Actions

Whonix Testers Release

From Whonix

About this Whonix Testers Release Page
Support Status stable
Difficulty easy
Maintainer torjunkie
Support Support

Stay Tuned![edit]

As Whonix ™ 15 was recently released on 1 July 2019 and work is ongoing, a testers release of Whonix ™ 16 is not yet available -- check back here at a later date.

Interested readers can refer to the Whonix ™ 16 roadmap to see where Whonix is heading. Major items include:

Whonix 15: VirtualBox Testers Release[edit]

On 9 August, 2019 a testers-only version of Whonix ™ for VirtualBox was released. [2] Willing testers can either:

Over time, these changes will gradually filter through to the Whonix ™ 15 stable-proposed-updates and stable APT repositories.

AppArmor[edit]

Bug Fixes[edit]

  • Fixed anon-connection-wizard truncated text.

Contentious Changes[edit]

  • Tor Browser Updater (by Whonix developers): reduced old versions being kept to 0 in /var/cache/tb-binary

Developer Notes[edit]

  • Added anon-base-files to whonix-host-xfce-kvm-freedom.
  • Added hardened-malloc to hardened-packages-dependencies-cli.
  • Removed unneeded dependency live-config-systemd.
  • anon-base-files:
    • Do not create a home folder during postinst.
    • Leave user user creation to Qubes.
    • Fixed and actually use --no-create-home.

Documentation[edit]

Improved Functionality and Usability[edit]

  • Disabled whonixcheck “Connecting to Tor…” and “Connected to Tor.” messages. [3]
  • Added support for OnionShare “bundled Tor”.
  • Packaged str_replace for literal search and replace functions.
  • Display the pulseaudio plugin by default.
  • Added arc-theme, gnome-themes-extra, gnome-themes-extra-data and gtk2-engines-murrine for better visual presentation.
  • Set SUDO_EDITOR="mousepad" if: mousepad is installed and the environment variable SUDO_EDITOR has not already been set.

Kernel Hardening[edit]

Significant kernel and other security hardening has been implemented; numerous enhancements have been made to security-misc:

  • Enabled kernel panic on kernel oops after boot, see: set oops=panic kernel parameter or kernel.panic_on_oops=1 sysctl for better security.
  • Changed the default umask to 006.
  • Enabled pam_umask.so usergroups, so group permissions are the same as user permissions. [4]
  • Removed read, write and execute access for others for all users who have home folders under folder /home. [5] [6]
  • Group sudo membership is required to use su.
  • Passwordless, recovery / emergency mode has been implemented.
  • Lock user accounts with pam_tally2 after five failed authentication attempts are detected. [7]
  • The thunderbolt and firewire modules were blacklisted, since they can be used for Direct Memory Access (DMA) attacks.
  • Uncommon network protocols were blacklisted: these are rarely used and may have unknown vulnerabilities. [8]
  • Enabled IOMMU.
  • The SysRq key is restricted to only allow shutdowns/reboots.
  • A systemd service mounts /proc with hidepid=2 at boot, thereby preventing users from seeing each other’s processes.
  • A systemd service clears System.map on boot as these contain kernel symbols that could be useful to an attacker. [9]
  • The kernel logs are restricted to root only.
  • The BPF JIT compiler is restricted to the root user and is hardened.
  • The ptrace system call is restricted to the root user only.
  • Added user root to group sudo. This is necessary so it is still possible to login as a user in a virtual console. [10]
  • Kernel symbols in /proc/kallsyms are hidden. This prevents malware from reading and using them to learn more about system vulnerabilities that can be attacked.
  • Kexec is disabled because it can be used for live patching of the running kernel.
  • For a full list of changes, see: https://github.com/Whonix/security-misc

Security Enhancements[edit]

Much stronger Linux user account isolation has been enforced in non-Qubes-Whonix: [11]

Footnotes[edit]

  1. See: https://electrum.org/
  2. https://forums.whonix.org/t/whonix-virtualbox-15-0-0-3-6-testers-wanted-stronger-linux-user-account-isolation-and-more-hardening/7891
  3. In favor of sdwdate-gui. whonixcheck connectivity check code checks Tor as well as sdwdate. Due to slow Tor/onion speed it often times out. Improving that code is difficult, so sdwdate-gui is used instead as a solution that provides better visual feedback to users.
  4. By default, Debian utilizes User Private Groups (UPG). Also see: /usr/share/pam-configs/usergroups-security-misc
  5. For example, this affects those running “chmod o-rwx /home/user” during package installation or an upgrade.
  6. This is only performed once for each folder in the parent /home folder, so users who wish to relax file permissions can do so. This action protects files in the user's home folder which were previously created with lax file permissions prior to the installation of this package.
  7. See: unlock instructions. This means it is possible to have short, easy-to-remember, "weak" passwords for the user user account, while still preventing compromised non-root users from bruteforcing it.
  8. See: /etc/modprobe.d/uncommon-network-protocols.conf
  9. Forum discussion.
  10. See: debian/security-misc.postinst
  11. This does not yet apply to Qubes-Whonix.
  12. Qubes issue.
  13. This is a purposeful security feature and there are no user freedom restrictions; read more here.
  14. See: gpg --recv-keys fails / no longer use keyservers for anything.

No user support in comments. See Support. Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy.


Add your comment
Whonix welcomes all comments. If you do not want to be anonymous, register or log in. It is free.


Random News:

Are you proficient with iptables? Want to contribute? Check out possible improvements to iptables. Please come and introduce yourself in the development forum.


https | (forcing) onion

Follow: Twitter | Facebook | gab.ai | Stay Tuned | Whonix News

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian. Debian is a registered trademark owned by Software in the Public Interest, Inc.

Whonix ™ is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.