{{Header}}
{{Title|title=
systemcheck Hardening
}}
{{#seo:
|description=systemcheck attack surface reduction.
|image=whonixcheckhard.jpg
}}
[[File:whonixcheckhard.jpg|240px|thumb]]
{{intro|
systemcheck attack surface reduction.
}}
= Rationale =

Although <code>systemcheck</code> already has AppArmor and systemd hardening, some marginal security benefits are gained by reducing: the number of network connections, the amount of code running, and [[Advanced_Host_Security#Attack_Surface_Reduction|unnecessary functionality]]. This is not the default configuration, since that would come at the cost of decreased usability for the entire {{project_name_long}} population.

= Hardening Steps =

== Prevent Autostart ==

To prevent <code>systemcheck</code> from automatically starting, run.

{{CodeSelect|code=
sudo systemctl mask systemcheck
}}

{{Anchor|Prevent Downloading {{project_name_short}} News}}

{{Anchor|Prevent_Downloading_Whonix_News_and_Whonix_User_Census_Counting}}

{{Anchor|Prevent {{project_name_short}} User Census Counting}}
== Prevent {{project_name_short}} Warrant Canary Check and User Census Counting ==

Refer to the following [[systemcheck]] chapters:

* [[systemcheck#Warrant_Canary_Check|Warrant Canary Check]]; and
* [[systemcheck#Disable_Warrant_Canary_Check|Disable Warrant Canary Check]].

== Prevent Polluting TransPort ==
{{whonix_only}}

{{mbox
| type    = notice
| image   = [[File:Ambox_notice.png|40px|alt=Info]]
| text    = <br />
* This is only useful when running <code>systemcheck --leak-tests</code>. However, running this command with the Tor <code>TransPort</code> test disabled makes little sense; in that case it would be useful as a Tor <code>SocksPort</code> connectivity test.
}}

Deactivate the <code>TransPort</code> Test for better {{whonix_wiki
|wikipage=Stream_Isolation
|text=Stream Isolation
}}.

{{Open with root rights|filename=
/etc/systemcheck.d/50_user.conf
}}

Add the following content.

{{CodeSelect|code=
SYSTEMCHECK_DISABLE_TRANS_PORT_TEST="1"
}}

Save.

== Prevent Running APT ==

{{mbox
| type    = notice
| image   = [[File:Ambox_notice.png|40px|alt=Info]]
| text    = Complete these steps on ''both'' {{project_name_gateway_long}} and {{project_name_workstation_long}}.
}}

This prevents the running of APT by systemcheck.

{{Open with root rights|filename=
/etc/systemcheck.d/50_user.conf
}}

Add the following content.

{{CodeSelect|code=
systemcheck_skip_functions+=" check_operating_system "
}}

== Prevent torproject.org Connections ==

Connections to The Tor Project are prevented by default, therefore no action is required.

<code>systemcheck</code> only connects to <code>torproject.org</code> if the command <code>systemcheck --leak-tests</code> is manually run.

= Footnotes =
{{reflist|close=1}}

{{Footer}}

[[Category:Documentation]]