Harden Whonix onion-grater profile

nyxnor 2023-09-06 00:08:12 +00:00
parent e019f5f52d
commit 549d8a0405
1 changed files with 72 additions and 56 deletions


@ -1,57 +1,73 @@
# TODO: This can likely be restricted even further, especially in regards to the ADD_ONION pattern
## Keep profiles in sync:
## - https://git.openprivacy.ca/cwtch.im/cwtch-ui/src/branch/trunk/linux/cwtch-whonix.yml
## - https://github.com/Whonix/onion-grater/blob/master/usr/share/doc/onion-grater-merger/examples/40_bitcoind.yml
---
- exe-paths:
- ''
users:
- '*'
hosts:
- '*'
commands:
AUTHCHALLENGE:
- 'SAFECOOKIE .*'
SETEVENTS:
- 'CIRC WARN ERR'
- 'CIRC ORCONN INFO NOTICE WARN ERR HS_DESC HS_DESC_CONTENT'
GETINFO:
- 'net/listeners/socks'
- '.*'
GETCONF:
- 'DisableNetwork'
SETCONF:
- 'DisableNetwork.*'
ADD_ONION:
- '.*'
DEL_ONION:
- '.+'
HSFETCH:
- '.+'
events:
CIRC:
suppress: true
ORCONN:
suppress: true
INFO:
suppress: true
NOTICE:
suppress: true
WARN:
suppress: true
ERR:
suppress: true
HS_DESC:
response:
- pattern: '650 HS_DESC CREATED (\S+) (\S+) (\S+) \S+ (.+)'
replacement: '650 HS_DESC CREATED {} {} {} redacted {}'
- pattern: '650 HS_DESC UPLOAD (\S+) (\S+) .*'
replacement: '650 HS_DESC UPLOAD {} {} redacted redacted'
- pattern: '650 HS_DESC UPLOADED (\S+) (\S+) .+'
replacement: '650 HS_DESC UPLOADED {} {} redacted'
- pattern: '650 HS_DESC REQUESTED (\S+) NO_AUTH'
replacement: '650 HS_DESC REQUESTED {} NO_AUTH'
- pattern: '650 HS_DESC REQUESTED (\S+) NO_AUTH \S+ \S+'
replacement: '650 HS_DESC REQUESTED {} NO_AUTH redacted redacted'
- pattern: '650 HS_DESC RECEIVED (\S+) NO_AUTH \S+ \S+'
replacement: '650 HS_DESC RECEIVED {} NO_AUTH redacted redacted'
- pattern: '.*'
replacement: ''
HS_DESC_CONTENT:
suppress: true
- '*'
users:
- '*'
hosts:
- '*'
commands:
SETEVENTS:
- 'CIRC WARN ERR'
- 'CIRC ORCONN INFO NOTICE WARN ERR HS_DESC HS_DESC_CONTENT'
GETINFO:
- pattern: 'network-liveness'
response:
- pattern: '250-network-liveness=.*'
replacement: '250-network-liveness=up'
- pattern: 'status/bootstrap-phase'
response:
- pattern: '250-status/bootstrap-phase=*'
replacement: '250-status/bootstrap-phase=NOTICE BOOTSTRAP PROGRESS=100 TAG=done SUMMARY="Done"'
GETCONF:
- pattern: 'DisableNetwork'
response:
- pattern: '250 DisableNetwork=.*'
replacement: '250 DisableNetwork=0'
ADD_ONION:
## {{{ Host: [::], Ports: 15000-15378
- pattern: 'ED25519-V3:(\S+) Flags=DiscardPK,Detach Port=9878,\[::\]:(15[0-2][0-9][0-9])'
replacement: 'ED25519-V3:{} Flags=DiscardPK,Detach Port=9878,{client-address}:{}'
- pattern: 'ED25519-V3:(\S+) Flags=DiscardPK,Detach Port=9878,\[::\]:(153[0-6][0-9])'
replacement: 'ED25519-V3:{} Flags=DiscardPK,Detach Port=9878,{client-address}:{}'
- pattern: 'ED25519-V3:(\S+) Flags=DiscardPK,Detach Port=9878,\[::\]:(1537[0-8])'
replacement: 'ED25519-V3:{} Flags=DiscardPK,Detach Port=9878,{client-address}:{}'
## }}}
DEL_ONION:
- '.+'
HSFETCH:
- '.+'
events:
CIRC:
suppress: true
ORCONN:
suppress: true
INFO:
suppress: true
NOTICE:
suppress: true
WARN:
suppress: true
ERR:
suppress: true
HS_DESC:
response:
- pattern: '650 HS_DESC CREATED (\S+) (\S+) (\S+) \S+ (.+)'
replacement: '650 HS_DESC CREATED {} {} {} redacted {}'
- pattern: '650 HS_DESC UPLOAD (\S+) (\S+) .*'
replacement: '650 HS_DESC UPLOAD {} {} redacted redacted'
- pattern: '650 HS_DESC UPLOADED (\S+) (\S+) .+'
replacement: '650 HS_DESC UPLOADED {} {} redacted'
- pattern: '650 HS_DESC REQUESTED (\S+) NO_AUTH'
replacement: '650 HS_DESC REQUESTED {} NO_AUTH'
- pattern: '650 HS_DESC REQUESTED (\S+) NO_AUTH \S+ \S+'
replacement: '650 HS_DESC REQUESTED {} NO_AUTH redacted redacted'
- pattern: '650 HS_DESC RECEIVED (\S+) NO_AUTH \S+ \S+'
replacement: '650 HS_DESC RECEIVED {} NO_AUTH redacted redacted'
- pattern: '.*'
replacement: ''
HS_DESC_CONTENT:
suppress: true
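Review bot: The response pattern `'250-status/bootstrap-phase=*'` in the new GETINFO `status/bootstrap-phase` rule looks like a typo: in a regex `=*` means zero or more `=` characters, so the pattern does not cover the value after `=` the way `'250-network-liveness=.*'` and `'250 DisableNetwork=.*'` do in the neighbouring rules. If onion-grater matches responses by prefix the rule still fires by accident; if it requires a full match it never fires and the real bootstrap phase is passed back to the client unredacted, which defeats the purpose of the rewrite. Change it to `- pattern: '250-status/bootstrap-phase=.*'`. The three ADD_ONION patterns cover exactly the 15000-15378 range stated in the comment, but whether a longer port string such as `150001` is rejected depends on onion-grater anchoring the pattern at the end of the argument, which is not visible here and is worth confirming.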