scope:
- will be initially released for VMs (VirtualBox, Qubes, maybe KVM)
- "sudo apt-get install hardened-debian-cli" will be possible on bare metal Debian hosts, in other words installations of Debian can be easily converted into Hardened Debian by installing the hardened-debian-cli or other hardened debian package
- maybe later available as ISO for installation on hardware depending on community interest and support

hardening by default in Hardened Debian version 1:
- install haveged by default for better entropy
- sdwdate rather than insecure NTP
- security-misc (deactivates previews in Dolphin; deactivates previews in Nautilus; deactivates TCP timestamps; deactivates Netfilter's connection tracking helper)
- open-link-confirmation
- enable apparmor by default
- available apparmor profiles
- hopefully spectre / meltdown resistant by default

hardening by default in Hardened Debian version 2:
- hardened browser (Tor Browser without Tor)

hardening by default in Hardened Debian version 3:
- better kernel version

usability by default:
- https://github.com/Whonix/shared-folder-help
- https://github.com/Whonix/usability-misc

desktop environment:
initially will be available most likely for:
- CLI only (console only, no desktop environment)
- KDE
Later on likely for:
- XFCE

vision:
- computer security community is larger than computer anonymity community
- we can work on a shared interest that is security
- we apply as many security settings by default
- we apply as much as default from
- Hardened Debian will be the base for Whonix - Anonymous Operating System (Whonix is applying most of above already anyhow)

development status of version 1:
- approximately 50% done
- meta packages "hardened-debian-kde" and "hardened-debian-cli" exist
- https://github.com/Whonix/anon-meta-packages/blob/master/debian/control
- most packages working (since reused from Whonix)
- build script ready (--flavor hardened-debian-kde / --hardened-debian-cli)
- builds successfully

temporary homepage: https://www.whonix.org/wiki/Hardened_Debian

About me: I am the founder and a maintainer of the Debian Linux and Tor based Whonix - Anonymous Operating System.

Questions: Are you interested in Hardened Debian? What do you think? What would you like to see? Any suggestions?
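A defender's check for two of the security-misc settings the post lists, as an added example that is not the project's own code: it audits a sysctl-style file for `net.ipv4.tcp_timestamps` and `net.netfilter.nf_conntrack_helper` (real sysctl keys; the sample file is constructed here) and reports which keys are missing or still at a weaker value.

```shell
# Added example (not security-misc's own code): audit a sysctl-style file for
# the two network settings the post says security-misc disables by default.
# The sysctl keys are real; the sample file is constructed for this example.
HARDENED_EXPECTED='net.ipv4.tcp_timestamps=0
net.netfilter.nf_conntrack_helper=0'

# sysctl_value FILE KEY: effective value of KEY (comments stripped, spaces
# around '=' allowed, last assignment wins as in sysctl.d); empty if absent.
sysctl_value() {
    sed -n -e 's/[[:space:]]*#.*$//' \
        -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p" "$1" \
        | tail -n 1
}

# audit_sysctl FILE: print OK / WEAK / MISSING per expected key; return
# the number of keys not at their hardened value.
audit_sysctl() {
    _failures=0
    while IFS='=' read -r key want; do
        [ -n "$key" ] || continue
        have=$(sysctl_value "$1" "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want)"; _failures=$((_failures + 1))
        elif [ "$have" != "$want" ]; then
            echo "WEAK    $key=$have (want $want)"; _failures=$((_failures + 1))
        else
            echo "OK      $key=$have"
        fi
    done <<EOF
$HARDENED_EXPECTED
EOF
    return "$_failures"
}

# make_sample_conf FILE: constructed sysctl.d fragment that leaves TCP
# timestamps at the kernel default (on) and disables the conntrack helper
# only in a later, overriding line.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real Hardened Debian file
net.ipv4.tcp_timestamps = 1
net.netfilter.nf_conntrack_helper = 1
net.netfilter.nf_conntrack_helper = 0   # later assignment overrides
EOF
}
sample=$(mktemp)
make_sample_conf "$sample"
rc=0; audit_sysctl "$sample" || rc=$?
echo "keys not at hardened value: $rc"
rm -f "$sample"
```

Point it at `/etc/sysctl.d/*.conf` on a host to see which of these defaults a plain Debian install still lacks.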
Interesting! Some things that come to my mind: 1. Use Firejail to sandbox applications by default. 2. I don't know if Hardened Debian will be using SystemD. If it does - use its sandboxing abilities to confine system processes. 3. Kernel hardening: I'm sure you're aware of this.
Will use systemd, yes. These are all good things of course. Let's see how much we manage to implement.
Subgraph OS (development seems to have stopped) has some interesting ideas: http://www.linux-magazine.com/Issues/2017/198/Subgraph-OS/(language)/eng-US
Subgraph OS was all about grsec/sandbox everything, but it's not secure by design (like Qubes), which of course led to a vulnerability that took off its security, read: https://micahflee.com/2017/04/breaking-the-security-model-of-subgraph-os/ and it has been dead since 2017... (last tweet March 2018) ^TNT
Will this use the default debian repositories? If so, will it overwrite configuration for packages or harden packages after installation? Thanks for this initiative.
Yes plus hardened debian repositories. Overwrite configuration: only when we tweak settings for better security by default. Not sure what you mean by harden packages after installation.
The options I was trying to present: would the config be overwritten in a custom repository (hardened, as you state), versus overwriting config after installation from a default repository? What is going to be hosted in the hardened repositories?
Very interested and worthwhile. I'd second the use of Firejail as well as AppArmor. I haven't followed details of the grsec/kernel patches recently, and that debacle, but obviously all those good things should be "in". Secure boot with possible use of TPM, and LUKS encryption with Yubikey seem a decent possibility, especially for laptops where you don't want to be typing long strong passwords every time. It's embarrassing that a hardened Linux would not be able to compete with Windows, but that's the reality today in that aspect. Full support for U2F dongles and Yubikey PAM/SSL would be great, with hardened Meltdown/Spectre secrets hiding. I've been disappointed that Wayland hasn't been used for security boundaries more. I know that Qubes partitions like this, but it seems to me that the architecture should allow for better memory isolation and sandboxing. X was obviously a disaster from that perspective, but I don't see why Wayland shouldn't be better (though this is a lot of work which isn't the Wayland team's priority). I know this isn't exactly the kernel's responsibility, but if we're talking practical desktops, that does need attention and kernel support probably. Automounting of drives is not nearly configurable enough IMO. There are quite a few times when I do not want drives to be automounted and it is hard to turn that off.
These are all good ideas. Whatever gets implemented depends on traction in the community, i.e. how many people are going to contribute. Initially only the packages mentioned in the original post in this thread. (Also all Whonix packages, because I am going to reuse the same repository.) I would also like to have a compile farm to recompile all Debian packages with more hardening flags, like Ubuntu (minus spyware) (https://www.whonix.org/wiki/Dev/Operating_System#Comparison_of_Hardening_Compile_Flags), but I don't think I'll be able to do that alone.
I'm not sure if using Haveged is better, especially in VMs. Some references: https://lwn.net/Articles/525459/ https://security.stackexchange.com/...ed-as-a-source-of-entropy-on-virtual-machines Does it start in Hardened Debian by default?
haveged starts by default. It's working in VMs. It can and has been tested, see: https://www.whonix.org/wiki/Dev/Entropy#haveged Additionally, once based on Debian buster (next build), jitterentropy-rngd will be installed by default, started by default. We contacted the author and did testing in VMs, too. Works. References can be found here: https://phabricator.whonix.org/T817