Actions

Whonix-Workstation Security Hardening

From Whonix


Introduction[edit]

Whonix ™ is by no means a perfectly hardened system. Additional hardening measures are most welcome, but at the same time hardening by default is very difficult. Until the Whonix ™ project realizes a significant increase in resources or community assistance, extra measures will remain out of scope and hardening will be left to the upstream operating system. See Virtualization Platform for further details.

AppArmor[edit]

Learn more about AppArmor [archive], which helps to protect against vulnerabilities by confining a program's file access based upon strict rule-sets. It is recommended to apply the available Whonix ™ AppArmor profiles to contain various applications which are run in Whonix-Gateway ™ (sys-whonix) and/or Whonix-Workstation ™ (anon-whonix), like Tor, Tor Browser, Thunderbird and others.

Disable TCP SACK[edit]

TCP Selective Acknowledgement (SACK) [archive] is a commonly exploited option in the TCP protocol and not needed for many people. [1] For this reason, it is recommended to disable it unless required.

Open file /etc/sysctl.d/tcp_sack.conf in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

This box uses sudoedit for better security [archive]. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/sysctl.d/tcp_sack.conf

Uncomment all lines starting with net.ipv4.

This procedure can also be repeated on the Whonix Gateway.

TCP SACK is not disabled by default because on some systems it can greatly decrease network performance. [2]

Multiple Tor Browser Instances and Workstations[edit]

Appropriate compartmentalization of user activities is important when different identities and/or additional software are in use. Multiple Tor Browser instances provide some separation of distinct identities, however this issue has not yet been fully solved by Tor Browser or Torbutton. A more secure method of compartmentalization is using Multiple Whonix-Workstation ™, which are easily created.

Multiple Tor Browser Instances[edit]

To better separate different contextual identities, consider starting multiple Tor Browser instances. Follow the steps in the Manually Downloading Tor Browser entry, except for minor changes that are necessary; for example Tor Browser must be extracted into a different folder.

This method is less secure than using multiple Whonix-Workstation ™s, which is outlined below.

Multiple Whonix-Workstation ™[edit]

For tasks requiring different identities and/or additional software, it is recommended to utilize two or more Whonix-Workstation ™ VMs since different torified clients are isolated from each other. In this configuration, a Tor Browser exploit in one Whonix-Workstation ™ cannot simultaneously read the user's identity in another VM (for example, an IRC account). [3]

This method is less secure than using Tor Browser in a Qubes Whonix-Workstation ™ DisposableVM.

Restrict Hardware Information to Root[edit]

Details about your hardware can be used for identification, so Whonix includes the hide-hardware-info.service systemd unit that restricts access to /proc/cpuinfo, /proc/bus, /proc/scsi and /sys to the root user only. This hides most hardware identifiers and increases security as /sys exposes a lot of information that should not be accessible by unprivileged users.

This setting is disabled by default because it might break many applications. It can optionally be enabled by running the following command.

sudo systemctl enable hide-hardware-info.service

This command can also be run on Whonix Gateway.

A whitelist that allows specific applications to access /sys and /proc/cpuinfo is enabled by default to maintain basic functionality. For example, this allows the launching of applications like XFCE.

Whitelisting Applications[edit]

To whitelist applications, they must be run under the sysfs group (if allowing access to /sys) or the cpuinfo group (if allowing access to /proc/cpuinfo).

For example, to run a systemd service as the sysfs group, create a drop-in directory and add the following.

[Service]
SupplementaryGroups=sysfs

To run a specific binary as the sysfs group, the binary must be owned by the sysfs group and be made setgid. To achieve this, change the ownership of the binary by running the following.

sudo chgrp sysfs /path/to/binary

Then make the binary setgid.

sudo chmod g+s /path/to/binary

The binary will now run with the permissions of the sysfs group and have access to /sys.

All of these steps can also be applied to the cpuinfo group.

Remember that any whitelisted applications add to the attack surface. An attacker can attempt to exploit a vulnerability in the whitelisted application(s) to gain access to hardware information.

Disable the Whitelist[edit]

In order to reduce the attack surface as much as possible, optionally the whitelist can be disabled entirely.

Open file /etc/hide-hardware-info.d/30_whitelist.conf in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

This box uses sudoedit for better security [archive]. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/hide-hardware-info.d/30_whitelist.conf

Uncomment the sysfs_whitelist=0 and cpuinfo_whitelist=0 sections to disable the whitelist.

Note that this setting will break many applications; for example, the desktop environment will not even start. Do not perform this action unless you understand the implications and can reverse the change.

Footnotes[edit]

  1. For example, it has been used for remote denial of service attacks [archive] and can even lead to a Linux kernel panic.
  2. https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5 [archive]
  3. This does not protect against the sudden loss of networking, which could reveal to the attacker that two activities / accounts suddenly going off-line are probably related.


Want to help create awesome, up-to-date screenshots for the Whonix wiki? Help is most welcome!

https [archive] | (forcing) onion [archive]
Follow: Twitter.png Facebook.png 1280px-Gab text logo.svg.png Rss.png 1024px-Telegram 2019 Logo.svg.png Discourse logo.svg

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.

Monero donate whonix.png