systemcheck - Security Check Application
systemcheck is a script which checks numerous, important system variables. systemcheck can be run in a CLI environment (such as in terminal emulator xfce4-terminal) or via the GUI option, which has an in-built progress meter and summary notification popup of the results. The script is stored in the and directories. Kicksecure ™ is functional without the systemcheck script since it only checks the system status; it is not responsible for core settings. Nothing is compiled, and the script can be easily inspected in the source code.
The systemcheck script was inspired by https://check.torproject.org. In the past this was an important check when people were still recommended to use proxy settings to torify web browsers. Tor Browser is now securely pre-configured upon release, which means manual torification of web browsers is now recommended against. As an additional protection the default Tor Browser visits
check.torproject.org to confirm everything is working as expected.  This site also checks whether Tor Browser is up-to-date by having Tor Button perform a local check after downloading version information.
check.torproject.org is useful for a browser check, but Kicksecure ™ is a complete operating system. This means certain checks must be performed before the browser starts, otherwise a user's anonymity or security might be compromised. systemcheck's design allows the entire Kicksecure ™ community to stay informed about important updates or advice, and this is particularly important for users who might not start the browser or visit the Kicksecure ™ website regularly. For these reasons, systemcheck is automatically started after boot/login if it has not been completed within the last 24 hours. This behavior holds true even if the system is not restarted, thereby keeping any long-running systems (like Onion Services) safely informed.
If it is necessary to hide Tor and Kicksecure ™ use from an ISP, see here. While only a small minority of users configure their system to hide Tor, it is still desirable to hide any obvious Kicksecure ™ signature. Kicksecure ™ users are better off if adversaries cannot distinguish them from vanilla Tor Browser users, as the Kicksecure ™ user pool is far smaller.
When systemcheck auto-starts, it first waits for a randomized period of time ranging between 60 and 500 seconds. This obfuscation feature is intended to further stymie traffic analysis, while Tor is still responsible for basic defenses against traffic volume and pattern signatures. Without waiting for a randomized period traffic flows would be more distinguishable, since a spike in systemcheck traffic would always occur immediately after bootstrapping.
Tor bootstrap refers to the process of attempting to connect to the Tor network (successfully or unsuccessfully). Familiar output related to this process includes: "Tor connecting xx percent...", "Tor not connected", "Tor connected" and so on. Bootstrapping does not refer to related concepts, such as whether connections are "secure", "not secure", "anonymous" or "not anonymous".
In all the checks below, systemcheck warnings appear if a problem is detected. Conversely, systemcheck output is otherwise quiet unless using the
--verbose option. Any operating system updates, downloads or other network activity are stream-isolated by default.
Table: System Checks run by
|Canary||An automated Kicksecure ™ warrant canary check is available with the |
|Clock Source||Check if the clock source is KVMClock and warn if that is the case. |
|Control Port Filter Proxy||Check if Control Port Filter Proxy is running.|
|Entropy Test||An entropy availability check confirmscontains no less than 112 bytes.|
Also inform if Project-APT-Repository is enabled, and if so, which repository has been selected.
|IP Address Routing||Check if IP forwarding is disabled on Kicksecure ™ (|
|Leak Tests||When using |
|Log Inspection||When using the |
|Meta-package Check||Check if the relevant meta-packages  are installed on Kicksecure ™ (|
|Network Connection||Check setup-dist has properly configured networking.|
|Operating System Updates||apt update is run through a separate APT SocksPort for stream isolation. A notification is provided whether the system is up-to-date or requires updating.|
|Package Manager||Check if a package manager is currently running and wait until the process is finished.  This prevents connection failures during concurrent upgrades of the Tor or Control Port Filter Proxy packages.|
|Repository Notification||Notifies whether Kicksecure ™ APT Repository is enabled or not.|
|Stream Isolation||When using |
On Kicksecure ™ (
|Tor Bootstrap||Tor Bootstrap Status:
|Virtualization Platform||Check Kicksecure ™ is being run on one of the supported virtualizer platforms, including bare metal (Physical Isolation), VirtualBox, KVM or Qubes.|
Kicksecure ™ Build Version
The version number of the Kicksecure ™ build never changes. This is acceptable because at build time  the current Kicksecure ™ version number is added to the image itself. 
