Hardened Debian - In Development - Feedback Wanted!

Discussion in 'all things UNIX' started by adrelanos, Sep 15, 2018.

  1. adrelanos

    adrelanos Registered Member

    Joined:
    Sep 28, 2012
    Posts:
    85
    scope:

    - will be initially released for VMs (VirtualBox, Qubes, maybe KVM)
    - "sudo apt-get install hardened-debian-cli" will be possible on bare metal Debian hosts, in other words installations of Debian can be easily converted into Hardened Debian by installing the hardened-debian-cli or other hardened debian package
    - maybe later available as ISO for installation on hardware depending on community interest and support

    hardening by default in Hardened Debian version 1:

    - install haveged by default for better entropy
    - sdwdate rather than insecure NTP
    - security-misc (deactivates previews in Dolphin; deactivates previews in Nautilus; deactivates TCP timestamps; deactivates Netfilter's connection tracking helper;)
    - open-link-confirmation
    - enable apparmor by default
    - available apparmor profiles
    - hopefully spectre / meltdown resistant by default

    hardening by default in Hardened Debian version 2:

    - hardened browser (Tor Browser without Tor)

    hardening by default in Hardened Debian version 3:

    - better kernel version

    usability by default:

    - https://github.com/Whonix/shared-folder-help
    - https://github.com/Whonix/usability-misc

    desktop environment:

    initially will be available most likely for:
    - CLI only (console only, no desktop environment)
    - KDE

    Later on likely for:
    - XFCE

    vision:

    - computer security community is larger than computer anonymity community - we can work on a shared interest that is security
    - we apply as many security settings by default
    - we apply as much as default from
    - Hardened Debian will be the base for
    Whonix - Anonymous Operating System (Whonix is applying most of above already anyhow)

    development status of version 1:

    - approximately 50% done
    - meta package "hardened-debian-kde" and "hardened-debian-cli" exist - https://github.com/Whonix/anon-meta-packages/blob/master/debian/control
    - most packages working (since reused from Whonix)
    - build script ready (--flavor hardened-debian-kde / --hardened-debian-cli)
    - builds successfully

    temporary homepage:
    https://www.whonix.org/wiki/Hardened_Debian

    About me:
    I am the founder and a maintainer of the Debian Linux and Tor based Whonix - Anonymous Operating System.

    Questions:

    Are you interested in Hardened Debian? What do you think? What would you like to see? Any suggestions?
     
  2. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,225
    Interesting!

    Some things that come to my mind:
    1. Use Firejail to sandbox applications by default.
    2. I don't know if Hardened Debian will be using SystemD. If it does - use its sandboxing abilities to confine system processes.
    3. Kernel hardening: I'm sure you're aware of this.
     
  3. adrelanos

    adrelanos Registered Member

    Joined:
    Sep 28, 2012
    Posts:
    85
    Will use systemd, yes.

    These are all good things of course. Let's see how much we manage to implement.
     
  4. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,912
    Location:
    Outer space
  5. adrelanos

    adrelanos Registered Member

    Joined:
    Sep 28, 2012
    Posts:
    85
  6. Cryptk

    Cryptk Registered Member

    Joined:
    Oct 4, 2018
    Posts:
    2
    Location:
    Earth
    Will this use the default debian repositories? If so, will it overwrite configuration for packages or harden packages after installation?

    Thanks for this initiative.
     
  7. adrelanos

    adrelanos Registered Member

    Joined:
    Sep 28, 2012
    Posts:
    85
    Yes plus hardened debian repositories.

    Overwrite configuration: only when we tweak settings for better security by default.
    Not sure what you mean by harden packages after installation.
     
  8. Cryptk

    Cryptk Registered Member

    Joined:
    Oct 4, 2018
    Posts:
    2
    Location:
    Earth
    The options I was trying to present: would the config be overwritten in a custom repository (hardened as you state) versus overwriting config after installation from a default repository.

    What is going to be hosted in the hardened repositories?
     
  9. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Very interested and worthwhile.

    I'd second use of Firejail as well as Apparmor.

    I haven't followed details of the grsec/kernel patches recently, and that debacle, but obviously, all those good things should be "in".

    Secure boot with possible use of TPM, and LUKS encryption with Yubikey seem a decent possibility, especially for laptops where you don't want to be typing long strong passwords every time. It's embarrassing that a hardened Linux would not be able to compete with Windows, but that's the reality today in that aspect.

    Full support for U2F dongles and Yubikey PAM/SSL would be great, with hardened Meltdown/Spectre secrets hiding.

    I've been disappointed that wayland hasn't been used for security boundaries more. I know that Qubes partitions like this, but it seems to me that the architecture should allow for better memory isolation and sandboxing. X was obviously a disaster from that perspective, but I don't see why wayland shouldn't be better (though this is a lot of work which isn't the wayland teams priority). I know this isn't exactly the kernel's responsibility, but if we're talking practical desktops, that does need attention and kernel support probably.

    Automounting of drives is not nearly configurable enough IMO. There are quite a few times when I do not want drives to be automounted and it is hard to turn that off.
     
  10. adrelanos

    adrelanos Registered Member

    Joined:
    Sep 28, 2012
    Posts:
    85
    These are all good ideas. What gets ever implemented depends on traction in community, i.e. how many people are going to contribute.

    Initially only packages as mentioned in original post in this subject.

    (Also all Whonix packages because I am going to reuse the same repository.)

    I would also like to have a compile farm, recompile all Debian packages with more hardening flags such as Ubuntu (minus spyware) (https://www.whonix.org/wiki/Dev/Operating_System#Comparison_of_Hardening_Compile_Flags) but I don't think I'll be able to do that alone.
     
  11. 142395

    142395 Guest

  12. adrelanos

    adrelanos Registered Member

    Joined:
    Sep 28, 2012
    Posts:
    85
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.