{{Header}}
{{#seo:
|description=Hardening the Debian operating system, which is the base {{project_name_long}}. It covers topics such as Debian Security Announcements, hardening steps, kernel hardening, and module loading.

|image=Oshardening34234.jpg
}}
[[File:Oshardening34234.jpg|thumb]]
{{intro|
The page is about hardening the Debian operating system, which is the base {{project_name_short}}. It covers topics such as Debian Security Announcements, hardening steps, kernel hardening, and module loading.
}}
= Debian =

== Debian Security Announcements ==

Since {{project_name_short}} is based on Debian, it takes advantage of all the hard work done by their security team: <ref>
https://www.debian.org/security/</ref>

<blockquote>Debian takes security very seriously. We handle all security problems brought to our attention and ensure that they are corrected within a reasonable timeframe. Many advisories are coordinated with other free software vendors and are published the same day a vulnerability is made public and we also have a Security Audit team that reviews the archive looking for new or unfixed security bugs.

Experience has shown that "security through obscurity" does not work. Public disclosure allows for more rapid and better solutions to security problems. In that vein, this page addresses Debian's status with respect to various known security holes, which could potentially affect Debian.</blockquote>

Users should consider subscribing to the Debian [https://lists.debian.org/debian-security-announce/ security announcement mailing list] to stay informed about the latest security advisories.

== Harden Debian ==

Most hardening steps cannot be easily added to {{project_name_short}} by default. Any major changes require careful research and significant developer/tester effort, otherwise system errors or breakage may occur. This is an open topic and {{project_name_short}} developers are amenable to suggestions - improving operating system security will always be a primary design goal.

Before attempting additional hardening measures below, be sure to fully understand them and apply the steps carefully:

* [https://wiki.debian.org/HardeningWalkthrough Debian Hardening Walkthrough]
* [https://www.debian.org/security/ Debian Security Information]
* [https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html Securing Debian Manual]
** [https://www.debian.org/doc/manuals/securing-debian-manual/automatic-harden.en.html Securing Debian Manual Chapter 6 - Automatic hardening of Debian systems]

Readers are welcome to add any additional hardening resources to this list.

== Hardened Kernels ==

The upstream Kernel Self Protection Project (KSPP) <ref>https://www.openwall.com/lists/kernel-hardening/</ref> was established in 2015 with the goal of introducing more hardening features into mainline Linux. This includes many features found in the Grsecurity patchset, which was [https://www.phoronix.com/news/GrSecurity-No-Longer-Free publicly available until early 2017]. One advantage of KSPP is that users will no longer need to compile and tweak settings to create a secure kernel. Instead, many hardening features will become the default over time in various distributions. Up-to-date information on available hardening features can be viewed [https://github.com/a13xp0p0v/linux-kernel-defence-map here].

The Hardened Kernel Project is a collaborative effort between Arch and Gentoo developers who handled Grsecurity packaging in their respective distributions with the goal of accelerating mainlining of the patchset. <ref>https://github.com/GrapheneOS/linux-hardened/wiki</ref> <ref>https://github.com/anthraxx/linux-hardened</ref>

While kernel hardening is important, it only addresses a subset of security risks. It cannot protect against backdoors or security issues related to design, policy or yet unknown exploit classes.

== Module Loading ==
Restricting module loading can protect the kernel.

Chapter "Module Loading" is for advanced users only since it could break various things. This is still under development. See {{project_name_short}} development discussion: [https://forums.whonix.org/t/allow-loading-signed-kernel-modules-by-default-disallow-kernel-module-loading-by-default/7880 allow loading signed kernel modules by default / disallow kernel module loading by default]

<code>/usr/lib/modules-load.d/whonix-firewall.conf</code>

{{CodeSelect|code=
ipt_REJECT
ip6t_REJECT

nft_chain_nat_ipv4
nft_chain_route_ipv4
nft_chain_route_ipv6
nft_compat
nft_counter

xt_conntrack
xt_state
xt_tcpudp
}}

<code>/usr/lib/modules-load.d/xfce.conf</code>

{{CodeSelect|code=
snd_intel8x0

## Platform specific?
## is autoloaded by snd_intel8x0
#snd

evdev
drm

## works without too
#binfmt_misc
}}

{{project_name_workstation_long}} only: <code>/usr/lib/modules-load.d/kloak.conf</code>

{{CodeSelect|code=
uinput
}}

VirtualBox only: <code>/usr/lib/modules-load.d/vbox.conf</code>

{{CodeSelect|code=
vboxguest
vboxsf
vboxvideo
}}

Disable module loading by creating this file: <code>/etc/sysctl.d/module-loading.conf</code>

{{CodeSelect|code=
kernel.modules_disabled=1
}}

After reboot, test if module loading is really disabled. Try to load any module, for example <code>apanel</code>.

