Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Hardened Debian Security Focused Distribution - Feedback Wanted!

TNT BOM BOM bo0od at riseup.net
Thu Sep 27 00:10:00 PDT 2018


=== scope ===

* will be initially released for VMs (VirtualBox, Qubes, maybe KVM)
* “sudo apt-get install hardened-debian-cli” will be possible on bare
metal Debian hosts, in other words installations of Debian can be easily
converted into Hardened Debian by installing the hardened-debian-cli or
other hardened debian package
* maybe later available as ISO for installation on hardware depending on
community interest and support

=== hardening by default in Hardened Debian version 1 ===

* install haveged by default for better entropy
* sdwdate (https://github.com/Whonix/sdwdate) rather than insecure NTP
(https://www.whonix.org/wiki/Dev/TimeSync)
* security-misc (https://github.com/Whonix/security-misc) - (deactivates
previews in Dolphin; deactivates previews
in Nautilus; deactivates TCP timestamps; deactivates Netfilter’s
connection tracking helper;)
* open-link-confirmation
* enable apparmor by default
* available apparmor profiles
(https://github.com/Whonix?utf8=%E2%9C%93&q=apparmor-profile&type=&language=)
* hopefully spectre / meltdown resistant by default
(https://forums.whonix.org/t/whonix-vulerable-due-to-missing-processor-microcode-packages-spectre-meltdown-retpoline-l1-terminal-fault-l1tf/5739)

=== hardening by default in Hardened Debian version 2 ===

* hardened browser (https://www.whonix.org/wiki/Tor_Browser_without_Tor
Tor Browser without Tor)

=== hardening by default in Hardened Debian version 3 ===

* better kernel version
(https://forums.whonix.org/t/kernel-versions-and-security/5791)

=== usability by default ===

* https://github.com/Whonix/shared-folder-help 2
* https://github.com/Whonix/usability-misc 2

=== desktop environment ===

- initially will be available most likely for:

* CLI only (console only, no desktop environment)
* KDE

- Later on likely for:

* XFCE

=== vision ===

* computer security community is larger than computer anonymity
community - we can work on a shared interest that is security
* we apply as many security settings by default
* we apply as much as default from
* Hardened Debian will be the base for Whonix - Anonymous Operating
System (https://www.whonix.org/wiki/System_Hardening_Checklist Whonix is
applying most of above already anyhow)

=== development status of version 1 ===

* approximately 50% done
* meta package "hardened-debian-kde" and "hardened-debian-cli" exist -
https://github.com/Whonix/anon-meta-packages/blob/master/debian/control
* most packages working (since reused from Whonix)
* build script ready (--flavor hardened-debian-kde / --hardened-debian-cli)
* builds successfully

=== temporary homepage ===
* https://www.whonix.org/wiki/Hardened_Debian

=== Questions ===

* Are you interested in Hardened Debian? What do you think? What would
you like to see? Any suggestions?


More information about the liberationtech mailing list