{{Header}}
{{Title|title=
Post-installation Security Advice
}}
{{#seo:
|description=This page provides security advice: steps, such as changing passwords, that can be applied after installation of {{project_name_long}} for better security.
|image=Ball-63527-640.jpg
}}
[[File:Ball-63527-640.jpg|thumb]]
{{intro|
This page provides security advice, steps (such as changing passwords) that can be applied after installation of {{project_name_short}} for better security.
}}
= Introduction =
{{security_intro}}

This page provides security advice, including steps that can be applied after installation of {{project_name_short}} for better security.

= On {{project_name_gateway_long}} =
== Increase Virtual Machine RAM ==
If using a {{Project_name_long}} VM...

{{mbox
| image   = [[File:Ambox_notice.png|40px|alt={{project_name_short}} default password info box]]
| text    = [[Qubes|{{q_project_name_long}}]] users can skip this section. Qubes has dynamic RAM assignment.
}}

If enough host RAM is available, the virtual RAM setting of {{project_name_short}} should ideally be increased to 2048 MB. This provides higher performance during upgrades and lowers the likelihood of [https://forums.whonix.org/t/swap-swap-file-whonix-gateway-freezing-during-apt-get-dist-upgrade-encrypted-swap-file-creator/8317 issues]. If it is infeasible to increase the virtual RAM setting, {{project_name_gateway_short}} will still function properly. Although non-ideal, [https://github.com/{{project_name_short}}/swap-file-creator swap-file-creator] will create an encrypted swap file and the [https://forums.whonix.org/t/vm-swappiness-1-set-swapiness-to-lowest-setting-still-useful-swappiness-lowest/9278 system is configured to swap as little as possible].

If it is unknown how much RAM is available, follow these steps on the host: https://www.tenforums.com/tutorials/66809-determine-system-memory-size-speed-type-windows-10-a.html https://vitux.com/how-to-check-installed-ram-on-debian/ https://support.apple.com/en-us/HT201191

* Windows 10: Task Manager in More details view → Click/tap on the Performance tab → Click/tap on Memory; or Open a command prompt → Run <code>wmic MemoryChip get /format:list</code>
* macOS: Apple menu → About This Mac
* Linux: Open a terminal → Run <code>free -h</code>. This command works in Red Hat, CentOS, Suse, Ubuntu, Fedora, Debian and other distributions. Alternative commands include: <code>cat /proc/meminfo |grep MemTotal</code>, <code>top</code>, and <code>vmstat -s</code>.

Related:

* [[Troubleshooting#Low_RAM_Issues|Low RAM Issues]]
* [[RAM|Advice for Systems with Low RAM]]

=== VirtualBox ===
# To add RAM in VirtualBox, the VM must first be powered down.
# Virtual machine → Menu → Settings → Adjust Memory slider → Hit: OK

=== KVM ===
{{KVM_RAM}}

== Change Keyboard Layout ==
{{mbox
| image   = [[File:Ambox_notice.png|40px|alt={{project_name_short}}Change Keyboard Layout info box]]
| text    = [[Qubes|{{q_project_name_short}}]] users can skip this section. By default, Qubes VMs use the same keyboard layout as Qubes dom0.
}}

If you are using a keyboard layout other than QWERTY (US), consider changing the keyboard layout. Refer to the dedicated [[Keyboard Layout]] entry for further details.

== Test Keyboard Layout ==
{{mbox
| image   = [[File:Ambox_notice.png|40px|alt={{project_name_short}}Test Keyboard Layout info box]]
| text    = [[Qubes|{{q_project_name_short}}]] users can skip this section.
}}

* Start menu → Accessories → Mousepad; or
* {{Open File
|filename=~/testfile
}}

Try typing the words <code>user</code>, <code>changeme</code> and <code>qwerty</code>. Try typing further words to ensure the desired keyboard layout is functional.

{{Anchor|Change Passwords}}
== Change Password ==
{{mbox
| image   = [[File:Ambox_notice.png|40px|alt={{project_name_short}} default password info box]]
| text    = [[Qubes|{{q_project_name_short}}]] users can skip this section. By default, Qubes does not require a password for superuser access. https://www.qubes-os.org/doc/vm-sudo/
}}

The user can set or change the password for the <code>user</code> user account in {{project_name_gateway_short}}, if this is useful for the user's threat model based on this [[Default_Passwords|default passwords information]].

{{Box|text=
'''1.''' [[#Change Keyboard Layout|Change Keyboard Layout]] if necessary.

'''2.''' Review [[#Test Keyboard Layout|Test Keyboard Layout]] before proceeding further.

'''3.''' Open a terminal (such as Xfce Terminal Emulator).

Start menu → Applications → System → Terminal

'''4.''' Run a test command as root by using <code>sudo</code>.

Type the command in the terminal and press Enter.

{{CodeSelect|code=
sudo systemd-detect-virt
}}

'''5.''' Read the note below regarding the username and password.

{{Default_Passwords}}

'''6.''' Read the note below regarding the password change procedure.

When typing the password it will not appear on the screen, nor will the asterisk sign (<code>*</code>) be visible. It is necessary to type blindly and trust the procedure.

'''7.''' Change the <code>user</code> (and <code>sudo</code>) password.

* To change the <code>user</code> ({{project_name_short}} default user account) password, run the following command.
* This will also be the password when running <code>sudo</code> from Linux user account <code>user</code>.
* This is the usual Debian / sudo default and [[Unspecific|Unspecific to {{project_name_short}}]].
* Using [https://github.com/Kicksecure/usability-misc/blob/master/man/pwchange.8.ronn pwchange].
* [https://github.com/Kicksecure/usability-misc/blob/master/usr/sbin/pwchange /usr/sbin/pwchange] source code.
* Alternatively, Debian standard command:

{{CodeSelect|code=
sudo passwd user
}}

{{CodeSelect|code=
sudo pwchange
}}

<code>pwchange</code> will prompt.

What user's password do you want to change?

Type <code>user</code> and then press Enter.

'''8.''' Root password.

No changes required. Optional, for details, see [[Root#Root_Account|root account in {{project_name_short}}]].

'''9.''' Done.

The procedure of changing passwords is complete.
}}

If issues appear when gaining root, consider using [[Root#dsudo_-_default_password_sudo|dsudo]]. Another option is to [[Recovery#Recovery_Mode|boot into recovery mode]] and change passwords there.

=== Changing auto login ===
Depending on the threat model, users might want to change the auto login setting after changing the user's password. Be aware that a password in the login / display manager might protect against unsophisticated, simple access; however, an attacker capable of basic Linux commands can easily change the password if full disk encryption is not used.

{{mbox
| image   = [[File:Ambox_warning_pn.svg.png|40px]]
| text    = '''Warning:''' It is therefore recommended to always use full disk encryption; otherwise the system can easily be chrooted to gain access. https://wiki.debian.org/chroot
}}

To change the auto login behavior, edit the configuration file of lightdm, which is the default display manager used by Kicksecure. If another display manager is used, consult its manual on how to change auto login behavior. For lightdm in Kicksecure, run:

{{CodeSelect|code=
cd /etc/lightdm/lightdm.conf.d/
sudo cp 40_autologin.conf 40_autologin.conf.bak  # creating a backup file
sudo sed -i 's/^/#/' 40_autologin.conf
}}

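A check that can be run before rebooting, given here as an added example and not as Kicksecure's own code: it reports any uncommented <code>autologin-user</code> setting that LightDM would still read, including ones in other <code>*.conf</code> files. The function names and the sample file content are constructed for illustration; the default directories are assumed to be LightDM's standard configuration locations.

```shell
#!/bin/sh
# Added example (not project code): report LightDM settings that still enable auto login.

# Print every active (uncommented, non-empty) autologin-user line in the given
# directories; with no arguments, use LightDM's standard configuration locations.
active_autologin() {
    [ "$#" -gt 0 ] || set -- /usr/share/lightdm/lightdm.conf.d \
        /etc/lightdm/lightdm.conf.d /etc/lightdm
    for dir in "$@"; do
        for f in "$dir"/*.conf; do   # *.conf only, so 40_autologin.conf.bak is skipped
            [ -f "$f" ] || continue
            grep -HnE '^[[:space:]]*autologin-user[[:space:]]*=[[:space:]]*[^[:space:]]' "$f" || true
        done
    done
    return 0
}

# Succeeds only when no active autologin-user setting remains.
autologin_disabled() {
    [ -z "$(active_autologin "$@")" ]
}

# Constructed sample: replay the procedure above in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    printf '[Seat:*]\nautologin-user=user\n' > "$d/40_autologin.conf"   # constructed content
    cp "$d/40_autologin.conf" "$d/40_autologin.conf.bak"
    if autologin_disabled "$d"; then echo "before: disabled"; else echo "before: ENABLED"; fi
    sed -i 's/^/#/' "$d/40_autologin.conf"
    if autologin_disabled "$d"; then echo "after: disabled"; else echo "after: ENABLED"; fi
    rm -rf "$d"
}

demo
active_autologin   # check the real system; no output means auto login is off
```

Any line printed by the last command names the file and line number that still enables auto login.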
Reboot now. On the next boot, the user should be asked for a login password in lightdm in addition to full disk encryption.

== Security Updates ==
Regularly check for security updates and apply them in a timely fashion; see [[Operating_System_Software_and_Updates#Updates|Operating System Updates]].

= Appendix =
== How do I Check the Current {{project_name_short}} Version? ==
See <code>/etc/*_version</code>.

{{Open_a__product_gw_terminal}}

{{CodeSelect|code=
cat /etc/*_version
}}

Should show.

{{Stable project version based on Debian version short}}.1
{{VersionShort}}

The first line shows the major and minor version of Debian. The second line shows the version of the derivative ({{project_name_short}}).

= Footnotes =
{{reflist|close=1}}
{{Footer}}
[[Category:Documentation]]