{{Header}}
{{Title|title=
systemcheck Hardening
}}
{{#seo:
|description=systemcheck attack surface reduction.
|image=whonixcheckhard.jpg
}}
[[File:whonixcheckhard.jpg|240px|thumb]]
{{intro|
systemcheck attack surface reduction.
}}
= Rationale =
Although systemcheck already has AppArmor and systemd hardening, some marginal security benefits are gained by reducing the number of network connections, the amount of code running, and [[Advanced_Host_Security#Attack_Surface_Reduction|unnecessary functionality]]. This is not the default configuration, since that would come at the cost of decreased usability for the entire {{project_name_long}} population.
= Hardening Steps =
== Prevent Autostart ==
{{IconSet|h1|1}} {{sysmaint_notice}}
{{IconSet|h1|1}} To prevent systemcheck from automatically starting, run the following command.
{{CodeSelect|code=
sudo systemctl mask systemcheck
}}
{{IconSet|h1|2}} Optional: learn about and consider disabling [[Systemcheck#Update_Notifications_by_updatecheck|Update Notifications by updatecheck]].
Run the following command as the normal user; do not use sudo/root.
{{CodeSelect|code=
systemctl --user mask updatecheck.service
}}
{{IconSet|h1|2}} Done.
Autostart for systemcheck has been prevented.
{{Anchor|Prevent Downloading {{project_name_short}} News}}
{{Anchor|Prevent_Downloading_Whonix_News_and_Whonix_User_Census_Counting}}
{{Anchor|Prevent {{project_name_short}} User Census Counting}}
== Prevent {{project_name_short}} Warrant Canary Check and User Census Counting ==
{{IconSet|h1|1}} Refer to the following [[systemcheck]] chapters:
* [[systemcheck#Warrant_Canary_Check|Warrant Canary Check]]; and
* [[systemcheck#Disable_Warrant_Canary_Check|Disable Warrant Canary Check]].
{{IconSet|h1|2}} Done.
The relevant systemcheck chapters have been referenced.
== Prevent Polluting TransPort ==
{{whonix_only}}
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = The TransPort test is only run by systemcheck --leak-tests. Running that command with the Tor TransPort test disabled makes little sense, since it then only serves as a Tor SocksPort connectivity test.
}}
Deactivate the TransPort test for better {{whonix_wiki
|wikipage=Stream_Isolation
|text=Stream Isolation
}}.
{{IconSet|h1|1}} Open the following file with root rights.
{{Open with root rights|filename=
/etc/systemcheck.d/50_user.conf
}}
{{IconSet|h1|2}} Add the following content.
{{CodeSelect|code=
SYSTEMCHECK_DISABLE_TRANS_PORT_TEST="1"
}}
{{IconSet|h1|3}} Save.
{{IconSet|h1|4}} Done.
The TransPort test has been disabled for systemcheck.
== Prevent Running APT ==
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = Complete these steps on ''both'' {{project_name_gateway_long}} and {{project_name_workstation_long}}.
}}
The following steps prevent systemcheck from running APT.
{{IconSet|h1|1}} Open the following file with root rights.
{{Open with root rights|filename=
/etc/systemcheck.d/50_user.conf
}}
{{IconSet|h1|2}} Add the following content.
{{CodeSelect|code=
systemcheck_skip_functions+=" check_operating_system "
}}
{{IconSet|h1|3}} Learn about and consider disabling [[Systemcheck#Update_Notifications_by_updatecheck|Update Notifications by updatecheck]].
{{IconSet|h1|4}} Done.
APT checks by systemcheck have been prevented.
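The two drop-in edits above (Prevent Polluting TransPort and Prevent Running APT) are plain Bash assignments that systemcheck sources. The following added example (not systemcheck's own code) audits whether they are in effect; it assumes systemcheck reads every /etc/systemcheck.d/*.conf in lexical order, so later files override earlier ones, and the function name check_placeholder_example is a constructed placeholder.

```bash
# Added example, not systemcheck's own code. Assumption: systemcheck sources
# every /etc/systemcheck.d/*.conf in lexical order, so later files override
# earlier ones and "+=" appends to the list; verify against your version.

# Reset the two settings this page touches, then source DIR/*.conf in order.
systemcheck_load_conf() {
  local dir="$1" f
  SYSTEMCHECK_DISABLE_TRANS_PORT_TEST=""
  systemcheck_skip_functions=""
  for f in "$dir"/*.conf; do
    [[ -r "$f" ]] || continue
    # shellcheck disable=SC1090
    source "$f"
  done
}

# True when the Tor TransPort leak test is disabled ("Prevent Polluting TransPort").
systemcheck_transport_test_disabled() {
  [[ "$SYSTEMCHECK_DISABLE_TRANS_PORT_TEST" == "1" ]]
}

# True when function NAME is in systemcheck_skip_functions. The padding spaces
# make this a whole-word match, which is why the config line on this page
# writes " check_operating_system " with a space on each side.
systemcheck_is_skipped() {
  [[ " $systemcheck_skip_functions " == *" $1 "* ]]
}

# Write a constructed drop-in directory: a lower-priority default file plus a
# 50_user.conf carrying the two edits from this page, so override order shows.
systemcheck_write_sample_conf() {
  local dir="$1"
  mkdir -p "$dir"
  # check_placeholder_example is a constructed name, not a real systemcheck test.
  printf '%s\n' 'SYSTEMCHECK_DISABLE_TRANS_PORT_TEST="0"' \
    'systemcheck_skip_functions+=" check_placeholder_example "' > "$dir/30_default.conf"
  printf '%s\n' 'SYSTEMCHECK_DISABLE_TRANS_PORT_TEST="1"' \
    'systemcheck_skip_functions+=" check_operating_system "' > "$dir/50_user.conf"
}
# Print one verdict per setting; return 0 only if both hardening steps apply.
systemcheck_report() {
  local rc=0
  systemcheck_load_conf "$1"
  if systemcheck_transport_test_disabled; then echo "TransPort test: disabled"
  else echo "TransPort test: enabled"; rc=1; fi
  if systemcheck_is_skipped check_operating_system; then echo "APT check: skipped"
  else echo "APT check: active"; rc=1; fi
  return "$rc"
}
```

On a real system, `systemcheck_report /etc/systemcheck.d` reports the live configuration and exits non-zero if either hardening step is missing.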
== Prevent torproject.org Connections ==
{{IconSet|h1|1}} Connections to The Tor Project are prevented by default; therefore, no action is required.
systemcheck only connects to torproject.org when the command systemcheck --leak-tests is run manually.
{{IconSet|h1|2}} Done.
It has been confirmed that no additional steps are required by default.
= Footnotes =
{{reflist|close=1}}
{{Footer}}
[[Category:Documentation]]