systemcheck Hardening

From Kicksecure
Jump to navigation Jump to search

Whonixcheckhard.jpg

systemcheck attack surface reduction.

Rationale[edit]

Although systemcheck already has AppArmor and systemd hardening, some marginal security benefits are gained by reducing: the number of network connections, the amount of code running, and unnecessary functionality. This is not the default configuration, since that would come at the cost of decreased usability for the entire Kicksecure ™ population.

Hardening Steps[edit]

Prevent Autostart[edit]

To prevent systemcheck from automatically starting, run.

sudo systemctl mask systemcheck

Prevent Kicksecure ™ Warrant Canary Check and User Census Counting[edit]

Refer to the following systemcheck chapters:

Prevent Polluting TransPort[edit]

Info

  • This is only useful when running systemcheck --leak-tests. However, running this command with the Tor TransPort test disabled makes little sense; in that case it would be useful as a Tor SocksPort connectivity test.

Deactivate the TransPort Test for better Stream Isolation.

Open file /etc/systemcheck.d/50_user.conf in an editor with root rights.

(Kicksecure ™ for Qubes: In Template)

This box uses sudoedit for better security. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Kicksecure ™, please refer to this link.

sudoedit /etc/systemcheck.d/50_user.conf

Add the following content.

SYSTEMCHECK_DISABLE_TRANS_PORT_TEST="1"

Save.

Prevent Running APT[edit]

Info Complete these steps on both Kicksecure ™ and Kicksecure ™.

This prevents the running of APT by systemcheck.

Open file /etc/systemcheck.d/50_user.conf in an editor with root rights.

(Kicksecure ™ for Qubes: In Template)

This box uses sudoedit for better security. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Kicksecure ™, please refer to this link.

sudoedit /etc/systemcheck.d/50_user.conf

Add the following content.

systemcheck_skip_functions+=" check_operating_system "

Prevent torproject.org Connections[edit]

Connections to The Tor Project are prevented by default, therefore no action is required.

systemcheck only connects to torproject.org if the command systemcheck --leak-tests is manually run.

Footnotes[edit]

Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.
Retrieved from "https://www.kicksecure.com/w/index.php?title=Systemcheck_Hardening&oldid=70058"