvm-template install debian-12-minimal
  50. Example: sudo qvm-template install fedora-36-minimal
  51. Qubes tracker: Use OpenBSD as NetVM. OpenBSD is assessed as having a lower attack surface than Linux, uses fewer system resources, and has strong exploit mitigations. Note that OpenBSD cannot currently be configured as sys-firewall.
  52. Previously The Tor Project's alpha sandbox was recommended to restrict Tor Browser, but the project has unfortunately been abandoned.
  53. Although not implemented yet, all user-installed applications will be automatically configured to run in the sandbox and a prompt will ask which permissions should be granted to the application.
  54. Such as system information, host time, system uptime, and fingerprinting of devices behind a router.
  55. This prevents time-related attack vectors which rely on leakage of the host time.
  56. https://forums.whonix.org/t/tor-connectionpadding/7477
  57. Via creation of a new Whonix-Gateway (sys-whonix).
  58. For example, Whonix users residing in China.
  59. This is useful when testing later Whonix releases to stymie deanonymization attempts by advanced adversaries, or when creating an identical backup that does not share any other persistent data, except for Tor state and custom torrc options.
  60. Notifications are made in real time for any potentially suspicious activity.
  61. Unauthorized modifications to BIOS or the boot partition will be notified.
  62. This is safe in the stable Qubes R4 release, but privacy issues were unresolved in Qubes R3.2 (now unsupported).
  63. Users can configure sys-net, sys-firewall and sys-usb as static Disposables. This option has been available from Qubes R4 onward.
  64. Reminder: The Subject: line and other header fields are not encrypted in the current configuration.
  65. Attackers use these methods to redirect local network traffic and execute Man-in-the-middle Attacks.
  66. Administrators are advised of any changes via email, such as new station/activity, flip-flops and re-used/changed old addresses.
  67. The reason is adversaries observing traffic will need to perform classification of both traffic generated by the Tor relay or bridge and your personal client traffic.
  68. This provides an additional fail-safe to protect from accidental clearnet leaks that might arise from hypothetical Whonix bugs, but does not address potential Qubes ProxyVM leaks.
  69. https://github.com/rustybird/corridor
  70. This reduces the attack surface by disabling SUID-enabled binaries and improves Strong Linux User Account Isolation. Some SUID binaries have a history of privilege escalation security vulnerabilities. This feature is part of security-misc.
  71. Although Libreboot is a free, opensource BIOS or UEFI replacement that initializes the hardware and starts the bootloader for the OS, the absence of proprietary firmware means important microcode security updates are unavailable. Also, even experts risk bricking their hardware during the process and it is incompatible with newer architectures, making it impractical for the majority of the Whonix population.
  72. Using two different computers and virtualization is one of the most secure configurations available, but may be less secure than Qubes' approach (software compartmentalization).
