Kicksecure - for VirtualBox - Point Release!

Kicksecure for VirtualBox

Download Kicksecure for VirtualBox:

This is a point release.

Major Changes

Numerous software packages updated, improved security, usability and bug fixes.

  • Install apparmor-profiles-kicksecure by default. This results in installing the following packages by default:
    • apparmor-profiles
    • apparmor-profiles-extra
    • apparmor-profile-thunderbird
    • apparmor-profile-torbrowser
    • apparmor-profile-hexchat
    • provide package dummy-dependency-apparmor-profiles-kicksecure as an easy opt-out.
  • Work towards Change default shell from bash to zsh by default? - Development - Whonix Forum
    • zsh is now installed by default.
    • Try running zsh for testing, to see how beauty it looks and nice its functionality is. Has command completion, command line parameter suggestion and completion, colorful visuals for better usability, hotkeys and much more. See also this video as a demonstration and to learn what’s possible. Thanks to @nyxnor!
    • zsh is not yet the default shell but probably will be in the next release.
  • Protect source code of this project and outreach: Detecting Malicious Unicode in Source Code and Pull Requests - Development - Whonix Forum
    • grep-find-unicode-wrapper - new helper-script to detect invisible potentially malicious unicode
  • Fix, keep grub live boot menu related entries grouped together, instead of having one entry per installed kernel implemented. Thanks to @TNT_BOM_BOM.
  • support hushlogin - less output in terminal emulator - Development - Whonix Forum
  • grub-live: fix dracut support
  • work towards dracut support which is a prerequisite to implement Cold Boot Attack Defense
  • developed RAM Wipe at Shutdown Design, pending implementation.
  • fix hostname showing localhost.localdomain instead of localhost
  • update Monero GUI to
  • sdwdate: remove onion time sources that were down and added replacements (Suggest Trustworthy Tor Hidden Services as Time Sources for sdwdate - #223 by TNT_BOM_BOM - Development - Whonix Forum)
  • sdwdate-log-viewer: improvements; include output by timesanitycheck
  • security-misc improvements - Thanks to Raja Grewal!
    • machine check exception (Kernel Hardening - #494 by Patrick - Development - Whonix Forum)
    • force kernel to panic on “oopses”
    • update details around disabling SMT
    • update SRBDS mitigation
    • CPU mitigation - MMIO Stale Data
    • CPU mitigation - L1D FLushing
    • CPU mitigation - SRBDS
    • enforce default net.ipv6.icmp_ignore_bogus_error_responses
    • improved kernel module disabling usability
    • enable randomize_kstack_offset
    • disable slub_debug
    • enforce defualt net.ipv4.ip_forward
    • enforce default net.ipv4.icmp_ignore_bogus_error_responses
    • enforce default kernel.randomize_va_space
    • More verbose kernel module blocking error logs
    • Incorporated Ubuntu’s kernel module blacklists
    • Blacklist more kernel modules
    • hide-hardware-info selinux compatibility (Thanks to Krish-sysadmin!)
  • derivative-maker:
    • more robust use mount/umount
    • run as non-root by default and only sudo to root when required (as opposed to previously running as root and sudo to user when required)


Alternatively, in-place release upgrade is possible upgrade using Kicksecure repository.

This release would not have been possible without the numerous supporters of Kicksecure!

Please Donate!

Please Contribute!


Full difference of all changes

Comparing · Kicksecure/derivative-maker · GitHub