systemcheck Hardening

From Kicksecure
Jump to navigation Jump to search

systemcheck attack surface reduction.

Rationale[edit]

Although systemcheck already has AppArmor and systemd hardening, some marginal security benefits are gained by reducing: the number of network connections, the amount of code running, and unnecessary functionality. This is not the default configuration, since that would come at the cost of decreased usability for the entire Kicksecure population.

Hardening Steps[edit]

Prevent Autostart[edit]

To prevent systemcheck from automatically starting, run.

sudo systemctl mask systemcheck

Prevent Kicksecure Warrant Canary Check and User Census Counting[edit]

Refer to the following systemcheck chapters:

Prevent Polluting TransPort[edit]

Info

  • This is only useful when running systemcheck --leak-tests. However, running this command with the Tor TransPort test disabled makes little sense; in that case it would be useful as a Tor SocksPort connectivity test.

Deactivate the TransPort Test for better Stream Isolation.

Open file /etc/systemcheck.d/50_user.conf in an editor with root rights.

Kicksecure

See Open File with Root Rights The Web Archive Onion Version for detailed instructions on why to use sudoedit for better security and how to use it.

sudoedit /etc/systemcheck.d/50_user.conf

Kicksecure for Qubes

NOTES:

sudoedit /etc/systemcheck.d/50_user.conf

  • After applying this change, shutdown the Template.
  • All App Qubes based on the Template need to be restarted if they were already running.
  • This is a general procedure required for Qubes and unspecific to Kicksecure for Qubes.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Kicksecure, please refer to this link.

sudoedit /etc/systemcheck.d/50_user.conf

Add the following content.

SYSTEMCHECK_DISABLE_TRANS_PORT_TEST="1"

Save.

Prevent Running APT[edit]

Info Complete these steps on both Kicksecure and Kicksecure.

This prevents the running of APT by systemcheck.

Open file /etc/systemcheck.d/50_user.conf in an editor with root rights.

Kicksecure

See Open File with Root Rights The Web Archive Onion Version for detailed instructions on why to use sudoedit for better security and how to use it.

sudoedit /etc/systemcheck.d/50_user.conf

Kicksecure for Qubes

NOTES:

sudoedit /etc/systemcheck.d/50_user.conf

  • After applying this change, shutdown the Template.
  • All App Qubes based on the Template need to be restarted if they were already running.
  • This is a general procedure required for Qubes and unspecific to Kicksecure for Qubes.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Kicksecure, please refer to this link.

sudoedit /etc/systemcheck.d/50_user.conf

Add the following content.

systemcheck_skip_functions+=" check_operating_system "

Prevent torproject.org Connections[edit]

Connections to The Tor Project are prevented by default, therefore no action is required.

systemcheck only connects to torproject.org if the command systemcheck --leak-tests is manually run.

Footnotes[edit]

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!