Harden Whonix onion-grater profile

nyxnor 2023-09-04 02:43:06 +00:00
parent 9736c73e57
commit b5cc3cf24c
1 changed files with 13 additions and 10 deletions


@ -21,28 +21,31 @@ Whonix uses [Onion Grater](https://www.whonix.org/wiki/Onion-grater) to guard ac
The onion-grater configuration `cwtch-whonix.yml` is reproduced below. As noted this configuration is can likely be restricted much further. The onion-grater configuration `cwtch-whonix.yml` is reproduced below. As noted this configuration is can likely be restricted much further.
```yaml ```yaml
# TODO: This can likely be restricted even further, especially in regards to the ADD_ONION pattern
--- ---
- exe-paths: - exe-paths:
- '' - '*'
users: users:
- '*' - '*'
hosts: hosts:
- '*' - '*'
commands: commands:
AUTHCHALLENGE:
- 'SAFECOOKIE .*'
SETEVENTS: SETEVENTS:
- 'CIRC WARN ERR' - 'CIRC WARN ERR'
- 'CIRC ORCONN INFO NOTICE WARN ERR HS_DESC HS_DESC_CONTENT' - 'CIRC ORCONN INFO NOTICE WARN ERR HS_DESC HS_DESC_CONTENT'
GETINFO: GETINFO:
- 'net/listeners/socks' - pattern: 'network-liveness'
- '.*' response:
- pattern: '250-network-liveness=.*'
replacement: '250-network-liveness=up'
- pattern: 'status/bootstrap-phase'
response:
- pattern: '250-status/bootstrap-phase=*'
replacement: '250-status/bootstrap-phase=NOTICE BOOTSTRAP PROGRESS=100 TAG=done SUMMARY="Done"'
GETCONF: GETCONF:
- 'DisableNetwork' - pattern: 'DisableNetwork'
SETCONF: response:
- 'DisableNetwork.*' - pattern: '250 DisableNetwork=.*'
replacement: '250 DisableNetwork=0'
ADD_ONION: ADD_ONION:
## {{{ Host: [::], Ports: 15000-15378 ## {{{ Host: [::], Ports: 15000-15378
- pattern: 'ED25519-V3:(\S+) Flags=DiscardPK,Detach Port=9878,\[::\]:(15[0-2][0-9][0-9])' - pattern: 'ED25519-V3:(\S+) Flags=DiscardPK,Detach Port=9878,\[::\]:(15[0-2][0-9][0-9])'