System Hardening Checklist

From Kicksecure

About this System Hardening Checklist Page
Support Status stable
Difficulty easy
Contributor torjunkie

Kicksecure ™ comes with many security features. Kicksecure ™ is Debian Security Hardened by default and also provides extensive Documentation including this System Hardening Checklist. The more you know, the safer you can be.

This page is targeted at users who wish to improve the security of their systems for even greater protection.

Introduction[edit]

Info Recommendations specific to Kicksecure ™ for Qubes or Kicksecure ™ are marked accordingly.

It is possible to significantly harden Kicksecure ™ and/or the host platform. This reduces the likelihood of a temporary or persistent compromise and increases the chances that sensitive activity completes securely. How far hardening can go depends on the user's skill set, motivation and available hardware. The checklist below provides a quick overview of important issues, categorized by difficulty level - easy, moderate, difficult and expert.

Easy[edit]

Command Line Operations[edit]

  • Do not run commands unless they are completely understood -- first refer to a suitable Kicksecure ™ wiki resource if available.
  • If root privileges are required, run the command with sudo rather than logging in as root or using sudo su. [1]
  • Defeat login spoofing by using the Secure Attention Key (SAK; SysRq + k) procedure: it kills every process on the current console, so a fake login prompt cannot survive it.
  • Consider enabling the magic SysRq keys ("Security Keys") as insurance against system malfunctions -- they assist in system recovery efforts and limit the potential harm of a malware compromise.

Disabling and Minimizing Hardware Risks[edit]

Entropy[edit]

  • To mitigate against inadequate entropy seeding by the Linux Random Number Generator (RNG), it is recommended to install daemons that inject more randomness into the pool.

File Handling[edit]

Info Kicksecure ™ for Qubes only.

  • In the File Manager, disable previews of files from untrusted sources. Change the file preferences in the Template's File Manager so future App Qubes inherit this setting.
  • Files received or downloaded from untrusted sources (the internet, email etc.) should not be opened in a trusted VM. Instead, open them in a DisposableVM: Right-click → Open In DisposableVM.
  • Untrusted PDFs should be opened in a DisposableVM or converted into a trusted (sanitized) PDF to prevent exploitation of the PDF reader and potential infection of the VM.

File Storage Location[edit]

Mandatory Access Control[edit]

  • Enable all available AppArmor profiles in the Kicksecure ™ Templates.
  • Enable seccomp on Kicksecure ™ (Kicksecure ™ ProxyVM).

Mobile Devices[edit]

Phones, smartphones, smartwatches, tablets and similar mobile devices are vulnerable to advanced malware and can be abused for eavesdropping, espionage, location tracking and more. Since the security best practices for mobile devices are often difficult or infeasible to follow, it may be easier to move all mobile devices to a distant physical location such as a different room and close the door, and/or to power them off.

Passwords and Logins[edit]

  • Use strong, unique and random passwords for all online accounts, system logins and encryption / decryption purposes to prevent the feasibility of brute-forcing attacks.
  • Use a trusted password manager (KeePassXC) [11], so hundreds of different passwords can be stored in an encrypted password database protected by one strong master password. [12]
  • For high-entropy passwords, consider using Diceware passphrases. [13]
  • In Kicksecure ™ for Qubes, store all login credentials and passwords in an offline vault VM (preferably with KeePassXC) and copy them into the browser via the Qubes inter-VM clipboard. [14]
  • Read and follow all the principles for stronger passwords.
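The following shell functions are an added illustration of the Diceware approach from footnote 13; they are not part of the Kicksecure ™ page or of any Kicksecure ™ tooling. They draw words uniformly from a wordlist file using rejection sampling, so the modulo step cannot bias the choice towards early words, and compute the resulting entropy. The function names (diceware, random_index, entropy_bits) and the sample wordlist are the example's own; the standard Diceware and EFF long lists have 7776 words.

```shell
#!/bin/sh
# Added example (not Kicksecure's code). Diceware-style passphrase generation from a wordlist file
# (one word per line, no blank lines), with a uniform draw and an entropy estimate.
set -eu

# entropy_bits WORDS LISTSIZE: passphrase entropy in bits, i.e. WORDS * log2(LISTSIZE)
entropy_bits() {
    awk -v n="$1" -v s="$2" 'BEGIN { printf "%.1f\n", n * log(s) / log(2) }'
}

# random_index SIZE: uniform integer in [0, SIZE) taken from /dev/urandom.
# A raw 16-bit value reduced modulo SIZE would favour the low indices whenever
# 65536 is not a multiple of SIZE; rejecting values above the largest multiple fixes that.
random_index() {
    size=$1
    limit=$(( 65536 - 65536 % size ))      # largest multiple of size that fits in 16 bits
    while :; do
        r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
        if [ "$r" -lt "$limit" ]; then
            echo $(( r % size ))
            return
        fi
    done
}

# diceware COUNT WORDLIST: print COUNT space-separated words drawn uniformly from WORDLIST
diceware() {
    count=$1
    list=$2
    size=$(wc -l < "$list")
    out=""
    i=0
    while [ "$i" -lt "$count" ]; do
        idx=$(( $(random_index "$size") + 1 ))   # sed line numbers start at 1
        word=$(sed -n "${idx}p" "$list")
        out="${out}${out:+ }${word}"
        i=$(( i + 1 ))
    done
    printf '%s\n' "$out"
}

# Usage with a 7776-word list (about 12.9 bits per word):
#   diceware 8 eff_large_wordlist.txt      # ~103 bits of entropy
#   entropy_bits 8 7776                    # prints 103.4
```

The rejection loop is the part worth copying: any generator that maps a fixed-width random value onto a list with `%` alone produces a non-uniform passphrase, and the loss is invisible in the output.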

Screensavers[edit]

Secure Downloads[edit]

  • Download Internet files securely using scurl instead of wget from the command line.
  • When downloading with a browser, prevent SSLstrip attacks by typing https:// links directly into the URL / address bar.

Secure Qubes Operation[edit]

Info Kicksecure ™ for Qubes only.

Secure Software Installation[edit]

Updates[edit]

  • Operating System Updates: It is crucial to regularly check for operating system updates on the host operating system Kicksecure ™ (or in a VM).
  • Stay tuned: It is absolutely crucial to subscribe to and read the latest Kicksecure ™ news category 'important-news' to stay in touch with ongoing developments. This way users benefit from notifications concerning important security advisories, potential upgrade issues and improved releases which address identified issues, like those affecting the updater or other core elements. Follow Kicksecure ™ Developments.
  • Debian Security Announcements: Since Kicksecure ™ is based on Debian, users should consider subscribing to the Debian security announcement mailing list to stay informed about the latest security advisories. See also chapter Debian Security Announcements.

Virtual Machines[edit]

All Virtualizers[edit]

VirtualBox[edit]

Warrant Canary[edit]

Moderate[edit]

Create a USB Qube[edit]

Info Kicksecure ™ for Qubes only.

Kicksecure as a Host Operating System Hardening[edit]

All Platforms[edit]

Kernels / Kernel Modules[edit]

Info Note:

  • Cutting-edge kernels can destabilize the system or cause boot failures.
  • Newer kernels can expose additional vulnerabilities; see footnotes. [23] [24]
  • Kernel modules in Qubes and Kicksecure ™ for Qubes usually require configuration of a Qubes VM Kernel.

Live-mode[edit]

Info Kicksecure ™ only.

Memory Allocator[edit]

Networking[edit]

All Platforms[edit]

  • If possible, use a dedicated network connection (LAN, WiFi etc.) that is not shared with other potentially compromised computers.
  • If using a shared network via a common cable modem/router or ADSL router, configure a de-militarized zone (perimeter network). [34]
  • Test the LAN's router/firewall with either an internet port scanning service or preferably a port scanning application from an external IP address.
  • Change the default administration password on the router to a unique, random, and suitably long Diceware passphrase to prevent bruteforcing attacks.
  • WiFi users should default to the WPA2-AES (avoid TKIP) or WPA3 standard; the protocols are safer and have stronger encryption. [35] [36]
  • Follow all other Kicksecure ™ recommendations to lock down the router.
  • TCP Selective Acknowledgement (SACK) has been the source of remotely triggerable denial-of-service bugs in the Linux kernel and is not needed by many users. [37] For this reason, it is recommended to disable it unless required.

Open file /etc/sysctl.d/30_security-misc.conf in an editor with root rights.

(Kicksecure ™ inside Qubes: In Template)

This box uses sudoedit for better security. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Kicksecure ™, please refer to this link.

sudoedit /etc/sysctl.d/30_security-misc.conf

Uncomment all lines starting with net.ipv4. (these set tcp_sack, tcp_dsack and tcp_fack to 0), then reload the sysctl settings or reboot for the change to take effect.

The same procedure applies to a non-Qubes Kicksecure ™ installation.

TCP SACK is not disabled by default because on some systems it can greatly decrease network performance. [38]
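As an added example, not part of the Kicksecure ™ page or of the security-misc package, the following POSIX shell functions perform the uncommenting step on the drop-in and then compare the running kernel with what the file configures. It assumes the security-misc layout in which the SACK keys are present but commented out; the sample file contents in the comments and test are constructed, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not Kicksecure's tooling). Enables the commented-out net.ipv4.* hardening keys in a
# sysctl drop-in such as /etc/sysctl.d/30_security-misc.conf and checks the running kernel against it.
# Assumes the security-misc layout, where the SACK keys are present but commented out, e.g.:
#   #net.ipv4.tcp_sack=0
#   #net.ipv4.tcp_dsack=0
#   #net.ipv4.tcp_fack=0
set -eu

SACK_KEYS="net.ipv4.tcp_sack net.ipv4.tcp_dsack net.ipv4.tcp_fack"

# uncomment_net_ipv4 FILE: strip the leading '#' from every commented net.ipv4.* line, in place
uncomment_net_ipv4() {
    tmp=$(mktemp)
    sed 's/^#[[:space:]]*\(net\.ipv4\.\)/\1/' "$1" > "$tmp"
    cat "$tmp" > "$1"          # write back through the original inode, keeping its permissions
    rm -f "$tmp"
}

# configured_value KEY FILE: the effective value of KEY in FILE (last assignment wins, comments ignored);
# prints nothing if KEY is still commented out or absent
configured_value() {
    awk -v key="$1" -F '=' '
        /^[[:space:]]*[#;]/ { next }                     # comment line
        { k = $1; gsub(/[[:space:]]/, "", k) }
        k == key { v = $2; gsub(/[[:space:]]/, "", v) }
        END { print v }' "$2"
}

# audit_sack FILE: compare each SACK key in FILE with the running kernel; returns 1 on any mismatch
audit_sack() {
    rc=0
    for key in $SACK_KEYS; do
        want=$(configured_value "$key" "$1")
        have=$(sysctl -n "$key" 2>/dev/null || echo "?")
        if [ "$want" != "$have" ]; then
            printf 'MISMATCH %s: file=%s running=%s\n' "$key" "${want:-unset}" "$have"
            rc=1
        fi
    done
    return "$rc"
}

# Typical run (the edit needs root; sysctl --system re-reads every drop-in in order):
#   sudo sh -c '. ./sack.sh; uncomment_net_ipv4 /etc/sysctl.d/30_security-misc.conf'
#   sudo sysctl --system
#   audit_sack /etc/sysctl.d/30_security-misc.conf
```

The audit step matters because sysctl drop-ins are applied in lexical order: a later file (for example one installed by another package) can silently override 30_security-misc.conf, and only the running value tells you whether SACK is actually off.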

Kicksecure-Qubes Only[edit]

  • Prefer the Kicksecure ™ Template for networking (sys-net and sys-firewall) since it is minimal in nature and does not "ping home", unlike the Fedora Template. [39]
  • Consider using customized minimal templates for NetVMs to reduce the attack surface and memory requirements.

Sandboxing[edit]

Spoof MAC Addresses[edit]

Info Tip: MAC spoofing is only necessary if traveling with your laptop or PC. It is not required for home PCs that do not change locations.

Time Related[edit]

Tor Settings[edit]

(Kicksecure ™ uses Tor for operations such as updates and time synchronization.)

Kicksecure VM Security[edit]

Difficult[edit]

Anti-Evil Maid[edit]

  • Consider the Android Haven application for sensitive devices -- motion, sound, vibration and light sensors can monitor and protect physical areas. [45]
  • If a Trusted Platform Module (TPM) is available, enable it in BIOS/UEFI and configure the required services to protect against Evil Maid Attacks.
    • Kicksecure ™ for Qubes: Utilize AEM protection to attest that only desired (trusted) components are loaded and executed during the system boot. [46]

DisposableVMs[edit]

Info Qubes / Kicksecure ™ for Qubes only.
Note: Some traces of DisposableVM usage and data contents will leak into the dom0 filesystem and survive reboots; see here for further information. (This is a Qubes-specific issue and unrelated to Kicksecure ™.)

  • Run all instances of Firefox in a DisposableVM which is preferably uncustomized to resist fingerprinting.
  • Configure each ServiceVM as a static DisposableVM to mitigate the threat from persistent malware across VM reboots. [47]

Email[edit]

All Platforms[edit]

Kicksecure-Qubes Only[edit]

  • Use split-GPG for email to reduce the risk of key theft used for encryption / decryption and signing.
  • Create an App Qube that is exclusively used for email and change the VM's firewall settings to only allow network connections to the email server and nothing else ("Deny network access except...").
  • Only open untrusted email attachments in a DisposableVM to prevent possible infection.

Ethernet/FDDI Station Activity Monitor[edit]

Flash the Router with Opensource Firmware[edit]

Warning: risk of bricking your router!

Multi-Factor User Authentication[edit]

  • Set up two-factor authentication (2FA) to strengthen the security of online accounts, smartphones, web services, access to physical locations and other implementations.
  • Configure PAM USB as a module that only allows user authentication by inserting a token (a USB stick), in which a one-time password is stored.
  • For secure account logins, utilize a YubiKey hardware authentication device, which supports one-time passwords, public-key cryptography, and the Universal 2nd Factor (U2F) and FIDO2 protocols.
    • Qubes: Follow the YubiKey instructions to enhance the security of Qubes user authentication, mitigate the risk of password snooping, and to improve USB keyboard security.

Systemd Sandboxing[edit]

Expert[edit]

Disable Intel ME Functionality[edit]

Warning: high risk of bricking your computer!

Disable SUID-enabled Binaries[edit]

Info This is an experimental feature recommended for testers.
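Whether or not the experimental security-misc feature is enabled, a practitioner will want to know which setuid/setgid binaries are actually present. The following shell functions are an added example, not part of the Kicksecure ™ page or of security-misc: they enumerate setid files under a directory and report any whose name is not on an allowlist, which makes a post-install baseline and later drift checks possible. It assumes GNU findutils (find -printf), as shipped on Debian; the function names, the allowlist format and the test data are the example's own.

```shell
#!/bin/sh
# Added example (not part of security-misc). Audit setuid/setgid binaries under a root directory
# and report those not on an allowlist. Assumes GNU findutils (find -printf), as on Debian.
set -eu

# list_setid ROOT: every regular file under ROOT with the setuid or setgid bit, as "mode path", sorted.
# -xdev stays on one filesystem so /proc, /sys and mounted media are not walked.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -printf '%M %p\n' 2>/dev/null | sort
}

# unexpected_setid ROOT ALLOWLIST: setid files whose basename is not in ALLOWLIST (one name per line)
unexpected_setid() {
    list_setid "$1" | while read -r mode path; do
        if ! grep -qxF "$(basename "$path")" "$2"; then
            printf '%s %s\n' "$mode" "$path"
        fi
    done
}

# count_unexpected_setid ROOT ALLOWLIST: number of unexpected setid files (0 means the audit passed)
count_unexpected_setid() {
    unexpected_setid "$1" "$2" | awk 'END { print NR }'
}

# Usage on a live system (run as root so every directory is readable):
#   list_setid / > suid-baseline.txt            # record the baseline right after installation
#   cut -d' ' -f2- suid-baseline.txt | xargs -n1 basename | sort -u > allowed-suid.txt
#   unexpected_setid / allowed-suid.txt         # later: anything listed here deserves a look
```

Comparing by basename keeps the allowlist short and readable; if an attacker could plant a setid file with an allowlisted name in another directory, compare full paths against the baseline instead.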

Opensource Firmware[edit]

  • Libreboot is no longer recommended as an alternative to proprietary firmware; see footnote. [52]
  • Coreboot is a possible BIOS/UEFI firmware alternative -- consider purchasing hardware that has it pre-installed (like Chromebooks), or research flashing procedures for the handful of refurbished motherboards that support it.

Footnotes[edit]

  1. This reduces the likelihood of a successful root or non-root user compromise.
  2. Kicksecure ™ 16 and later versions disable the root account by default.
  3. https://forums.whonix.org/t/use-sudoedit-in-whonix-documentation/7599
  4. This addresses spying techniques:
  5. This applies to both Intel and AMD architecture.
  6. While this may introduce new vulnerabilities, this is objectively better than running a system that is vulnerable to known attacks.
  7. This hides hardware identifiers from unprivileged users.
  8. sudo apt install jitterentropy-rngd
  9. sudo apt install haveged
  10. The reason is AppArmor profiles (and possibly other mandatory access control frameworks) are unlikely to allow access to these folders by default.
  11. Debian KeePassXC package.
  12. For greater security, store the password manager off-line.
  13. To estimate strength: each word drawn from the standard 7776-word Diceware list adds about 12.9 bits of entropy, so a 7-word passphrase provides ~90 bits, an 8-word passphrase ~103 bits and a 10-word passphrase ~129 bits.
  14. For greater safety, copy something else into the clipboard after pasting so the password is purged and cannot be accidentally pasted elsewhere.
  15. For example, sensitive notifications (pop up dialog boxes) can appear over the screensaver while locked, and screensaver bypass bugs are common. Screen Locker (In)Security - Can we disable these at least 4 backdoors?
  16. Also see: Disconnecting a video output can cause XScreenSaver to crash (QSB-068, CVE-2021-34557).
  17. The Kicksecure ™ and Debian repositories are no longer set to onion mirrors by default due to stability issues. This decision will be reviewed in the future once v3 onions have further matured.
  18. If a keyserver is required, utilize the v3 onion address for keys.openpgp.org: http://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion
  19. Bidirectional clipboard sharing is currently enabled by default in Kicksecure ™ VirtualBox VMs. There are security reasons to disable clipboard sharing, for example to prevent the accidental copying of something (non-)anonymous and pasting it in its (non-)anonymous counterpart such as a browser, which would lead to identity correlation.
  20. Providing a mechanism to access files of the host system from within the guest system via a specially defined path necessarily enlarges the attack surface and provides a potential pathway for malicious actors to compromise the host.
  21. A USB qube is automatically created as of Qubes R4.0.
  22. USB keyboards and mice expose dom0 to attacks, and all USB devices are potential side channel attack vectors.
  23. The Truth about Linux 4.6:

    The real "hard truth" about Linux kernel security is that there's no such thing as a free lunch. Keeping up to date on the latest upstream kernel will generally net all the bug fixes that have been created thus far, but with it of course brings completely new features, new code, new bugs, and new attack surface. The majority of vulnerabilities in the Linux kernel are ones that have been released just recently, something any honest person active in kernel development can attest to.

  24. Kicksecure ™ developer madaidan has noted:

    LTS kernels have less hardening features and not all bug fixes are backported but it has less attack surface and potentially less chance of having bugs. Stable kernels have more hardening features and all bug fixes but more attack surface and more bugs.

  25. Including grsecurity elements being mainlined by the Kernel Self Protection Project.
  26. This will likely become the default in future, see: Simplify and promote using in-vm kernel.
  27. Do not raise Qubes VM Kernel issues at Kicksecure ™. Instead, contact Qubes support.
  28. https://forums.whonix.org/t/what-to-post-in-this-qubes-whonix-forum-and-what-not/2275
  29. Openwall:

    ... LKRG attempts to post-detect and hopefully promptly respond to unauthorized modifications to the running Linux kernel (integrity checking) or to credentials (such as user IDs) of the running processes (exploit detection). For process credentials, LKRG attempts to detect the exploit and take action before the kernel would grant the process access (such as open a file) based on the unauthorized credentials.

  30. The TCP Initial Sequence Numbers (ISNs) are randomized.
  31. tirdad is installed in Kicksecure ™ by default.
  32. This prevents remounting of the hard drive as read-write.
  33. This provides hardening against heap corruption vulnerabilities and improves overall memory performance and usage. Note that using Hardened Malloc with Tor Browser or Firefox is difficult and unsupported.
  34. This restricts Kicksecure ™ accessibility to/from other nodes on the network such as printers, phones and laptops.
  35. WPA3 protocol improvements include:
    • Protection against brute force "dictionary" attacks -- the SAE handshake means a captured exchange cannot be used to test password guesses offline, so each guess requires a live attempt against the access point.
    • Stronger encryption: WPA2 uses 128-bit AES-CCMP, while WPA3-Enterprise offers an optional 192-bit security mode.
    • Use of individualized data encryption in open networks to strengthen user privacy.
    • Forward secrecy: if an adversary captures encrypted Wi-Fi transmissions and cracks the password, they cannot use it to read older data.
  36. Do not rely on WiFi Protected Set-up (WPS), which has major security flaws.
  37. For example, it has been used for remote denial of service attacks and can even lead to a Linux kernel panic.
  38. https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5
  39. https://forums.whonix.org/t/disable-sys-net-pings-to-fedoraproject-org/1952
  40. Although not implemented yet, all user-installed applications will be automatically configured to run in the sandbox and a prompt will ask which permissions should be granted to the application.
  41. Such as system information, host time, system uptime, and fingerprinting of devices behind a router.
  42. This prevents time-related attack vectors which rely on leakage of the host time.
  43. https://forums.whonix.org/t/tor-connectionpadding/7477
  44. For example, Kicksecure ™ users residing in China.
  45. Notifications are made in real time for any potentially suspicious activity.
  46. Unauthorized modifications to BIOS or the boot partition will be notified.
  47. Users can configure sys-net, sys-firewall and sys-usb as static DisposableVMs. This option has been available from Qubes R4 onward.
  48. Reminder: The Subject: line and other header fields are not encrypted in the current configuration.
  49. Attackers use these methods to redirect local network traffic and execute Man-in-the-middle Attacks.
  50. Administrators are advised of any changes via email, such as new station/activity, flip-flops and re-used/changed old addresses.
  51. This reduces the attack surface by disabling SUID-enabled binaries and improves Strong Linux User Account Isolation. Some SUID binaries have a history of privilege escalation security vulnerabilities. This feature is part of security-misc.
  52. Although Libreboot is a free, opensource BIOS or UEFI replacement that initializes the hardware and starts the bootloader for the OS, the absence of proprietary firmware means important microcode security updates are unavailable. Also, even experts risk bricking their hardware during the process and it is incompatible with newer architectures, making it impractical for the majority of the Kicksecure ™ population.

