Download
Upgrade
Alternatively, an in-place release upgrade is possible using the Kicksecure repository.
This release would not have been possible without the numerous supporters of Kicksecure!
Please Donate!
Please Contribute!
Major Changes
- Updated packages
- BTRFS is now available as an option in the Kicksecure Calamares ISO installer
- Ported to Debian live-build to improve the boot compatibility of Kicksecure ISO
- Added GRUB bootloader themes
- Swap-file-creator improvements
- Progress towards ARM64 support
- Improved theoretical (untested) multi-architecture support for builds from source code
- Miscellaneous hardening, improvements, maintenance, and fixes
Changelog
- grub-live:
- Avoid unnecessary kernel parameters: set dracut-specific kernel parameters only when dracut is detected
- Avoid unnecessary kernel parameters: set initramfs-tools-specific kernel parameters only when initramfs-tools is detected
- helper-scripts:
- calculate-swap-size: cap swap size at 10% of disk size (Thanks to @ArrayBolt3!)
- Rewrite str_replace and str_match in Python (Thanks to @ArrayBolt3!)
- Terminate apt-get-update securely in apt-get-update-kill-helper (Thanks to @ArrayBolt3!)
- Add archive.today CLI frontend (Thanks to @ArrayBolt3!)
- Add dummy-dependency script for dummy package generation (Thanks to @ArrayBolt3!)
- kicksecure-base-files:
- Create GRUB themes for BIOS and UEFI systems (Thanks to @ArrayBolt3!)
- kicksecure-meta-packages:
- Adjust location of packages in metapackages for consistency (Thanks to @ArrayBolt3!)
- Add Vim for developer convenience (Thanks to @ArrayBolt3!)
- Add btrfs-progs to kicksecure-recommended-cli (Thanks to @ArrayBolt3!)
- Add gnome-keyring to kicksecure-desktop-environment-essential-xfce to fix error message:
- libvirt-dist:
- Fixed plist.template compatibility with CLI version (Thanks to Ian C!)
- live-config-dist:
- Offer BTRFS as a usable filesystem (Thanks to @ArrayBolt3!)
- Shrink welcome image and don’t scale it up (Thanks to @ArrayBolt3!)
- fixconkeys_part1: Only take into account the first loaded keyboard layout (Thanks to @ArrayBolt3!)
- msgcollector:
- Permission hardening
- rads:
- Fix typo in configuration and variable name: rads_no_swtich_vt → rads_no_switch_vt
- Fix: set rads_minimum_ram to 500
- sdwdate:
- Remove unneeded group nopasswd exception from sudoers config (Thanks to @ArrayBolt3!)
- Tidy up and harden url_to_unixtime, adjust remote_times.py for API change (Thanks to @ArrayBolt3!)
- Remove non-working onion mirrors (Thanks to @nurmagoz!)
- security-misc:
- Disable legacy matroxfb_base framebuffer driver, fix typo matroxfb_bases → matroxfb_base (Thanks to @ArrayBolt3 for the bug report!)
- Fix optional opt-in harden-module-loading.service by making /usr/libexec/security-misc/disable-kernel-module-loading executable (Thanks to @ArrayBolt3 for the bug report!)
- Fix permission-hardener issue: “Removing capabilities failed. File: ‘/bin/ping’”; no longer use end-of-options marker (--) for setcap since setcap does not support it. Fixes:
- Enable ssbd=force-on (Thanks to @raja!)
- hide-hardware-info: also parse /usr/local/etc/hide-hardware-info.d/*.conf
- Avoid faillock lock/tally reset on reboot or timeout (Thanks to @ArrayBolt3!)
- Clarify KSPP compliance header for the undocumented case (Thanks to @raja!)
- No longer set kernel.unprivileged_userns_clone=0 because it breaks too much. Fixes:
- Expand documentation on kernel.unprivileged_userns_clone=0 sysctl:
- Add KSPP=no definition (Thanks to @raja!)
- setup-dist:
- Renamed: usr/sbin/setup-dist → usr/bin/setup-dist because no longer running as root
- swap-file-creator:
- Pass disk size to calculate-swap-size (Thanks to @ArrayBolt3!)
- No longer consider hibernation by default to have a smaller default swap file because hibernation is not yet compatible with Secure Boot
- systemcheck:
- Permission hardening (Thanks to @ArrayBolt3!)
- tb-starter:
- Harden remount-exec (Thanks to @ArrayBolt3!)
- tb-updater:
- Harden JSON parsing (Thanks to @ArrayBolt3!)
- Tor Browser ARM64 download: source code now supports OCSP, therefore added --cert-status option to curl
- Add dependency on libdbus-glib-1-2 to fix error:
  - XPCOMGlueLoad error for file /home/user/.tb/tor-browser/Browser/libxul.so:
  - libdbus-glib-1.so.2: cannot open shared object file: No such file or directory
  - Couldn’t load XPCOM.
  - Tor Browser Integration - #116 by Patrick - Development - Whonix Forum
- tirdad:
- Return random 32-bit numbers in ISN generation routines (Thanks to @ArrayBolt3!)
- Hardening, refactoring. Use kernel live patching API (Thanks to @ArrayBolt3!)
- Update for newer kernels (Thanks to Sirus Shahini!)
- usability-misc:
- Add /usr/bin/passwordless-root, a tool for root to easily set up passwordless sudo for user user
- derivative-maker:
- Implemented --dry-run
- Fixed --fast 2
- Improved support for non-amd64 architectures (Thanks to @ArrayBolt3!)
- Add support for arm64 builds and cross-builds of Kicksecure’s ISO (Thanks to @ArrayBolt3!)
- Delete no longer needed raw image to save disk space during the build process
- Add dist_build_version and target_architecture_pretty_name to image names for:
  - ova
  - iso
  - raw xz
  - qcow xz
  - source xz
- Create /etc/hosts and /etc/hostname for live-build ISO builds (Thanks to @ArrayBolt3!)
- Use grml-debootstrap upstream version v0.110
- Use security.debian.org during bootstrapping of the live-build chroot (Thanks to @ArrayBolt3!)
- Autodetect kernel architecture for ISOs based on build system architecture (Thanks to @ArrayBolt3!)
- Avoid ISO build crash caused by /home being mounted with nodev (Thanks to @ArrayBolt3!)
- No longer depend on apt-transport-https because it is a dummy transitional package nowadays
- Fix boot failure due to misnamed ISO volume (Thanks to @ArrayBolt3!)
- Adjust for repository-dist systemd config (Thanks to @ArrayBolt3!)
- CI: Rework build-from-tag and build-from-commit scripts (Thanks to Rob!)
- Build the Kicksecure ISO with live-build (Thanks to @ArrayBolt3!)
- developer-meta-files:
- Save disk space. Delete raw and ova images in ${dist_binary_build_folder} after xz archive has been created.
- Save disk space. Delete temporary VirtualBox VMs in the temporary VM user build folder during the build process.
- Make compatible with hardened JSON parsing code in tb-updater, harden Tor Browser ARM64 JSON parsing (Thanks to @ArrayBolt3!)
- Add wiki-vbox-version-update script (Thanks to @ArrayBolt3!)