Kicksecure ™

Download

On Computer USB Installation Intel / AMD64 ARM64 Raspberry Pi PPC64 Windows (VM) Mac Linux (VM) VirtualBox (VM) Qubes (VM) KVM (VM) Debian morph to Kicksecure More options Source Code

About

Overview Features Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Forum Best Practices Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

Connectivity Test. Sanity Test. Update Check. And More.

systemcheck is a script which checks numerous, important system variables. systemcheck can be run in a CLI environment (such as in terminal emulator xfce4-terminal) or via the GUI option, which has an in-built progress meter and summary notification popup of the results. The script is stored in the /usr/bin/systemcheck and /usr/libexec/systemcheck/ directories. Kicksecure is functional without the systemcheck script since it only checks the system status; it is not responsible for core settings. Nothing is compiled, and the script can be easily inspected in the source code.

The systemcheck script was inspired by browser based check websites.

Browser based check websites are useful for very specialized checks, but Kicksecure is a complete operating system. This means certain checks can be performed, otherwise a user's security might be endangered.

systemcheck allows the entire Kicksecure community to stay informed about important updates or advice, and this is particularly important for users who might not start the browser or visit the Kicksecure website regularly.

systemcheck verifies that the Kicksecure system is up-to-date and that everything is in proper working order.

Follow the steps below to manually run systemcheck and check the system status.

Depending on system specifications, systemcheck can take up to a few minutes to complete. If everything is working as intended, the output should highlight each INFO heading in green (not red). A successful systemcheck process will have output similar to below.

[INFO] [systemcheck] Kicksecure | Kicksecure kicksecure-17 TemplateBased AppVM | Sun 25 Apr 2021 07:56:41 AM UTC
[INFO] [systemcheck] Connected to Tor.
[INFO] [systemcheck] Kicksecure APT Repository: Enabled.
When the Kicksecure team releases BUSTER-PROPOSED-UPDATES updates,
they will be AUTOMATICALLY installed (when you run apt full-upgrade)
along with updated packages from the Debian team. Please
read https://www.kicksecure.com/wiki/Trust to understand the risk.
If you want to change this, use:
<code>sudo repository-dist</code>
[INFO] [systemcheck] Debian Package Update Check: Checking for software updates via apt... ( Documentation: https://www.kicksecure.com/wiki/Update )
[INFO] [systemcheck] Debian Package Update Check Result: No updates found via apt.
[INFO] [systemcheck] Please donate!
See: https://www.kicksecure.com/wiki/Donate

Tor bootstrap refers to the process of attempting to connect to the Tor network (successfully or unsuccessfully). Familiar output related to this process includes: "Tor connecting xx percent...", "Tor not connected", "Tor connected" and so on. Bootstrapping does not refer to related concepts, such as whether connections are "secure", "not secure", "anonymous" or "not anonymous".

Perform these steps to automatically start systemcheck; this step is optional.

1. Create folder ~/.config/autostart.

mkdir -p ~/.config/autostart

2. Create a symlink from /usr/share/applications/systemcheck.desktop to ~/.config/autostart/systemcheck.desktop.

ln -s /usr/share/applications/systemcheck.desktop ~/.config/autostart/systemcheck.desktop

3. Done.

systemcheck will now automatically start after boot.

In all the checks below, systemcheck warnings appear if a problem is detected. Conversely, systemcheck output is otherwise quiet unless using the --verbose option. Any operating system updates, downloads or other network activity are Tor stream-isolated by default.

Figure: updatecheck notification (passive popup)

Platform specific.

• Kicksecure: Applicable. See below.
• Kicksecure for Qubes: Not applicable, because Qubes has its own updater, which is documented on the Operating System Software and Updates wiki page.

Runs approximately every 6 hours.

