Systemcheck


Introduction

systemcheck (previously called whonixcheck) is a script which checks numerous important system variables. systemcheck can be run in a CLI environment (such as in the terminal emulator xfce4-terminal) or via the GUI option, which has an in-built progress meter and a summary notification popup of the results. The script is stored at /usr/bin/systemcheck and in the /usr/lib/whonix/systemcheck/ directory. Whonix ™ is functional without the systemcheck script since it only checks the system status; it is not responsible for core settings. Nothing is compiled, and the script can be easily inspected in the source code.

The systemcheck script was inspired by https://check.torproject.org. In the past this was an important check, when users were still advised to use proxy settings to torify web browsers. Tor Browser is now securely pre-configured upon release, which means manual torification of web browsers is now recommended against. As an additional protection the default Tor Browser visits check.torproject.org to confirm everything is working as expected. [1] This site also checks whether Tor Browser is up-to-date by having Tor Button perform a local check after downloading version information.

check.torproject.org is useful for a browser check, but Whonix ™ is a complete operating system. This means certain checks must be performed before the browser starts, otherwise a user's anonymity or security might be compromised. systemcheck's design allows the entire Whonix ™ community to stay informed about important updates or advice, and this is particularly important for users who might not start the browser or visit the Whonix ™ website regularly. For these reasons, systemcheck is automatically started after boot/login if it has not been completed within the last 24 hours. This behavior holds true even if the system is not restarted, thereby keeping any long-running systems (like Onion Services) safely informed.

If it is necessary to hide Tor and Whonix ™ use from an ISP, see here. While only a small minority of users configure their system to hide Tor, it is still desirable to hide any obvious Whonix ™ signature. Whonix ™ users are better off if adversaries cannot distinguish them from vanilla Tor Browser users, as the Whonix ™ user pool is far smaller.

When systemcheck auto-starts, it first waits for a randomized period of time ranging between 60 and 500 seconds. This obfuscation feature is intended to further stymie traffic analysis, while Tor is still responsible for basic defenses against traffic volume and pattern signatures. Without the randomized wait, traffic flows would be more distinguishable, since a spike in systemcheck traffic would always occur immediately after bootstrapping.

Running systemcheck

systemcheck verifies that the Whonix system is up-to-date and that everything is in proper working order.

Follow the steps below to manually run systemcheck and check the system status.

How-to: Manually Run systemcheck

If you are using Qubes-Whonix ™, complete the following steps. [2]

Qubes App Launcher (blue/grey "Q") → click the Whonix VM you want to check → System Check

If you are using a graphical Whonix, complete the following steps.

Start Menu → System → systemcheck

If you are using a terminal-only Whonix, complete the following step.

systemcheck

Depending on system specifications, systemcheck can take up to a few minutes to complete. If everything is working as intended, the output should highlight each INFO heading in green (not red). A successful systemcheck process will have output similar to below.

Sample systemcheck Output

[INFO] [systemcheck] anon-whonix | Whonix-Workstation | whonix-ws-15 TemplateBased AppVM | Sun 25 Apr 2021 07:56:41 AM UTC
[INFO] [systemcheck] Connected to Tor.
[INFO] [systemcheck] Whonix APT Repository: Enabled. When the Whonix team releases BUSTER-PROPOSED-UPDATES updates, they will be AUTOMATICALLY installed (when you run apt-get dist-upgrade) along with updated packages from the Debian team. Please read https://www.whonix.org/wiki/Trust to understand the risk. If you want to change this, use: sudo whonix_repository
[INFO] [systemcheck] Debian Package Update Check: Checking for software updates via apt-get... ( Documentation: https://www.whonix.org/wiki/Update )
[INFO] [systemcheck] Debian Package Update Check Result: No updates found via apt-get.
[INFO] [systemcheck] Please donate! See: https://www.whonix.org/wiki/Donate

Tor Bootstrap

Tor bootstrap refers to the process of attempting to connect to the Tor network (successfully or unsuccessfully). Familiar output related to this process includes: "Tor connecting xx percent...", "Tor not connected", "Tor connected" and so on. Bootstrapping does not refer to related concepts, such as whether connections are "secure", "not secure", "anonymous" or "not anonymous".

System Checks

In all the checks below, systemcheck shows a warning if a problem is detected; otherwise its output stays quiet unless the --verbose option is used. Any operating system updates, downloads or other network activity are stream-isolated by default.

Table: System Checks run by systemcheck

Check | Description
Canary | TODO: document. Meanwhile, see Warrant Canary Check.
Clock Source | Check if the clock source is KVMClock and warn if that is the case. [3]
Control Port Filter Proxy | Check if Control Port Filter Proxy is running.
Entropy Test | An entropy availability check confirms /proc/sys/kernel/random/entropy_avail contains no less than 112 bytes.
Hostname | Check if:
  • hostname --fqdn outputs host.localdomain.
  • hostname outputs host.
  • hostname --ip-address outputs 127.0.0.1.
  • hostname --domain outputs localdomain.
  Also inform if Project-APT-Repository is enabled, and if so, which repository has been selected.
IP Address Routing | Check if IP forwarding is disabled on Whonix-Gateway ™ (sys-whonix).
Leak Tests | When using --leak-tests, Dev/Leak Tests:
  1. Download https://check.torproject.org with curl through an extra SocksPort.
  2. Download https://check.torproject.org with curl through TransPort.
  checks if check.torproject.org reports the IP to be a Tor IP address.
Log Inspection | When using the --verbose option, check if ~/.whonix/msgdispatcher-error.log or ~/.whonix/whonix_torbrowser_updater_error.log exist and report this if confirmed.
Meta-package Check | Check if the relevant meta-packages [4] are installed on Whonix-Gateway ™ (sys-whonix) or Whonix-Workstation ™ (anon-whonix). Also see: Whonix ™ Debian Packages.
Network Connection | Check setup-dist has properly configured networking.
Operating System Updates | apt-get update is run through a separate apt-get SocksPort for stream isolation. A notification is provided whether the system is up-to-date or requires updating.
Package Manager | Check if a package manager is currently running and wait until the process is finished. [5] This prevents connection failures during concurrent upgrades of the Tor or Control Port Filter Proxy packages.
Tor | Check:
  • If Tor has been enabled by inspecting if DisableNetwork 1 has been commented out from /usr/local/etc/torrc.d/50_user.conf either manually or via setup-dist.
  • If the Tor process (pid) is running on Whonix-Gateway ™ (sys-whonix).
  • The validity of Tor configuration files in Whonix-Gateway ™ (sys-whonix) by using sudo tor --verify-config.
  Notify about the Tor connection / IP address. [6] [7]
Repository Notification | Notifies whether Whonix ™ APT Repository is enabled or not.
Stream Isolation | When using --leak-tests,
  1. Download https://check.torproject.org with curl through an extra SocksPort.
  2. Download https://check.torproject.org with curl through TransPort.
  on Whonix-Workstation ™ (anon-whonix), a Stream Isolation test checks the IP addresses from (1) and (2) differ.
Tor Bootstrap | Tor Bootstrap Status:
  • TODO: document
  • anondate
Misc
  • TODO: document
  • control port filter proxy running
  • remarkable kernel messages
  • timedatectl check
  • timezone
Virtualization Platform | Check Whonix ™ is being run on one of the supported virtualizer platforms, including bare metal (Physical Isolation), VirtualBox, KVM or Qubes.
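
Several rows of the table describe values that can be re-checked by hand when auditing a Whonix-Gateway ™. The following shell functions are an added example, not systemcheck's own code; the function names, the exit-status convention and the use of /proc/sys/net/ipv4/ip_forward to observe IP forwarding are assumptions.

```shell
#!/bin/sh
# Added example, not systemcheck's code. Each function returns
# 0 = as expected, 1 = not as expected, 2 = value could not be read.

# Entropy Test: entropy_avail must be no less than 112.
entropy_ok() {
    val=$(cat "${1:-/proc/sys/kernel/random/entropy_avail}" 2>/dev/null) || return 2
    case $val in ''|*[!0-9]*) return 2 ;; esac
    [ "$val" -ge 112 ]
}

# IP Address Routing: forwarding disabled. Reading this sysctl file is an
# assumption about how to observe the setting.
ip_forward_disabled() {
    val=$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null) || return 2
    [ "$val" = 0 ]
}

# Tor: enabled when no uncommented "DisableNetwork 1" line is left.
tor_network_enabled() {
    conf=${1:-/usr/local/etc/torrc.d/50_user.conf}
    [ -r "$conf" ] || return 2
    if grep -Eiq '^[[:space:]]*DisableNetwork[[:space:]]+1([[:space:]#]|$)' "$conf"
    then return 1; fi
    return 0
}

# Hostname: the four expected outputs, passed as arguments.
hostname_ok() {
    [ "$1" = host.localdomain ] && [ "$2" = host ] &&
        [ "$3" = 127.0.0.1 ] && [ "$4" = localdomain ]
}

report() {  # usage: report LABEL COMMAND [ARGS...]
    label=$1; shift
    if "$@"; then st=OK; else st="CHECK (status $?)"; fi
    printf '%-20s %s\n' "$label" "$st"
}

run_all() {
    report 'Entropy Test' entropy_ok
    report 'IP Address Routing' ip_forward_disabled
    report 'Tor enabled' tor_network_enabled
    report 'Hostname' hostname_ok "$(hostname --fqdn 2>/dev/null)" \
        "$(hostname 2>/dev/null)" "$(hostname --ip-address 2>/dev/null)" \
        "$(hostname --domain 2>/dev/null)"
}

if [ "${1:-}" = "--run" ]; then run_all; fi
```

Run the script with --run to print one line per check; each function also accepts a file path argument so the logic can be tried against a copy of a configuration file.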

Version Numbers

Whonix ™ Build Version

The version number of the Whonix ™ build never changes. This is acceptable because at build time [8] the current Whonix ™ version number is added to the image itself. [9] This information is made available so systemcheck can determine which build script version was used to create that particular image.

This version number should remain static and be unaffected by updating or other issues, since it only applies to specific (usually older) versions of the build script. This is useful for diagnostic purposes and means specific build versions can be deprecated if they are too difficult or expensive to upgrade. In this case, systemcheck's Whonix ™ News function would inform users about the change.

By design, the build version number cannot be upgraded. See also Upgrade vs Image Re-Installation. It is similar to a date of birth, which is also unchangeable.

Check Version

To check the current Whonix ™ version, run the following command.

systemcheck --verbose --function show_versions

The output should be similar to below.

[INFO] [systemcheck] disp766 | Whonix-Workstation | whonix-ws-15-dvm DispVM AppVM | Sun 25 Apr 2021 07:13:17 AM UTC
[INFO] [systemcheck] Input Detection: INPUT_AUTO=true CLI=true GUI=false stdin connected to terminal. Using cli output. Not using gui output. Alternatively, if want to run from command line, but still use the graphical user interface for input, you could add to command line: --gui
[INFO] [systemcheck] Root Check Result: Ok, not running as root.
[INFO] [systemcheck] whonix_build_version: 3:3.4-1
[INFO] [systemcheck] whonix-workstation-packages-dependencies-cli: 21.2-1
[INFO] [systemcheck] /etc/whonix_version: 15
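
On unattended systems, the output format shown here and under Sample systemcheck Output can be checked by a script instead of by eye. The following is an added example, not part of systemcheck; the function names are hypothetical, and the [WARNING] line in the embedded sample is constructed, its tag being an assumption about how non-INFO messages are labelled.

```shell
#!/bin/sh
# Added example, not part of systemcheck: reads systemcheck output on stdin.

# Print every message whose leading [LEVEL] tag is not INFO.
non_info_lines() {
    awk '/^\[[A-Za-z]+\] \[systemcheck\]/ && $1 != "[INFO]"'
}

# Print the value of a "name: value" INFO message, e.g. whonix_build_version.
sc_field() {
    awk -v key="$1" '
        $1 == "[INFO]" && $2 == "[systemcheck]" && $3 == (key ":") {
            sub(/^\[INFO\] \[systemcheck\] [^ ]+: */, ""); print; exit
        }'
}

# Return 0 only when the output contains no non-INFO message.
sc_healthy() {
    bad=$(non_info_lines)
    if [ -z "$bad" ]; then return 0; fi
    printf 'systemcheck reported problems:\n%s\n' "$bad" >&2
    return 1
}

# Sample: show_versions lines from this page plus one constructed
# non-INFO line (the [WARNING] tag and its wording are assumptions).
sample_output() {
    cat <<'EOF'
[INFO] [systemcheck] Root Check Result: Ok, not running as root.
[INFO] [systemcheck] whonix_build_version: 3:3.4-1
[INFO] [systemcheck] whonix-workstation-packages-dependencies-cli: 21.2-1
[INFO] [systemcheck] /etc/whonix_version: 15
[WARNING] [systemcheck] Constructed example of a problem report.
EOF
}

# Demo on the embedded sample. On a real system, pipe in the output of:
#   systemcheck --verbose --function show_versions
sample_output | sc_field whonix_build_version
sample_output | sc_healthy || echo "sc_healthy exit status: $?"
```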

Warrant Canary Check

Introduction

Prerequisite knowledge: Whonix ™ warrant canary

Rationale for Automated Warrant Canary Check:

  • The Whonix ™ warrant canary is of little use if it is forgotten over time and not regularly verified.
  • The likelihood of the Whonix ™ warrant canary being regularly verified by the community is probably low.
  • Even if a community member verified the Whonix ™ warrant canary and noticed that verification failed, there would be no effective way to notify all users of Whonix ™.

Automated Warrant Canary Check:

  • Similar to an update check but to establish if Whonix ™ warrant canary is still valid.

Security:

More implementation details:

For now, during the initial deployment phase of this new feature, systemcheck will only show information about the canary status when run with the --verbose parameter. That is because there might be non-security-related bugs to be ironed out:

  • File location might change on server.
  • File on server might become unreadable due to Linux file access permissions.
  • Onion connectivity issues.
  • Serving stale copy due to server caching issues.
  • General warrant canary improvements.

In case of issues, manually verify Whonix ™ warrant canary.

Whonix Warrant Canary Forum Discussion [archive]

Disable Warrant Canary Check

Info: Whonix-Gateway ™ only.

Warning: This disables automated verification of Whonix ™ warrant canary when running systemcheck.

This will prevent the anonymous, daily Whonix ™ census.

Open file /etc/systemcheck.d/50_user.conf in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

This box uses sudoedit for better security. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/systemcheck.d/50_user.conf

Add the following content.

systemcheck_skip_functions+=" download_whonix_news "

Related

See Also

Footnotes

  1. Tor Browser in Whonix ™ is configured to load a local Whonix ™ resource after launch -- the familiar landing page.
  2. Qube Manager → right-click the Whonix VM you want to check → select "Run command in qube"

    Type each command below, followed by the ENTER key.
    xfce4-terminal-emulator

    systemcheck

  3. This is only expected to affect those following the KVM instructions.
  4. These capture packages which depend on all other recommended / default-installed packages.
  5. Otherwise, eventually the system is locked or the package manager is left in a broken state. Advice is provided on what to do in such circumstances.
  6. Some users may wonder why it is necessary to check the IP address if the Whonix ™ design ensures that the real IP cannot be leaked. Sometimes check.torproject.org reports false positives and fails to detect Tor exit nodes, so it is better to provide information about that possibility. This also reduces support requests and bad press. Users are welcome to investigate a Tor exit node that could not be detected, but it can be stated with high confidence that the IP address will be associated with a known Tor exit node.
  7. Another reason to perform this check is because some users set up dangerous and/or unsupported configurations, such as:
    • Changing the Whonix-Workstation ™ (anon-whonix) network interface from internal network "Whonix" to bridged or NAT.
    • Using virtualizers which are entirely unsupported and untested by Whonix ™ developers.
    • Installing arbitrary packages on Whonix-Workstation ™ (whonix-ws-16). This could theoretically create leak vectors, and systemcheck is the last layer of defense against such leaks.
  8. The time at which the image was created.
  9. The dist-base-files package's dist-base-files.postinst chroot script in essence runs:
    echo "$dist_build_version" > "$build_version_file"
    
  10. Clearnet link for convenience and preview, not used by systemcheck: https://download.whonix.org/whonixdevelopermetafiles/canary/canary.txt.embed.sig
  11. sudo -u canary signify-openbsd -V -e -p /usr/share/repository-dist/derivative-distribution-signify-key.pub -x /var/lib/canary/canary.txt.embed.sig -m /var/lib/canary/canary-unembed.txt


