Whonix Testers Release

From Whonix

About this Whonix Testers Release Page
Support Status	stable
Difficulty	easy
Maintainer	torjunkie
Support	Support

Contents

1 Stay Tuned!
2 Whonix 15: VirtualBox Testers Release
3 Footnotes

Stay Tuned![edit]

As Whonix ™ 15 was recently released on 1 July 2019 and work is ongoing, a testers release of Whonix ™ 16 is not yet available -- check back here at a later date.

Interested readers can refer to the Whonix ™ 16 roadmap to see where Whonix is heading. Major items include:

A Whonix host operating system (tickets);
Live mode (tickets); and
A policy for inclusion of compiled software; for example this might possibly allow for the Electrum bitcoin thin client to be installed by default. ^[1]

Whonix 15: VirtualBox Testers Release[edit]

On 9 August, 2019 a testers-only version of Whonix ™ for VirtualBox was released. ^[2] Willing testers can either:

Download the testers-only VirtualBox version; or
Perform an in-place release upgrade via the Whonix ™ testers repository.

Over time, these changes will gradually filter through to the Whonix ™ 15 stable-proposed-updates and stable APT repositories.

AppArmor[edit]

Implemented apparmor-profile-torbrowser improvements, see: Why does the Tor Browser AppArmor profile have sys_admin, sys_chroot and ptrace capabilities?

Bug Fixes[edit]

Fixed anon-connection-wizard truncated text.

Contentious Changes[edit]

Tor Browser Updater (by Whonix developers): reduced old versions being kept to 0 in /var/cache/tb-binary

Developer Notes[edit]

Added anon-base-files to whonix-host-xfce-kvm-freedom.
Added hardened-malloc to hardened-packages-dependencies-cli.
Removed unneeded dependency live-config-systemd.
anon-base-files:
- Do not create a home folder during postinst.
- Leave user user creation to Qubes.
- Fixed and actually use --no-create-home.

Documentation[edit]

Documented how to use recovery mode.

Improved Functionality and Usability[edit]

Disabled whonixcheck “Connecting to Tor…” and “Connected to Tor.” messages. ^[3]
Added support for OnionShare “bundled Tor”.
Packaged str_replace for literal search and replace functions.
Display the pulseaudio plugin by default.
Added arc-theme, gnome-themes-extra, gnome-themes-extra-data and gtk2-engines-murrine for better visual presentation.
Set SUDO_EDITOR="mousepad" if: mousepad is installed and the environment variable SUDO_EDITOR has not already been set.

Kernel Hardening[edit]

Significant kernel and other security hardening has been implemented; numerous enhancements have been made to security-misc:

Enabled kernel panic on kernel oops after boot, see: set oops=panic kernel parameter or kernel.panic_on_oops=1 sysctl for better security.
Changed the default umask to 006.
Enabled pam_umask.so usergroups, so group permissions are the same as user permissions. ^[4]
Removed read, write and execute access for others for all users who have home folders under folder /home. ^[5] ^[6]
Group sudo membership is required to use su.
Passwordless, recovery / emergency mode has been implemented.
Lock user accounts with pam_tally2 after five failed authentication attempts are detected. ^[7]
The thunderbolt and firewire modules were blacklisted, since they can be used for Direct Memory Access (DMA) attacks.
Uncommon network protocols were blacklisted: these are rarely used and may have unknown vulnerabilities. ^[8]
Enabled IOMMU.
The SysRq key is restricted to only allow shutdowns/reboots.
A systemd service mounts /proc with hidepid=2 at boot, thereby preventing users from seeing each other’s processes.
A systemd service clears System.map on boot as these contain kernel symbols that could be useful to an attacker. ^[9]
The kernel logs are restricted to root only.
The BPF JIT compiler is restricted to the root user and is hardened.
The ptrace system call is restricted to the root user only.
Added user root to group sudo. This is necessary so it is still possible to login as a user in a virtual console. ^[10]
Kernel symbols in /proc/kallsyms are hidden. This prevents malware from reading and using them to learn more about system vulnerabilities that can be attacked.
Kexec is disabled because it can be used for live patching of the running kernel.
For a full list of changes, see: https://github.com/Whonix/security-misc

Security Enhancements[edit]

Much stronger Linux user account isolation has been enforced in non-Qubes-Whonix: ^[11]

Locked and expired the root account in new Whonix builds. Existing users who upgraded are advised to lock their root account. ^[12]
Disabled root login in virtual consoles by default. ^[13]
Added a Tor Browser first startup popup to ask whether the security slider should be set to safest.
Anonymized /etc/machine-id.
anon-gpg-tweaks: disabled keyservers for improved security. ^[14]
Enabled APT seccomp sandboxing.
Enforced msgcollector security hardening.
Implemented systemd unit file hardening of services maintained by Whonix.
Tor Browser Starter (tb-starter Whonix package) hardening: implemented optional --hardening / tb_hardening="true" which utilizes Firejail and/or Hardened Malloc, see: Tor Browser Hardening documentation.
Installed Hardened Malloc by default to ease usage (although it is not enabled by default to avoid breakage).

Footnotes[edit]

↑ See: https://electrum.org/
↑ https://forums.whonix.org/t/whonix-virtualbox-15-0-0-3-6-testers-wanted-stronger-linux-user-account-isolation-and-more-hardening/7891
↑ In favor of sdwdate-gui. whonixcheck connectivity check code checks Tor as well as sdwdate. Due to slow Tor/onion speed it often times out. Improving that code is difficult, so sdwdate-gui is used instead as a solution that provides better visual feedback to users.
↑ By default, Debian utilizes User Private Groups (UPG). Also see: /usr/share/pam-configs/usergroups-security-misc
↑ For example, this affects those running “chmod o-rwx /home/user” during package installation or an upgrade.
↑ This is only performed once for each folder in the parent /home folder, so users who wish to relax file permissions can do so. This action protects files in the user's home folder which were previously created with lax file permissions prior to the installation of this package.
↑ See: unlock instructions. This means it is possible to have short, easy-to-remember, "weak" passwords for the user user account, while still preventing compromised non-root users from bruteforcing it.
↑ See: /etc/modprobe.d/uncommon-network-protocols.conf
↑ Forum discussion.
↑ See: debian/security-misc.postinst
↑ This does not yet apply to Qubes-Whonix.
↑ Qubes issue.
↑ This is a purposeful security feature and there are no user freedom restrictions; read more here.
↑ See: gpg --recv-keys fails / no longer use keyservers for anything.

No user support in comments. See Support. Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy.

Enable comment auto-refresher

Random News:

Are you proficient with iptables? Want to contribute? Check out possible improvements to iptables. Please come and introduce yourself in the development forum.

https | (forcing) onion

Follow: Twitter | Facebook | gab.ai | Stay Tuned | Whonix News

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian. Debian is a registered trademark owned by Software in the Public Interest, Inc.

Whonix ™ is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.

Retrieved from "http://kkkkkkkkkk63ava6.onion/w/index.php?title=Whonix_Testers_Release&oldid=50258"

Documentation