{{CodeSelect|code=
sudo modprobe apanel
}}

Should show.

<pre>
modprobe: ERROR: could not insert 'apanel': Operation not permitted
</pre>

== Harden Software Repositories ==

Many operating systems provide multiple repositories. Since the {{project_name_short}} implementation is based on Debian, these resources provide a suitable introduction for interested readers:

* [https://www.debian.org/doc/debian-policy/ch-archive.html Debian Policy Manual Chapter 2 - The Debian Archive].
* [https://help.ubuntu.com/community/Repositories/ Ubuntu Repositories (similar to Debian)].

In summary, these resources confirm the main repository receives the most developer attention and security updates. This suggests a degree of hardening might involve editing ''/etc/apt/sources.list'' to strictly limit software to the main repository, while only installing security fixes and no other updates.

{{project_name_short}} has <u>not</u> implemented this design by default and it is an open research question whether this will actually improve security.

= Vulnerabilities at Install Time =

== Introduction ==

Various installation media expose users to vulnerabilities, including:

* <u>Importable [[Download|VM images]]:</u> {{project_name_short}} and [https://virtualboxes.org/ other images].
* <u>Installer DVDs:</u> [https://www.debian.org Debian] and other major platforms.
* <u>Live DVDs:</u> [https://tails.boum.org Tails] and similar platforms.
* <u>VM Images built with [[Dev/Build_Documentation|frozen sources]]:</u> Platforms without current sources.

The threat arises because the latest stable releases sometimes contain vulnerable, remotely exploitable applications. These applications are very likely to be used over untrusted networks <ref>Such as Tor exit relays.</ref> which are in a position to run [[Warning#Man-in-the-middle_Attacks|Man-in-the-Middle Attacks]].

One recent example is the January, 2019 APT vulnerability ([https://security-tracker.debian.org/tracker/CVE-2019-3462 CVE-2019-3462]) which allowed content injection by a MiTM attacker, thereby enabling remote code execution on the affected Linux machine. Specifically, improper sanitization of parameters in HTTP redirects allowed malicious content (altered packages) to be installed via a harmful mirror or direct injection into the network traffic. <ref>https://thehackernews.com/2019/01/linux-apt-http-hacking.html</ref> For another example, see [https://lists.debian.org/debian-security-announce/2014/msg00219.html CVE-2014-6273] which affected APT in 2014.

Readers are welcome to help research this issue further and document sane and effective solutions. <ref>[https://forums.whonix.org/t/new-chapter-vulnerabilities-at-install-time-in-advanced-security-guide/538 Forum discussion].</ref> For example, users who solely rely on Debian and {{project_name_short}} onion services for updates may have had (partial) protection against the 2019 APT bug, but this requires investigation.

== Possible Solutions ==

=== Always Up-to-date Builds ===

If {{project_name_short}} regularly released up-to-date builds, this would be an optimal solution for end users. However, the maintenance effort -- building, testing and uploading -- is resource-intensive and not currently feasible for the {{project_name_short}} team.

Greater community support is needed for [[Contribute#Testing|testing]] proposed {{project_name_short}} package updates and major new releases, alongside an automated test suite for {{project_name_short}}.

=== apt-cache ===

When using virtual machines, {{project_name_gateway_long}} could be configured to use the host apt-cache. [[Physical Isolation|Physically-isolated]] {{project_name_gateway_long}} could use an apt-cache running on a separate machine. [https://packages.debian.org/apt-cacher-ng apt-cacher-ng] is an example implementation of such an apt-cache.

This configuration does not secure [[Operating_System_Software_and_Updates#Updates|operating system updates]] by default over Tor, which is a big disadvantage. <ref>This leaks a list of installed packages to ISP-level adversaries and update servers. For example, if a user installed a webserver that is likely to be used to host a hidden web service, then this information would leak.</ref> It would be first necessary to determine how to configure apt-cacher-ng on the host to force downloads through Tor.

=== apt-offline ===

Another possibility is somehow using [https://packages.debian.org/apt-offline apt-offline] to complete the initial updates of {{project_name_short}}.

=== Building from Source Code using Current Sources ===

Self-created {{project_name_short}} builds from source code use [[Template:Build_Documentation_CurrentSources|current sources]], thereby solving this problem. Although frozen sources have been deprecated for reasons outlined in the [[Dev/Build_Documentation|Build]] documentation, using current sources comes with its own issues.

= Footnotes =
{{reflist|close=1}}

{{Footer}}

[[Category:Documentation]]