systemcheck Hardening
Donate
systemcheck attack surface reduction.
Rationale
[edit]Although systemcheck already has AppArmor and systemd hardening, some marginal security benefits are gained by reducing the number of network connections, the amount of code running, and unnecessary functionality. This is not the default configuration, since that would come at the cost of decreased usability for the entire Kicksecure population.
Hardening Steps
[edit]Prevent Autostart
[edit]1 Sysmaint Notice
- A If using
user-sysmaint-split: The user must boot into the sysmaint session. For details and instructions on how to do so, see user-sysmaint-split. - B If using unrestricted admin mode: This sysmaint notice does not apply. Continue with the steps below.
1 To prevent systemcheck from automatically starting, run.
sudo systemctl mask systemcheck
2 Learn about, consider disabling Update Notifications by updatecheck.
Optional.
Do not use sudo/root.
systemctl --user mask updatecheck.service
2 Done.
Autostart for systemcheck has been prevented.
Prevent Kicksecure Warrant Canary Check and User Census Counting
[edit]1 Refer to the following systemcheck chapters:
2 Done.
The relevant systemcheck chapters have been referenced.
Prevent Polluting TransPort
[edit]
This is applicable to Whonix only, which is a derivative of Kicksecure.
This is only useful when running systemcheck --leak-tests. However, running this command with the Tor TransPort test disabled makes little sense; in that case, it would be useful as a Tor SocksPort connectivity test.
Deactivate the TransPort test for better Stream Isolation
.
1 Open the following file with root rights.
Open file /etc/systemcheck.d/50_user.conf in an editor with administrative ("root") rights.
1 Select your platform.
2 Notes.
- Sudoedit guidance: See Open File with Root Rights for details on why using
sudoeditimproves security and how to use it. - Editor requirement: Close Featherpad (or the chosen text editor) before running the
sudoeditcommand.
3 Open the file with root rights.
sudoedit /etc/systemcheck.d/50_user.conf
2 Notes.
- Sudoedit guidance: See Open File with Root Rights for details on why using
sudoeditimproves security and how to use it. - Editor requirement: Close Featherpad (or the chosen text editor) before running the
sudoeditcommand. - Template requirement: When using Kicksecure-Qubes, this must be done inside the Template.
3 Open the file with root rights.
sudoedit /etc/systemcheck.d/50_user.conf
4 Notes.
- Shut down Template: After applying this change, shut down the Template.
- Restart App Qubes: All App Qubes based on the Template need to be restarted if they were already running.
- Qubes persistence: See also Qubes Persistence
- General procedure: This is a general procedure required for Qubes and is unspecific to Kicksecure-Qubes.
2 Notes.
- Example only: This is just an example. Other tools could achieve the same goal.
- Troubleshooting and alternatives: If this example does not work for you, or if you are not using Kicksecure, please refer to Open File with Root Rights.
3 Open the file with root rights.
sudoedit /etc/systemcheck.d/50_user.conf
2 Add the following content.
SYSTEMCHECK_DISABLE_TRANS_PORT_TEST="1"
3 Save.
4 Done.
The TransPort test has been disabled for systemcheck.
Prevent Running APT
[edit]
Complete these steps on both Kicksecure and Kicksecure.
This prevents the running of APT by systemcheck.
1 Open the following file with root rights.
Open file /etc/systemcheck.d/50_user.conf in an editor with administrative ("root") rights.
1 Select your platform.
2 Notes.
- Sudoedit guidance: See Open File with Root Rights for details on why using
sudoeditimproves security and how to use it. - Editor requirement: Close Featherpad (or the chosen text editor) before running the
sudoeditcommand.
3 Open the file with root rights.
sudoedit /etc/systemcheck.d/50_user.conf
2 Notes.
- Sudoedit guidance: See Open File with Root Rights for details on why using
sudoeditimproves security and how to use it. - Editor requirement: Close Featherpad (or the chosen text editor) before running the
sudoeditcommand. - Template requirement: When using Kicksecure-Qubes, this must be done inside the Template.
3 Open the file with root rights.
sudoedit /etc/systemcheck.d/50_user.conf
4 Notes.
- Shut down Template: After applying this change, shut down the Template.
- Restart App Qubes: All App Qubes based on the Template need to be restarted if they were already running.
- Qubes persistence: See also Qubes Persistence
- General procedure: This is a general procedure required for Qubes and is unspecific to Kicksecure-Qubes.
2 Notes.
- Example only: This is just an example. Other tools could achieve the same goal.
- Troubleshooting and alternatives: If this example does not work for you, or if you are not using Kicksecure, please refer to Open File with Root Rights.
3 Open the file with root rights.
sudoedit /etc/systemcheck.d/50_user.conf
2 Add the following content.
systemcheck_skip_functions+=" check_operating_system "
3 Consider disabling updatecheck.
Learn about, consider disabling Update Notifications by updatecheck.
4 Done.
APT checks by systemcheck have been prevented.
Prevent torproject.org Connections
[edit]1 Connections to The Tor Project are prevented by default; therefore, no action is required.
systemcheck only connects to torproject.org if the command systemcheck --leak-tests is manually run.
2 Done.
It has been confirmed that no additional steps are required by default.
Footnotes
[edit]
A secure by default operating system with the latest security research in place.
At
Kicksecure we value freedom and trust, supporting Open Source and Freedom Software
2012-
2026 ENCRYPTED SUPPORT LLC
We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 14 year success story and maybe DONATE!