Features:

• Passive popup.
• Wait for a good time to run the update check.
  • Waits 2 minutes after boot before checking for updates, to give the user a chance to run APT before the package database gets locked. Updatecheck runs APT, which locks the package database as it updates it.
  • Runs leaprun onion-time-pre-script up to 5 times until it succeeds. Waits 2 minutes between each call if it fails. This is to ensure Tor bootstrap has been completed.
  • Waits up to 6 minutes for sdwdate to complete time synchronization.
  • Waits up to 20 minutes for the package database to be unlocked, which means no other APT process (run by the user) is currently locking it.
• Stale notifications are cleared. If there was an issue upgrading but not when updatecheck runs again, the stale, no longer applicable notification will be cleared to avoid confusion.

Note: No administrative ("root") rights required. Do not use sudo!

Check logs.

journalctl --boot --user -u updatecheck.service

Check status.

systemctl --boot --user status updatecheck.service

Disable.

systemctl --user mask updatecheck.service

Re-enable.

systemctl --user unmask updatecheck.service

Information for developers: See wiki page Dev/Automatic Updates chapter updatecheck.

updatecheck starts automatically when a normal user logs in graphically into a normal desktop. This is triggered by the file /etc/xdg/autostart/updatecheck.desktop. This is only expected to happen if the system is booted in PERSISTENT mode - USER session or LIVE mode - USER session. This means all normal user accounts will automatically have updatecheck working for them.

When user-sysmaint-split is installed, the sysmaint user account will only be able to log into a sysmaint graphical session, and only when the system is booted into a SYSMAINT session. The sysmaint graphical session is not a normal desktop, and it does not automatically run all of the services configured in /etc/xdg/autostart. This means updatecheck will not run in a sysmaint session.

Figure: systemcheck - Physical Security Check

Several checks related to Protection Against Physical Attacks.

• Login security check:
  • Checks if all Linux user accounts have a password set or if it is absent.
  • Checks if all Linux user accounts have a autologin set or if it is absent.
• Whether Full Disk Encryption (FDE) is enabled or disabled.
• Whether the GRUB boot menu is protected by a Bootloader Password.

Checks not included:

• BIOS Password check. Operating systems do not have permission to detect if a BIOS password is set or absent.

Unwanted packages systemcheck will warn against.

systemcheck default configuration file /etc/systemcheck.d/30_default.conf contains several configuration directives systemcheck_unwanted_package.

At time of writing, these are packages associated with privacy issues or deprecated packages.

• Build version never changes: The Kicksecure build version - the version number of the Kicksecure build - is immutable, similar to a date of birth. It does not change and is not supposed to.
• Version embedded at build time: When the image is created, the current Kicksecure version number is embedded in it. This allows systemcheck to determine which build script version was used.
• Static for diagnostics: The version number remains fixed and is not affected by updates. It is mainly relevant to older build script versions and is useful for diagnostics. Deprecated builds may be announced if upgrading becomes too difficult or costly. In such cases, we intent to use systemcheck or dismissable one time popups to informs users.
• Non-upgradable build version numbers: Build version cannot be upgraded. This is by design.
• Generally not important for users: Unless instructed otherwise by documentation or developers, users typically do not need to worry about the build version.
• Updates remain possible: Standard ("everyday") updates can still be installed.
• Release upgrades remain possible: Even Release Upgrade are typically possible when announced via Kicksecure News. So Follow Announcements.
• See also: Update vs Image Re-Installation.

To check the current Kicksecure version, run the following command:

systemcheck --verbose --function show_versions

The output should be similar to the following, depending on the platform.

Non-Qubes:

[INFO] [systemcheck] Kicksecure build version: 17.4.4.6
[INFO] [systemcheck] kicksecure-dependencies-cli: 31.5-1
[INFO] [systemcheck] derivative_major_release_version /etc/kicksecure_version: 17

Qubes:

[INFO] [systemcheck] Kicksecure build version: 3:10.2-1
[INFO] [systemcheck] kicksecure-dependencies-cli: 31.5-1
[INFO] [systemcheck] derivative_major_release_version /etc/kicksecure_version: 17

For advanced users only.

