Download Kicksecure for VirtualBox:
This is a point release.
Upgrade
Alternatively, an in-place release upgrade is possible using the Kicksecure repository.
This release would not have been possible without the numerous supporters of Kicksecure!
Please Donate!
Please Contribute!
Major Changes
- improved and enabled SUID Disabler and Permission Hardener by default
- improved security of temporary files by libpam-tmpdir integration
- fixed: apparmor-profile-torbrowser allows access to user home folder (AppArmor, Whonix Forum)
- Wayland
  - Wayland compatibility of project’s tools (but not ported to Wayland yet)
  - towards port to Wayland
- disable sysrq by default
- port from pulseaudio to pipewire
- refactoring environment variables loading mechanism
- updated sdwdate onion time sources (Thanks to TNT BOM BOM!)
- research towards secure mount options by default (Thanks to monsieuremre!)
- harden-module-loading.service (experimental, only usable by servers) (Thanks to monsieuremre!)
- systemcheck: add check to see if qubes-updates-proxy.service is running in sys-whonix
- permission hardening:
  - set default umask to 027 (using pam-umask), which means owner + group are allowed reading and writing by default (but not others)
- disable sysrq (Thanks to monsieuremre!)
- Thunderbird hardening (Thanks to monsieuremre!)
- re-enable Bluetooth by default, Bluetooth hardening, time out Bluetooth discoverability 30 seconds after boot (Thanks to monsieuremre!)
- enable Network Manager’s MAC address anonymization (Thanks to monsieuremre!)
- enable Network Manager’s IPv6 privacy extensions (Thanks to monsieuremre!)
- Kernel hardening fix by monsieuremre (Pull Request #135, Kicksecure/security-misc, GitHub): fs.protected_fifos=2 (Thanks to monsieuremre!)
- grml-debootstrap (build tool used by derivative-maker) contributions
  - strict error handling
  - ARM64 support (can greatly simplify ports to ARM64)
  - VM EFI support
- remove apparmor-profile-everything (development stalled), towards its replacement apparmor.d
  - Full set of AppArmor profiles (~ 1500 profiles) (Full system policy, Issue #252, roddhjav/apparmor.d, GitHub) (Thanks to monsieuremre and roddhjav!)
- enabled CodeQL for all project repositories with non-trivial C code
- license change to AGPLv3+
- correct signal handling in Python-based applications (allow termination through Ctrl + C (signal sigterm))
- add amd_iommu=force_enable (Thanks to monsieuremre!)
- add banner with legal keywords recommended by lynis to /etc/issue.d folder (Thanks to monsieuremre!)
- port to /etc/apparmor.d/abstractions/base.d
- CI improvements