From 549d8a0405aa81823e9e54bbd8f345fcbd98d89b Mon Sep 17 00:00:00 2001
From: nyxnor
Date: Wed, 6 Sep 2023 00:08:12 +0000
Subject: [PATCH 1/2] Harden Whonix onion-grater profile

---
 linux/cwtch-whonix.yml | 128 +++++++++++++++++++++++------------
 1 file changed, 72 insertions(+), 56 deletions(-)

diff --git a/linux/cwtch-whonix.yml b/linux/cwtch-whonix.yml
index 9bf7788d..e379a24e 100644
--- a/linux/cwtch-whonix.yml
+++ b/linux/cwtch-whonix.yml
@@ -1,57 +1,73 @@ -# TODO: This can likely be restricted even further, especially in regards to the ADD_ONION pattern +## Keep profiles in sync: +## - https://git.openprivacy.ca/cwtch.im/cwtch-ui/src/branch/trunk/linux/cwtch-whonix.yml +## - https://github.com/Whonix/onion-grater/blob/master/usr/share/doc/onion-grater-merger/examples/40_bitcoind.yml + +--- - exe-paths: - - '' -users: - - '*' -hosts: - - '*' -commands: - AUTHCHALLENGE: - - 'SAFECOOKIE .*' - SETEVENTS: - - 'CIRC WARN ERR' - - 'CIRC ORCONN INFO NOTICE WARN ERR HS_DESC HS_DESC_CONTENT' - GETINFO: - - 'net/listeners/socks' - - '.*' - GETCONF: - - 'DisableNetwork' - SETCONF: - - 'DisableNetwork.*' - ADD_ONION: - - '.*' - DEL_ONION: - - '.+' - HSFETCH: - - '.+' -events: - CIRC: - suppress: true - ORCONN: - suppress: true - INFO: - suppress: true - NOTICE: - suppress: true - WARN: - suppress: true - ERR: - suppress: true - HS_DESC: - response: - - pattern: '650 HS_DESC CREATED (\S+) (\S+) (\S+) \S+ (.+)' - replacement: '650 HS_DESC CREATED {} {} {} redacted {}' - - pattern: '650 HS_DESC UPLOAD (\S+) (\S+) .*' - replacement: '650 HS_DESC UPLOAD {} {} redacted redacted' - - pattern: '650 HS_DESC UPLOADED (\S+) (\S+) .+' - replacement: '650 HS_DESC UPLOADED {} {} redacted' - - pattern: '650 HS_DESC REQUESTED (\S+) NO_AUTH' - replacement: '650 HS_DESC REQUESTED {} NO_AUTH' - - pattern: '650 HS_DESC REQUESTED (\S+) NO_AUTH \S+ \S+' - replacement: '650 HS_DESC REQUESTED {} NO_AUTH redacted redacted' - - pattern: '650 HS_DESC RECEIVED (\S+) NO_AUTH \S+ \S+' - replacement: '650 HS_DESC RECEIVED {} NO_AUTH redacted redacted' - - pattern: '.*' - replacement: '' - HS_DESC_CONTENT: - suppress: true \ No newline at end of file + - '*' + users: + - '*' + hosts: + - '*' + commands: + SETEVENTS: + - 'CIRC WARN ERR' + - 'CIRC ORCONN INFO NOTICE WARN ERR HS_DESC HS_DESC_CONTENT' + GETINFO: + - pattern: 'network-liveness' + response: + - pattern: '250-network-liveness=.*' + replacement: '250-network-liveness=up' + - pattern: 
'status/bootstrap-phase' + response: + - pattern: '250-status/bootstrap-phase=*' + replacement: '250-status/bootstrap-phase=NOTICE BOOTSTRAP PROGRESS=100 TAG=done SUMMARY="Done"' + GETCONF: + - pattern: 'DisableNetwork' + response: + - pattern: '250 DisableNetwork=.*' + replacement: '250 DisableNetwork=0' + ADD_ONION: + ## {{{ Host: [::], Ports: 15000-15378 + - pattern: 'ED25519-V3:(\S+) Flags=DiscardPK,Detach Port=9878,\[::\]:(15[0-2][0-9][0-9])' + replacement: 'ED25519-V3:{} Flags=DiscardPK,Detach Port=9878,{client-address}:{}' + - pattern: 'ED25519-V3:(\S+) Flags=DiscardPK,Detach Port=9878,\[::\]:(153[0-6][0-9])' + replacement: 'ED25519-V3:{} Flags=DiscardPK,Detach Port=9878,{client-address}:{}' + - pattern: 'ED25519-V3:(\S+) Flags=DiscardPK,Detach Port=9878,\[::\]:(1537[0-8])' + replacement: 'ED25519-V3:{} Flags=DiscardPK,Detach Port=9878,{client-address}:{}' + ## }}} + DEL_ONION: + - '.+' + HSFETCH: + - '.+' + events: + CIRC: + suppress: true + ORCONN: + suppress: true + INFO: + suppress: true + NOTICE: + suppress: true + WARN: + suppress: true + ERR: + suppress: true + HS_DESC: + response: + - pattern: '650 HS_DESC CREATED (\S+) (\S+) (\S+) \S+ (.+)' + replacement: '650 HS_DESC CREATED {} {} {} redacted {}' + - pattern: '650 HS_DESC UPLOAD (\S+) (\S+) .*' + replacement: '650 HS_DESC UPLOAD {} {} redacted redacted' + - pattern: '650 HS_DESC UPLOADED (\S+) (\S+) .+' + replacement: '650 HS_DESC UPLOADED {} {} redacted' + - pattern: '650 HS_DESC REQUESTED (\S+) NO_AUTH' + replacement: '650 HS_DESC REQUESTED {} NO_AUTH' + - pattern: '650 HS_DESC REQUESTED (\S+) NO_AUTH \S+ \S+' + replacement: '650 HS_DESC REQUESTED {} NO_AUTH redacted redacted' + - pattern: '650 HS_DESC RECEIVED (\S+) NO_AUTH \S+ \S+' + replacement: '650 HS_DESC RECEIVED {} NO_AUTH redacted redacted' + - pattern: '.*' + replacement: '' + HS_DESC_CONTENT: + suppress: true From 88e405fdfed9ace15f91a32af19f8c6ad0ec1617 Mon Sep 17 00:00:00 2001 
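Review bot: The new GETINFO response rule `- pattern: '250-status/bootstrap-phase=*'` looks like a typo for `=.*`: as written, `*` quantifies the `=`, so the pattern matches only "250-status/bootstrap-phase" followed by zero or more equals signs, and whether the real bootstrap line is still rewritten to the canned `PROGRESS=100 TAG=done` answer depends on how onion-grater anchors response patterns; if it anchors them, the gateway's actual bootstrap status passes through to the workstation unredacted. The sibling `network-liveness` rule right above uses `250-network-liveness=.*`, so this one should read `- pattern: '250-status/bootstrap-phase=.*'`. Separately, `DEL_ONION: '.+'` still lets a workstation delete any detached onion service on the gateway's tor, not only the ones it registered through the port-restricted ADD_ONION rules above, unless onion-grater itself scopes DEL_ONION to the client's own services, which is worth confirming before the old TODO about tightening this profile is dropped.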
From: nyxnor
Date: Wed, 6 Sep 2023 00:08:31 +0000
Subject: [PATCH 2/2] Add Whonix installation script

---
 linux/cwtch-whonix.yml | 2 +-
 linux/install-whonix.sh | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100755 linux/install-whonix.sh

diff --git a/linux/cwtch-whonix.yml b/linux/cwtch-whonix.yml
index e379a24e..3ae13683 100644
--- a/linux/cwtch-whonix.yml
+++ b/linux/cwtch-whonix.yml
@@ -1,6 +1,6 @@
 ## Keep profiles in sync:
 ## - https://git.openprivacy.ca/cwtch.im/cwtch-ui/src/branch/trunk/linux/cwtch-whonix.yml
-## - https://github.com/Whonix/onion-grater/blob/master/usr/share/doc/onion-grater-merger/examples/40_bitcoind.yml
+## - https://github.com/Whonix/onion-grater/blob/master/usr/share/doc/onion-grater-merger/examples/40_cwtch.yml
 
 ---
 - exe-paths:
diff --git a/linux/install-whonix.sh b/linux/install-whonix.sh
new file mode 100755
index 00000000..9ffbda9f
--- /dev/null
+++ b/linux/install-whonix.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+set -eu
+
+INSTALL_PREFIX=$HOME/.local
+INSTALL_PREFIX=$INSTALL_PREFIX DESKTOP_PREFIX=$INSTALL_PREFIX ./install.sh
+
+# Open incoming ports
+echo "Opening Cwtch firewall for incoming traffic on ports 15000 to 15378"
+sudo mkdir -p /usr/local/etc/whonix_firewall.d
+echo "EXTERNAL_OPEN_PORTS+=\" \$(seq 15000 15378) \"" | \
+ sudo tee /usr/local/etc/whonix_firewall.d/40_cwtch.conf >/dev/null
+sudo whonix_firewall
+
+# Set launch options
+sed -i "s|env LD|env CWTCH_TAILS=true CWTCH_RESTRICT_PORTS=true CWTCH_BIND_EXTERNAL_WHONIX=true LD|" $INSTALL_PREFIX/bin/cwtch
+
+# Inform about steps to be done in the gateway
+echo "Complete installation in the Whonix-Gateway with the following command:"
+echo " $ sudo onion-grater-add 40_cwtch"
+
+echo "Launch Cwtch in the Whonix-Workstation with:"
+echo " $ $INSTALL_PREFIX/bin/cwtch"
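Review bot: The `sed -i` that injects `CWTCH_RESTRICT_PORTS=true CWTCH_BIND_EXTERNAL_WHONIX=true` into the launcher is never verified: sed exits 0 when `env LD` does not occur in the file, so under `set -eu` a launcher whose format has changed is left without the port restriction that the 15000–15378 firewall rule and the onion-grater ADD_ONION profile presumably rely on, and the failure only surfaces later as rejected ADD_ONION calls on the gateway. Add a check after the sed, e.g. `grep -q 'CWTCH_BIND_EXTERNAL_WHONIX=true' "$INSTALL_PREFIX/bin/cwtch" || { echo "failed to patch $INSTALL_PREFIX/bin/cwtch" >&2; exit 1; }`, and quote `"$INSTALL_PREFIX/bin/cwtch"` in the sed line itself since `$HOME` may contain spaces. It is also worth a comment above the `EXTERNAL_OPEN_PORTS` line stating that this opens all 379 ports on the Workstation's external interface permanently, not only while Cwtch is running, so the reader knows the trade-off being made.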