This information is made available so
systemcheck can determine which build script version was used to create that particular image.
This version number should remain static and be unaffected by updating or other issues, since it only applies to specific (usually older) versions of the build script. This is useful for diagnostic purposes and means specific build versions can be deprecated if they are too difficult or expensive to upgrade. In this case,
systemcheck's Kicksecure ™ News function would inform users about the change.
By design, the build version number cannot be upgraded. See also Upgrade vs Image Re-Installation. It's similar to a day of birth which is also unchangeable.
To check the current Kicksecure ™ version, run the following command.
The output should be similar to below.
[INFO] [systemcheck] disp766 | Kicksecure | kicksecure-16-dvm DispVM AppVM | Sun 25 Apr 2021 07:13:17 AM UTC
[INFO] [systemcheck] Input Detection: INPUT_AUTO=true CLI=true GUI=false stdin connected to terminal. Using cli output. Not using gui output. Alternatively, if want to run from command line, but still use the graphical user interface for input, you could add to command line: --gui [INFO] [systemcheck] Root Check Result: Ok, not running as root. [INFO] [systemcheck] /etc/kicksecure_version: 16
Warrant Canary Check
There are several reasons an Automated Warrant Canary Check is justified:
- Kicksecure ™ warrant canary has limited utility if it is forgotten over time and not regularly verified.
- It is unlikely the Kicksecure ™ warrant canary is routinely verified by the community.
- If a community member discovered the Kicksecure ™ warrant canary verification failed, there is no effective way to notify all Kicksecure ™ users.
Table: Automated Warrant Canary Check Features
|Function||Functions similar to an update check, but it establishes if Kicksecure ™ warrant canary is still valid.|
|Verbose parameter||During the initial deployment phase of this new feature, systemcheck will only show canary status information when using the |
|Troubleshooting||In case of issues, manually verify Kicksecure ™ warrant canary. Also see: Whonix Warrant Canary Forum Discussion|
Disable Warrant Canary Check
This will prevent the anonymous, daily Kicksecure ™ census.
/etc/systemcheck.d/50_user.conf in an editor with root rights.
(Kicksecure ™ inside Qubes: In Template)
Add the following content.
- Tor Browser in Kicksecure ™ is configured to load a local Kicksecure ™ resource after launch -- the familiar landing page.
- This is only expected to affect those following the KVM instructions.
- These capture packages which depend on all other recommended / default-installed packages.
- Otherwise, eventually the system is locked or the package manager is left in a broken state. Advice is provided on what to do in such circumstances.
- Some users may wonder why it is necessary to check the IP address if the Kicksecure ™ design ensures that the real IP cannot be leaked. Sometimes
check.torproject.orgreports false positives and fails to detect Tor exit nodes, so it is better to provide information about that possibility. This also reduces support requests and bad press. Users are welcome to investigate a Tor exit node that could not be detected, but it can be stated with high confidence that the IP address will be associated with a known Tor exit node.
- Another reason to perform this check is because some users set up dangerous and/or unsupported configurations, such as:
- Changing the Kicksecure ™ (
kicksecure) network interface from network to or .
- Using virtualizers which are entirely unsupported and untested by Kicksecure ™ developers.
- Installing arbitrary packages on Kicksecure ™ (
kicksecure-16). This could theoretically create leak vectors, and systemcheck is the last layer of defense against such leaks.
- Changing the Kicksecure ™ (
- The time at which the image was created.
dist-base-files.postinstchroot script in essence runs:
echo "$dist_build_version" > "$build_version_file"
- For convenience, the clearnet link that is unused by systemcheck can be previewed here: https://download.kicksecure.com/developer-meta-files/canary/canary.txt.embed.sig
sudo -u canary signify-openbsd -V -e -p /usr/share/repository-dist/derivative-distribution-signify-key.pub -x /var/lib/canary/canary.txt.embed.sig -m /var/lib/canary/canary-unembed.txt