[tor-talk] Hardened Debian Security Focused Distribution - Feedback Wanted!

john doe johndoe65534 at mail.com
Fri Sep 28 17:50:33 UTC 2018


On 9/27/2018 9:10 AM, TNT BOM BOM wrote:
> === scope ===
> 
> * will be initially released for VMs (VirtualBox, Qubes, maybe KVM)
> * “sudo apt-get install hardened-debian-cli” will be possible on bare
> metal Debian hosts, in other words installations of Debian can be easily
> converted into Hardened Debian by installing the hardened-debian-cli or
> other hardened debian package
> * maybe later available as ISO for installation on hardware depending on
> community interest and support
> 

Being able to do a fresh install of something that involves
"security/anonymity" is clearly welcome.
I don't feel comfortable installing some "security" on top of something
else.

> === hardening by default in Hardened Debian version 1 ===
> 
> * install haveged by default for better entropy
> * sdwdate (https://github.com/Whonix/sdwdate) rather than insecure NTP
> (https://www.whonix.org/wiki/Dev/TimeSync)
> * security-misc (https://github.com/Whonix/security-misc) - (deactivates
> previews in Dolphin; deactivates previews
> in Nautilus; deactivates TCP timestamps; deactivates Netfilter’s
> connection tracking helper;)
> * open-link-confirmation
> * enable apparmor by default
> * available apparmor profiles
> (https://github.com/Whonix?utf8=%E2%9C%93&q=apparmor-profile&type=&language=)
> * hopefully spectre / meltdown resistant by default
> (https://forums.whonix.org/t/whonix-vulerable-due-to-missing-processor-microcode-packages-spectre-meltdown-retpoline-l1-terminal-fault-l1tf/5739)
> 
> === hardening by default in Hardened Debian version 2 ===
> 
> * hardened browser (https://www.whonix.org/wiki/Tor_Browser_without_Tor
> Tor Browser without Tor)
> 
> === hardening by default in Hardened Debian version 3 ===
> 
> * better kernel version
> (https://forums.whonix.org/t/kernel-versions-and-security/5791)
> 
> === usability by default ===
> 
> * https://github.com/Whonix/shared-folder-help
> * https://github.com/Whonix/usability-misc
> 
> === desktop environment ===
> 
> - initially will be available most likely for:
> 
> * CLI only (console only, no desktop environment)

Will links2 be available?

> * KDE
> 
> - Later on likely for:
> 
> * XFCE
> 
> === vision ===
> 
> * computer security community is larger than computer anonymity
> community - we can work on a shared interest that is security
> * we apply as many security settings by default
> * we apply as much as default from
> * Hardened Debian will be the base for Whonix - Anonymous Operating
> System (https://www.whonix.org/wiki/System_Hardening_Checklist Whonix is
> applying most of above already anyhow)
> 
> === development status of version 1 ===
> 
> * approximately 50% done
> * meta package "hardened-debian-kde" and "hardened-debian-cli" exist -
> https://github.com/Whonix/anon-meta-packages/blob/master/debian/control
> * most packages working (since reused from Whonix)
> * build script ready (--flavor hardened-debian-kde / --hardened-debian-cli)
> * builds successfully
> 
> === temporary homepage ===
> * https://www.whonix.org/wiki/Hardened_Debian
> 
> === Questions ===
> 
> * Are you interested in Hardened Debian? What do you think? What would
> you like to see? Any suggestions?
> 

Firewall capability would be nice.
Remote access to Hardened Debian.
Fully installable/usable using CLI.

Note that my comments are based on my understanding of Hardened Debian
which I understand to be a Debian distribution with security in mind.

P.S. My SMTP provider restricts the number of recipients I can send to.

-- 
John Doe

