{{Header}}
{{hide_all_banners}}
{{title|title={{project_name_long}} - A Security Hardened Linux Distribution}}
{{#css:/src-copy/_Page_About.css}}
{{#seo:
|description={{project_name_long}} Overview. Security by Design, Usability by default. A Hardened Fork of Debian.
|image=Kicksecure-image-twitter-post.jpg
}}
{{intro|
{{project_name_short}} is a free and open-source Linux distribution that aims to provide a highly secure computing environment. It has been developed from the ground up according to a formidable, time-proven defense-in-depth security design. In the default configuration, {{project_name_short}} provides superior layered defenses against many types of [[Malware_and_Firmware_Trojans#Malware|malware]].

{{project_name_short}} is a complete computer operating system. Numerous applications come pre-installed with safe defaults which can be used immediately upon installation with minimal user input.
}}
{{LeftRightImageText |image=Kicksecure-promo.jpg |addToClass=promo-style |imagelink=About#Hardening_by_Default |imageAlt=Kicksecure promo image |text=

Security Hardened

{{project_name_short}} uses an extensively security-reconfigured Debian base (Hardened) which is run inside multiple virtual machines (VMs) on top of the host OS. This architecture provides a substantial layer of protection from malware and [[Data_Collection_Techniques#IP_Address|IP]] leaks. Applications are pre-installed and configured with safe defaults to make them ready for use with minimal user input.

}}
{{LeftRightImageText |image=Onion-website-promo.jpg |addToClass=promo-style |imageright=1 |imagelink=About#Hardening_by_Default |imageAlt=Torified apt promo image |text=

Secure and Privacy-Protected Software Installation and Upgrades

Default software management (installing and upgrading software) is much more secure and private, making it harder for anyone to send you targeted, malicious software updates. This only applies to system updates, which go over Tor; it does not cover all your internet traffic. [[#Hardening_by_Default|Learn more]]

}}
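The following is an added example and is not part of {{project_name_short}} or of its anon-apt-sources-list package. It is a small POSIX shell audit that reads APT source entries and reports any entry that would contact a package mirror outside Tor or over unencrypted http, which is the property the torified updates described above and the HTTPS-by-default APT sources described under Hardening by Default rely on. It assumes that apt-transport-tor is installed (so that APT understands tor+ URIs); the sources lines it runs on are constructed for the example, and the .onion name in them is a placeholder.

```shell
#!/bin/sh
# Added example, not Kicksecure's own code: audit APT source entries and report
# those that would reach a package mirror outside Tor or over unencrypted http.
#
# Accepted transports are the two that keep the whole fetch inside Tor:
#   tor+https://host/...          Tor circuit to a TLS-protected clearnet mirror
#   tor+http://<name>.onion/...   onion service, encrypted end to end by Tor
# Assumption: apt-transport-tor is installed, otherwise APT cannot use tor+ URIs.
# Both one-line style entries ("deb [opts] URI suite comp...") and the "URIs:"
# field of deb822 style .sources files are understood; other lines are skipped.

# classify_uri URI -> prints "ok" or "insecure"
classify_uri() {
    case $1 in
        tor+https://*)                           echo ok ;;
        tor+http://*.onion|tor+http://*.onion/*) echo ok ;;
        *)                                       echo insecure ;;
    esac
}

# classify_source_line LINE -> prints "ok", "insecure" or "skip"
classify_source_line() {
    set -f                 # word-split the line without pathname expansion
    set -- $1
    set +f
    if [ $# -eq 0 ]; then echo skip; return 0; fi
    kind=$1
    case $kind in
        '#'*)        echo skip; return 0 ;;   # comment
        deb|deb-src) shift ;;                 # one-line style entry
        URIs:)       shift ;;                 # deb822 style field
        *)           echo skip; return 0 ;;   # other deb822 fields, noise
    esac
    # A one-line style entry may carry an "[opt=val ...]" group before the
    # URI; it can span several words, so drop words up to the closing bracket.
    case $1 in
        '['*)
            while [ $# -gt 0 ]; do
                arg=$1; shift
                case $arg in *']') break ;; esac
            done ;;
    esac
    if [ "$kind" = URIs: ]; then
        # deb822 may list several URIs; the entry is insecure if any one is
        while [ $# -gt 0 ]; do
            if [ "$(classify_uri "$1")" != ok ]; then echo insecure; return 0; fi
            shift
        done
        echo ok
    else
        classify_uri "$1"   # one-line style: the URI is followed by suite/components
    fi
}

# audit_apt_sources < FILE -> prints every insecure entry; exit status 1 if any
audit_apt_sources() {
    n=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        if [ "$(classify_source_line "$line")" = insecure ]; then
            bad=$((bad + 1))
            printf 'line %d: not fetched through Tor: %s\n' "$n" "$line"
        fi
    done
    [ "$bad" -eq 0 ]
}

# count_insecure_sources < FILE -> prints the number of insecure entries
count_insecure_sources() {
    audit_apt_sources | wc -l | tr -d ' '
}

# sample_sources -> a constructed sources list for demonstration; the .onion
# name is a placeholder, not a real address
sample_sources() {
    cat <<'EOF'
# constructed sample, not a file shipped by Kicksecure
deb tor+https://deb.debian.org/debian bookworm main contrib non-free
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] tor+http://placeholder.onion/debian bookworm main
deb https://deb.debian.org/debian-security bookworm-security main
deb http://deb.debian.org/debian bookworm-backports main
deb-src tor+https://deb.debian.org/debian bookworm main
URIs: tor+https://deb.debian.org/debian https://deb.debian.org/debian
EOF
}

# Demo on the constructed sample. On a real system, feed the live configuration:
#   cat /etc/apt/sources.list /etc/apt/sources.list.d/* 2>/dev/null | audit_apt_sources
sample_sources | audit_apt_sources || echo "some entries bypass Tor or TLS"
```

On the constructed sample the audit reports three entries: the two clearnet one-line entries (https and http) and the deb822 `URIs:` line, which lists a clearnet fallback next to its Tor mirror and is therefore flagged as a whole. A plain `https://` entry is reported even though it is encrypted, because the mirror would still see the user's real IP address, which is exactly the distinction between the "Better" and "Best" cases in the table below.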
{{LeftRightImageText |image=Selected-software-promo.jpg |addToClass=promo-style |imagelink=About#Hardening_by_Default |imageAlt=Selected software promo image |text=

Curated Software Pre-Selection

In {{project_name_short}}, no unnecessary software such as exim, samba or cups is installed by default. At the same time, security enhancing software like AppArmor, sdwdate and tirdad is preinstalled. [[#Hardening_by_Default|Learn more]].

}}
{{LeftRightImageText |image=Optimized-defaults-promo.jpg |addToClass=promo-style |imageright=1 |imagelink=About#Hardening_by_Default |imageAlt=Optimized defaults promo image |text=

Optimized defaults

{{project_name_short}} enhances all kinds of security settings, including: kernel hardening, Strong Linux User Account Isolation, disabling legacy login methods, higher quality randomness (entropy), network hardening, root access restrictions, application-specific hardening and much more. [[#Hardening_by_Default|Learn more]].

}}
{{ThumbGallery|
[[File:Kicksecure-basic-logo.png|thumb|100px|[[Dev/Logo|{{project_name_short}} logo]]|alt=Kicksecure Logo]]
[[File:Debian.png|thumb|100px|alt=Debian logo|Debian logo]]
[[File:Linuxkerneltux.png|thumb|100px|alt=Linux logo|Linux logo]]
[[File:Osi_standard_logo_0.png|thumb|100px|alt=OSI logo|OSI logo]]
[[File:Heckert_gnu.big.png|thumb|100px|alt=GNU logo|GNU logo]]
[[File:Kicksecure-seal.png|thumb|100px|alt=Kicksecure seal|Kicksecure seal]]
}}

__TOC__

= Hardening by Default =

{{project_name_short}} is a hardened operating system designed to be resistant to viruses and various attacks. It is based on Debian and built according to an advanced multi-layer defense model, thereby providing in-depth security. {{project_name_short}} provides protection from many types of malware in its default configuration with no customization required.

'''Table:''' ''{{project_name_short}} Hardening Features''

{| class="wikitable"
|-
! scope="col"| '''Feature'''
! scope="col"| '''Description'''
|-
! scope="row"| Default Package Selection
| No unnecessary software such as exim, samba or cups is installed by default, whereas some flavors of Debian do install it: the Debian bookworm Xfce live ISO installed exim, samba and cups by default.
|-
! scope="row"| {{Anchor|torified_updates}} Secure and privacy-protected operating system (apt) upgrades [[File:Tor-logo.png|thumb|100px|alt=Tor logo]]
| [[File:Malware-updates-promo.jpg|thumb|alt=Malware updates promo]] This helps protect against targeted, malicious software upgrades. By default, when using APT (Advanced Package Tool) to upgrade the system or install new software, {{project_name_short}} uses torified operating system upgrades: all default APT package manager source files are set to update only over the Tor anonymity network. This makes sure that update servers cannot learn who the user is or their IP address, which mitigates targeted malicious software attacks.

This protection is not only much stronger than what iPhones or Android devices offer, but also better than what most Linux distributions provide.

* Worst: Most iPhone / Android devices connect to official app stores, and these app stores know the user's identity and IP address, creating a large risk for targeted attacks.
* Better: Some Linux distributions like Debian do not link the user's identity to update servers, but they still update over the clearnet (regular internet) using the user's real IP address by default.
* Best: {{Kicksecure}} ensures all system updates are done over the Tor network by default. This way, update servers cannot know the user's identity or IP address.
* https://github.com/Kicksecure/anon-apt-sources-list/blob/master/etc/apt/sources.list.d/debian.list

This only applies to system updates. It does not mean that all of your internet traffic is automatically torified (protected by Tor). See also: [[Privacy|Privacy Goals and Non-Goals of Kicksecure]]
|-
! scope="row"| Secure Package Sources Configuration
| HTTPS (TLS) is enabled by default in APT. Debian installed using the Debian bookworm Xfce live ISO (calamares) came with an /etc/apt/sources.list file using http:// (unencrypted) instead of the more secure https:// (TLS) by default.
|-
! scope="row"| TCP ISN CPU Information Leak Protection
| [https://github.com/{{project_name_short}}/tirdad tirdad (TCP Initial Sequence Numbers Randomization)] prevents TCP ISN-based CPU information leaks; see footnote.<ref>The Linux kernel has a side-channel information leak bug: sensitive information about the system's CPU activity is leaked in any outgoing traffic. This enables side-channel attacks and may prove very dangerous for long-running cryptographic operations. Research has demonstrated that it can be used for de-anonymization of location-hidden services.</ref>
|-
! scope="row"| security-misc
| [https://github.com/{{project_name_short}}/security-misc security-misc] enhances miscellaneous security settings related to:
* kernel hardening settings as recommended by the Kernel Self Protection Project (KSPP)
* protecting Linux user accounts against brute force attacks
* enforcing [[Dev/Strong Linux User Account Isolation|Strong Linux User Account Isolation]]
* disabling legacy login methods via [[Dev/Strong_Linux_User_Account_Isolation#Console_Lockdown|Console Lockdown]] for improved security hardening
* higher quality randomness (entropy) generation; better encryption is achieved via preinstalled random number generators, specifically:
** loading of the jitterentropy-rng kernel module by default
** installation of the user space entropy gathering daemons haveged and jitterentropy-rng by default
** see also: [[Dev/Entropy]]
* sysctl
* boot parameters
* various blacklisted kernel modules
* network hardening
* restrictive mount options
* root access restrictions
* access rights restrictions
* application-specific hardening
|-
! scope="row"| Secure network time synchronization using sdwdate
| Secure Distributed Web Date ([[sdwdate]]) mitigates threats from [[TimeSync#Attacks|time based attacks]] by not relying upon unauthenticated NTP.
|-
! scope="row"| Default security software installations
| Software like [[AppArmor]]:
* [https://github.com/{{project_name_short}}?q=apparmor-profile apparmor profiles by {{project_name_short}}], [https://packages.debian.org/{{stable project version based on Debian codename}}/apparmor-profiles apparmor-profiles by Debian] and [https://packages.debian.org/{{stable project version based on Debian codename}}/apparmor-profiles-extra apparmor-profiles-extra] for confinement of potentially compromised, high-risk applications.
|-
! scope="row"| [https://github.com/{{project_name_short}}/open-link-confirmation Open Link Confirmation]
| This is enabled by default and prevents links from being unintentionally opened in supported browsers.
|-
|}

= Development Vision =

== Introduction ==

While many valuable security guides exist, better security and privacy for the masses necessitates software that applies a majority of hardening instructions by default. This is the reason the Free and Open Source {{project_name_short}} project exists: to offer a system that provides a reasonable security-hardened baseline, with the in-built flexibility to apply additional hardening dependent upon the user's threat model, hardware capabilities, motivation and knowledge.

It is also accepted that no "perfect configuration" exists that can make a system invulnerable against advanced adversaries. Further, systems that are excessively hardened can become almost unusable except for the most advanced individuals. The table below provides a further rationale for this position.

'''Table:''' ''Security Guide Limitations''

{| class="wikitable"
|-
! scope="col"| '''Factor'''
! scope="col"| '''Description'''
|-
! scope="row"| Initial vulnerability
| When a base system is first installed, various security customizations are not yet applied. All users are vulnerable during this period.
|-
! scope="row"| Recipient insecurity
| Security principles do not exist in a vacuum:
* Even after applying various security hardening steps, correspondence/network partners might have serious, unaddressed vulnerabilities.
* Some security problems cannot be solved by individuals and may rely on factors in the broader ecosystem. For example:
** Advanced adversaries perform continual surveillance of all Internet traffic and attempt to attribute collected meta-data to individuals.
** Following a guide to enhance entropy is insufficient if the Tor relays being used are insecure.
** Often personal security can only be improved if the security of others is also improved.
|-
! scope="row"| Reliance on human memory
| Adequate hardening often depends on discovering and remembering to apply all necessary steps from favorite security guides.
|-
! scope="row"| Error risks
| Manually applying security guide steps can lead to mistakes that render the whole procedure ineffective.
|-
! scope="row"| Time requirements
| Security guide steps are often lengthy and cover many different facets of computing.
|-
! scope="row"| Security guide discovery
| There are countless security/hardening guides available on the Internet. It is impossible to follow them all, and serious research is required to find valuable new resources.
|-
! scope="row"| Incompleteness
| Logically there is not one definitive, all-encompassing security guide. This means some users harden the kernel and install CPU microcode updates, while others rely on sandboxing and implement better random number generators, and so on. Most users miss critical elements because they are simply not aware they exist.
|-
! scope="row"| Currency
| Even the best security guides often contain outdated material. This is especially true for technically detailed or lengthy guides that canvass many topics.
|-
! scope="row"| Publication form
| The form of security guides can affect their utility. For example, those published in blogs which do not allow comments have grave disadvantages compared to systems relying on collaborative version control software (like git) or collaborative websites (such as a wiki), where contributors can easily fix issues or update contents.
|-
! scope="row"| Popularity
| Security guides which have low popularity cannot effect change and improve security practices if most people are unaware they exist.
|}

For these reasons {{project_name_short}} will remain focused on enabling the majority of (reasonable) hardening settings by default, and on allowing additional settings to be easily enforced via installable packages. For further information on this topic, see: [https://forums.whonix.org/t/the-problem-with-security-guides-and-how-we-can-fix-it/8563 The Problem with Security Guides and How We Can Fix It].

{{Anchor|iPhone and Android Level Security for Linux Desktop Distributions}}
{{Anchor|goals}}

== Planned Features ==

The {{project_name_short}} development roadmap includes various security improvements:

* Many features are already available for testing, see the [[Test]] wiki page.
* Encrypted and/or authenticated system-wide DNS (domain name resolution): [https://forums.whonix.org/t/use-dnscrypt-by-default-in-kicksecure-not-whonix/8117 use DNSCrypt by default] to mitigate threats from DNS cache poisoning, aka [https://en.wikipedia.org/wiki/DNS_spoofing DNS spoofing]. DNS spoofing results in traffic being diverted to the attacker's computer (or any other computer). See also [[DNS Security]].
* Validating DNS.
* [https://github.com/roddhjav/apparmor.d apparmor.d]

== {{project_name_short}} Development Goals ==

{{project_name_short}} is a security-hardened Linux Distribution. (Mobile version not planned yet.) This section details potential future security enhancements for {{project_name_short}}. (The wiki source for the following text can be found [[Template:Kicksecure_Android|in Template:Kicksecure_Android]].)
{{kicksecure_Android}}

{{project_name_short}} will not implement these kinds of user freedom restrictions since they are neither required nor desirable. The capability to replace the operating system or gain administrator access will remain fully supported.

Many popular device operating systems utilize security technologies which restrict user freedoms. In contrast, {{project_name_short}} aims to utilize the same security concepts for the goal of empowering the user and increasing protection from malware. It is theoretically possible to provide some of the same iPhone / Android security concepts on a Linux computer too. Steps have already been made to apply mobile device security concepts to Linux distributions, such as [https://github.com/{{project_name_short}}/security-misc security-misc] and [https://github.com/roddhjav/apparmor.d apparmor.d]. Security technologies like hardened kernels or verified boot used by popular mobile operating systems could also be ported to Linux distributions. Community contributions are gladly welcomed!

Here is a list of potential security enhancements for {{project_name_short}}:

* [https://forums.whonix.org/t/multiple-boot-modes-for-better-security-persistent-root-persistent-noroot-live-root-live-noroot/7708 multiple boot modes for better security: persistent user | live user | persistent admin | persistent superadmin | persistent recovery mode]
* [https://forums.whonix.org/t/disable-suid-binaries/7706 Disable SUID Binaries]
* [https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 (re-)mount home (and other?) with noexec (and nosuid (among other useful mount options)) for better security]
* [https://forums.whonix.org/t/allow-loading-signed-kernel-modules-by-default-disallow-kernel-module-loading-by-default/7880 enforce kernel module software signature verification]
* [[Dev/VirusForget|deactivate malware after reboot from non-root compromise]]
* [https://forums.whonix.org/t/walled-garden-firewall-whitelisting-application-whitelisting-sudo-lockdown-superuser-mode-protected-mode/5725 walled garden, firewall whitelisting, application whitelisting, sudo lockdown, superuser mode, protected mode]
* [https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598 Hardened Kernel]
* [[Verified_Boot#Hash_Check_all_Files_at_Boot|Verified Boot]]
* [https://forums.whonix.org/t/signify-openbsd/7842/5 signify signed releases]
* Post-Quantum Cryptography ([[PQCrypto]]) [https://forums.whonix.org/t/use-codecrypt-to-sign-whonix-releases/7844/2 resistant signing of releases]
* [https://forums.whonix.org/t/untrusted-root-does-it-make-sense-to-try-to-improve-security-by-restricting-root/7998 Untrusted Root User]

= Design =

== Usability by Default ==

While developed with security-focused design goals, {{project_name_short}} remains highly flexible. The layered approach to security allows applications to retain usability. {{project_name_short}} can be used for everyday "general-purpose computing" or for more risky activities that require a highly advanced security-centric platform. Since {{project_name_short}} is [[Reasons for Freedom Software|Freedom Software]], users may install any application of their choosing; no restrictions are placed on how {{project_name_short}} can be used, customized or modified.

{{project_name_short}} aims to maximize usability by default so it can be utilized as an everyday, multipurpose operating system by users of all skill levels.

'''Table:''' ''{{project_name_short}} Usability Features''

{| class="wikitable"
|-
! scope="col"| '''Feature'''
! scope="col"| '''Description'''
|-
! scope="row"| Debian Usability Fixes
|
* Functional default APT sources configuration. Debian comes with a broken /etc/apt/sources.list file by default:
** Debian default /etc/apt/sources.list comes with a broken <code>deb cdrom:</code> line.
** Debian default /etc/apt/sources.list comes with http instead of https by default.
** Debian default /etc/apt/sources.list has only the debian-security repository enabled by default but not the debian repository. As a result, no packages are installable until the user figures out how to add that line to APT sources.
** When using Debian Installer (not Calamares), installing while not using a network mirror, Debian default /etc/apt/sources.list comes empty except for a broken <code>deb cdrom:</code> line.
* sudo pre-configured by default. On Debian, after a new installation the user must run <code>su</code> followed by <code>/usr/bin/adduser user sudo</code> and reboot (or re-login) to be able to use sudo.
* bash-completion installed by default, so for example typing <code>sudo apt install libreo</code> followed by the TAB key suggests the word completion libreoffice.
* zsh installed as default shell, which supports TAB word completion, colorful output, etc.
|-
! scope="row"| Simplicity and flexibility
|
* Package [https://github.com/{{project_name_short}}/vm-config-dist shared folder help] simplifies shared folder set up for virtual machines. It currently only assists with using shared folders in VirtualBox. Support for other virtualizers, such as KVM shared folder setup, might be possible in the future.
* Package [https://github.com/{{project_name_short}}/usability-misc usability-misc] is installed by default, increasing flexibility and providing numerous miscellaneous usability features, such as creating default folders, allowing commands to be run without a password, simplifying the running of OpenVPN as an unprivileged user, and much more.
|-
! scope="row"| Popular applications
| Popular applications come [[Software|pre-installed]] and configured with safe defaults to make them ready for use right out of the box.
|-
! scope="row"| Data protection
| Sensitive user data is protected by state-of-the-art cryptographic tools:
* Local user data can be protected by Linux Unified Key Setup ([https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home LUKS]), which uses strong encryption to safeguard personal information. See [[Full Disk Encryption]].
* Communications (email) can be both [https://en.wikipedia.org/wiki/End-to-end_encryption end-to-end encrypted] and [https://en.wikipedia.org/wiki/Digital_signature signed] with [[OpenPGP]].
|-
|}

== Based on Debian ==

{{Based_on_Debian}}

== Based on Freedom Software ==

Many people wonder why developers would spend countless hours of their own time to build an operating system and then give it away. {{project_name_short}} developers believe it is immoral to benefit from those [https://en.wikipedia.org/wiki/Free_software Free] / [[Reasons for Freedom Software|Freedom Software]] components and give back nothing to the community. We stand on the shoulders of giants. {{project_name_short}} and many other Libre software projects are only made possible because people invested time in writing code and kept it accessible for the public's benefit. Of course, a lot of us just find it great fun.

== User Population / Promotion ==

* Apply as many security settings by default as possible without breaking usability too much.
* {{project_name_short}} is already the base for [[Whonix]] - Anonymous Operating System.

https://www.wilderssecurity.com/threads/hardened-debian-in-development-feedback-wanted.408245/

= Releases =

== {{project_name_short}} Version ==

Each {{project_name_short}} release is based on a particular version of Debian:

{| class="wikitable"
|-
! {{project_name_short}} version !! ''Debian Version'' !! ''Debian Codename''
|-
| {{project_name_short}} {{VersionNew}} || ''{{Stable_project_version_based_on_Debian_version_short}}'' || [https://www.debian.org/releases/{{Stable project version based on Debian codename}}/ {{Stable project version based on Debian codename}}]
|}

Users can manually check the {{project_name_short}} version at any time by following [[FAQ#How_do_I_Check_the_Current_{{project_name_short}}_Version.3F|this step]].

{{Anchor|Release and Support Schedule}}

== Release Schedule ==

{{project_name_short}} does not have a fixed release schedule. A new stable release only becomes available when it is deemed ready.

== Support Schedule ==

'''Table:''' ''{{project_name_short}} Support Schedule''

{| class="wikitable"
|-
! scope="col"| '''Release'''
! scope="col"| '''Description'''
|-
! scope="row"| New Debian Release
| ''One month'' after a new stable version of Debian is released, {{project_name_short}} VMs may no longer be supported on any older version of Debian. All users must upgrade the Debian platform promptly after the deprecation notice in order to use {{project_name_short}} safely.
|-
! scope="row"| New {{project_name_short}} Release
| ''One month'' after a new stable version of {{project_name_short}} is released, older versions will no longer be supported. All users must upgrade the {{project_name_short}} platform promptly in order to remain safe.
|-
! scope="row"| Deprecation Notices
| The deprecation notice is provided at least one month in advance and posted in the [https://forums.{{project_clearnet}}/c/news {{project_clearnet}} news forum]. [[Stay Tuned]]! All users must upgrade the respective platform promptly in order to remain safe.
|-
|}

= Next Steps =

Learning more about {{project_name_short}} is the best way to determine whether it is a suitable solution in your personal circumstances. The following chapters are recommended:

* The [[Warning]] page to understand the security limitations of {{project_name_short}}.
* Further information about {{project_name_short}} [[Features]].
* The implied [[Trust]] placed in {{project_name_short}} when it is used.
* The Security Guide, Advanced Security Guide and [[Design]] chapters detailing the {{project_name_short}} specifications, threat model and implementation.
* Other relevant [[Documentation|Documentation]] explaining how to use {{project_name_short}} safely.

= Help Wanted =

* {{project_name_short}} will hopefully soon become available as a Template for [https://www.qubes-os.org/ Qubes OS].

= Footnotes =

{{reflist|close=1}}

{{Footer}}

[[Category:Documentation]]