The dist-base-files package contains the script dist-base-files.postinst, which essentially runs:

echo "$dist_build_version" > "$build_version_file"

Platform-specific details:

• For non-Qubes, this corresponds to the derivative-maker Git tag version used to create the image.
• For Qubes, the following command is executed during the initial installation of dist-base-files

zless /usr/share/doc/dist-base-files/changelog.Debian.gz | dpkg-parsechangelog -l- -SVersion

There are several reasons an Automated Warrant Canary Check is justified:

• The Kicksecure warrant canary has limited utility if it is forgotten over time and not regularly verified.
• It is unlikely the Kicksecure warrant canary is routinely verified by the community.
• If a community member discovers the Kicksecure warrant canary verification has failed, there is no effective way to notify all Kicksecure users.

Automated Warrant Canary Check Features

Feature	Description
Function	Functions similarly to an update check but determines if the Kicksecure warrant canary is still valid.
Security	Downloads over Tor from .onion link canary.txt.embed.sig. [8] The downloader canary-download.py is written in the memory-safe Python language (python3-requests) and runs under a dedicated and limited Linux user account canary. canary.txt.embed.sig is verified using signify-openbsd. [9] Has an AppArmor profile. Has systemd hardening (seccomp). Similar to sdwdate, it fetches time from onion time sources.
Implementation details	Minimal canary-daemon (with systemd-notify). The canary wrapper includes logic on when to run canary-download.py. This only runs on Kicksecure to reduce server load. Comprises a systemcheck module check_warrant_canary.bsh.
Verbose parameter	During the initial deployment phase of this new feature, systemcheck will only show canary status information when using the --verbose parameter. The reason is that there might be non-security-related potential bugs to address: The server file location might change. The server file might become unreadable due to Linux file access permissions. Onion connectivity issues could emerge. Server caching issues could serve a stale warrant copy. General warrant canary improvements.
Troubleshooting	In case of issues, manually verify the Kicksecure warrant canary. Also see: Whonix Warrant Canary Forum Discussion

This will prevent the daily Kicksecure census.

Open file /etc/systemcheck.d/50_user.conf in an editor with root rights.

Select your platform.

Kicksecure

See Open File with Root Rights for detailed instructions on why using sudoedit improves security and how to use it.

Note: Mousepad (or the chosen text editor) must be closed before running the sudoedit command.

sudoedit /etc/systemcheck.d/50_user.conf

Kicksecure-Qubes

Notes:

• When using Kicksecure-Qubes, this must be done inside the Template.

sudoedit /etc/systemcheck.d/50_user.conf

• After applying this change, shut down the Template.
• All App Qubes based on the Template need to be restarted if they were already running.
• This is a general procedure required for Qubes and is unspecific to Kicksecure-Qubes.

Others and Alternatives

Notes:

• This is just an example. Other tools could achieve the same goal.
• If this example does not work for you, or if you are not using Kicksecure, please refer to Open File with Root Rights.

sudoedit /etc/systemcheck.d/50_user.conf

Add the following content.

canary=false

Only useful in case of systemcheck GUI issues.

systemcheck --function check_arg_max

Expected result:

[INFO] [systemcheck] ERROR: ARG_MAX exceeded!

debug information:
output_func was called with too many arguments.
${FUNCNAME[0]}: output_func
${FUNCNAME[1]}: output_func_cli
${FUNCNAME[2]}: check_arg_max
${FUNCNAME[3]}: systemcheck_run_function
${FUNCNAME[5]}: systemcheck_main
${FUNCNAME[6]}: main
$0: /usr/libexec/systemcheck/systemcheck

The output message will probably be improved in the future. "ERROR: ARG_MAX exceeded!" will be rewritten to "ARG_MAX detected.".

• System Audit

• Dev/systemcheck

Boot firmware Documentation Basic Security Guide Introduction Previous page: Boot firmware Index page: Documentation Next page: Basic Security Guide Introduction

Kicksecure A secure by default operating system with the latest security research in place.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Kicksecure is proudly supported until 2026 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!