From b5cc3cf24c6c2e834c61d04c7988281c38977632 Mon Sep 17 00:00:00 2001
From: nyxnor
Date: Mon, 4 Sep 2023 02:43:06 +0000
Subject: [PATCH] Harden Whonix onion-grater profile

---
 docs/platforms/whonix.md | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/docs/platforms/whonix.md b/docs/platforms/whonix.md
index 89f17dfe..cecdef88 100644
--- a/docs/platforms/whonix.md
+++ b/docs/platforms/whonix.md
@@ -21,28 +21,31 @@ Whonix uses [Onion Grater](https://www.whonix.org/wiki/Onion-grater) to guard ac
 The onion-grater configuration `cwtch-whonix.yml` is reproduced below. As noted this configuration is can likely be restricted much further.
 
 ```yaml
-# TODO: This can likely be restricted even further, especially in regards to the ADD_ONION pattern
-
 ---
 - exe-paths:
-    - ''
+    - '*'
   users:
     - '*'
   hosts:
     - '*'
   commands:
-    AUTHCHALLENGE:
-      - 'SAFECOOKIE .*'
     SETEVENTS:
       - 'CIRC WARN ERR'
       - 'CIRC ORCONN INFO NOTICE WARN ERR HS_DESC HS_DESC_CONTENT'
     GETINFO:
-      - 'net/listeners/socks'
-      - '.*'
+      - pattern: 'network-liveness'
+        response:
+          - pattern: '250-network-liveness=.*'
+            replacement: '250-network-liveness=up'
+      - pattern: 'status/bootstrap-phase'
+        response:
+          - pattern: '250-status/bootstrap-phase=*'
+            replacement: '250-status/bootstrap-phase=NOTICE BOOTSTRAP PROGRESS=100 TAG=done SUMMARY="Done"'
     GETCONF:
-      - 'DisableNetwork'
-    SETCONF:
-      - 'DisableNetwork.*'
+      - pattern: 'DisableNetwork'
+        response:
+          - pattern: '250 DisableNetwork=.*'
+            replacement: '250 DisableNetwork=0'
     ADD_ONION:
       ## {{{ Host: [::], Ports: 15000-15378
       - pattern: 'ED25519-V3:(\S+) Flags=DiscardPK,Detach Port=9878,\[::\]:(15[0-2][0-9][0-9])'
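Review bot: The added `status/bootstrap-phase` response rule uses `pattern: '250-status/bootstrap-phase=*'`, which as a regular expression means "followed by zero or more `=` characters", not "followed by anything" as the sibling `network-liveness` and `DisableNetwork` rules express with `=.*`; if onion-grater matches response patterns against the full line, the real `250-status/bootstrap-phase=NOTICE …` reply will not be rewritten and the client sees the unfiltered bootstrap status. The line should read `- pattern: '250-status/bootstrap-phase=.*'` to match the other two rules. Separately, `exe-paths` goes from `''` to `'*'` in a commit titled "Harden", which widens which client binaries may reach the filtered control port; the doc should state why that is acceptable here (e.g. a comment such as `# any executable may connect; users/hosts are likewise unrestricted, so the command rules below are the only guard`). The fenced YAML and the ADD_ONION rule continue past the end of this hunk.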