=== scope === * will be initially released for VMs (VirtualBox, Qubes, maybe KVM) * “sudo apt-get install hardened-debian-cli” will be possible on bare metal Debian hosts, in other words installations of Debian can be easily converted into Hardened Debian by installing the hardened-debian-cli or other hardened debian package * maybe later available as ISO for installation on hardware depending on community interest and support
=== hardening by default in Hardened Debian version 1 === * install haveged by default for better entropy * sdwdate (https://github.com/Whonix/sdwdate) rather than insecure NTP (https://www.whonix.org/wiki/Dev/TimeSync) * security-misc (https://github.com/Whonix/security-misc) - (deactivates previews in Dolphin; deactivates previews in Nautilus; deactivates TCP timestamps; deactivates Netfilter’s connection tracking helper;) * open-link-confirmation * enable apparmor by default * available apparmor profiles (https://github.com/Whonix?utf8=%E2%9C%93&q=apparmor-profile&type=&language=) * hopefully spectre / meltdown resistant by default (https://forums.whonix.org/t/whonix-vulerable-due-to-missing-processor-microcode-packages-spectre-meltdown-retpoline-l1-terminal-fault-l1tf/5739) === hardening by default in Hardened Debian version 2 === * hardened browser (https://www.whonix.org/wiki/Tor_Browser_without_Tor Tor Browser without Tor) === hardening by default in Hardened Debian version 3 === * better kernel version (https://forums.whonix.org/t/kernel-versions-and-security/5791) === usability by default === * https://github.com/Whonix/shared-folder-help 2 * https://github.com/Whonix/usability-misc 2 === desktop environment === - initially will be available most likely for: * CLI only (console only, no desktop environment) * KDE - Later on likely for: * XFCE === vision === * computer security community is larger than computer anonymity community - we can work on a shared interest that is security * we apply as many security settings by default * we apply as much as default from * Hardened Debian will be the base for Whonix - Anonymous Operating System (https://www.whonix.org/wiki/System_Hardening_Checklist Whonix is applying most of above already anyhow) === development status of version 1 === * approximately 50% done * meta package "hardened-debian-kde" and "hardened-debian-cli" exist - https://github.com/Whonix/anon-meta-packages/blob/master/debian/control * most packages working (since reused from Whonix) * build script ready (--flavor hardened-debian-kde / --hardened-debian-cli) * builds successfully === temporary homepage === * https://www.whonix.org/wiki/Hardened_Debian === Questions === * Are you interested in Hardened Debian? What do you think? What would you like to see? Any suggestions? -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing the moderator at zakwh...@stanford.edu.