Whonix-Workstation Security Hardening

From Whonix
Jump to navigation Jump to search

Doors-1767563 640.jpg
Kicksecure-badge.png

Whonix ™ comes with many security features The Web Archive Onion Version . Whonix ™ is Kicksecure ™ The Web Archive Onion Version hardened by default and also provides extensive Documentation including a System Hardening Checklist. The more you know, the safer you can be.

This page is targeted at users who wish to improve the security of their Whonix-Workstation ™ to become even more secure.

Introduction[edit]

Whonix ™ is by no means a perfectly hardened system. Additional hardening measures are most welcome, but at the same time hardening by default is very difficult. Until the Whonix ™ project realizes a significant increase in resources or community assistance, extra measures will remain out of scope and hardening will be left to the upstream operating system. See Virtualization Platform for further details.

AppArmor[edit]

Learn more about AppArmorarchive.org, which helps to protect against vulnerabilities by confining a program's file access based upon strict rule-sets. It is recommended to apply the available Whonix ™ AppArmor profiles to contain various applications which are run in Whonix-Gateway ™ (sys-whonix) and/or Whonix-Workstation ™ (anon-whonix), like Tor, Tor Browser, Thunderbird and others.

Disable TCP SACK[edit]

TCP Selective Acknowledgement (SACK)archive.org is a commonly exploited option in the TCP protocol and not needed for many people. [1] For this reason, it is recommended to disable it unless required.

Open file /etc/sysctl.d/30_security-misc.conf in an editor with root rights.

(Qubes-Whonix ™: In Template)

This box uses sudoedit for better security. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/sysctl.d/30_security-misc.conf

Uncomment all lines starting with net.ipv4.

This procedure can also be repeated on the Whonix-Gateway.

TCP SACK is not disabled by default because on some systems it can greatly decrease network performance. [2]

Restrict Hardware Information to Root[edit]

See Restrict Hardware Information to Root.

Footnotes[edit]

  1. For example, it has been used for remote denial of service attacksarchive.org and can even lead to a Linux kernel panic.
  2. https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5archive.org