{{Header}} {{Title|title= Post-installation Security Advice }} {{#seo: |description=This page provides security advice, steps that can be applied after installation of {{project_name_long}} for better security such as changing passwords. |image=Ball-63527-640.jpg }} [[File:Ball-63527-640.jpg|thumb]] {{intro| This page provides security advice, steps (such as changing passwords) that can be applied after installation of {{project_name_short}} for better security. }} = Introduction = {{security_intro}} This page provides security advice, including steps that can be applied after installation of {{project_name_short}} for better security. = On {{project_name_gateway_long}} = == Increase Virtual Machine RAM == If using a {{Project_name_long}} VM... {{mbox | image = [[File:Ambox_notice.png|40px|alt={{project_name_short}} default password info box]] | text = [[Qubes|{{q_project_name_long}}]] users can skip this section. Qubes has dynamic RAM assignment. }} If enough host RAM is available, ideally the virtual RAM setting of {{project_name_short}} should be increased to 2048 MB RAM. This provides higher performance during upgrades and lowers the likelihood of [https://forums.whonix.org/t/swap-swap-file-whonix-gateway-freezing-during-apt-get-dist-upgrade-encrypted-swap-file-creator/8317 issues]. If it is infeasible to increase the virtual RAM setting, {{project_name_gateway_short}} will still function properly. Although non-ideal, [https://github.com/{{project_name_short}}/swap-file-creator swap-file-creator] will create an encrypted swap file and the [https://forums.whonix.org/t/vm-swappiness-1-set-swapiness-to-lowest-setting-still-useful-swappiness-lowest/9278 system is configured to swap as little as possible]. If it is unknown how much RAM is available, follow these steps on the host: https://www.tenforums.com/tutorials/66809-determine-system-memory-size-speed-type-windows-10-a.html https://vitux.com/how-to-check-installed-ram-on-debian/ https://support.apple.com/en-us/HT201191 * Windows 10: Task Manager in More details viewClick/tap on the Performance tabClick/tap on Memory; or Open a command promptRun wmic MemoryChip get /format:list * macOS: Apple menuAbout This Mac * Linux: Open a terminalRun free -h This command works in Red Hat, CentOS, Suse, Ubuntu, Fedora, Debian and other distributions. Alternative commands include: cat /proc/meminfo |grep MemTotal, top, and vmstat -s. Related: * [[Troubleshooting#Low_RAM_Issues|Low RAM Issues]] * [[RAM|Advice for Systems with Low RAM]] === VirtualBox === # To add RAM in VirtualBox the VM must first be powered down. # Virtual machineMenuSettingsAdjust Memory sliderHit: OK === KVM === {{KVM_RAM}} == Change Keyboard Layout == {{mbox | image = [[File:Ambox_notice.png|40px|alt={{project_name_short}}Change Keyboard Layout info box]] | text = [[Qubes|{{q_project_name_short}}]] users can skip this section. By default, Qubes VMs use the same keyboard layout as Qubes dom0. }} If you are using a keyboard layout other than qwerty (US), consider changing the keyboard layout. Refer to the dedicated [[Keyboard Layout]] entry for further details. == Test Keyboard Layout == {{mbox | image = [[File:Ambox_notice.png|40px|alt={{project_name_short}}Test Keyboard Layout info box]] | text = [[Qubes|{{q_project_name_short}}]] users can skip this section. }} * Start menuAccessoriesMousepad; or * {{Open File |filename=~/testfile }} Try typing the words user, changeme and qwerty. Try typing further words to ensure the desired keyboard layout is functional. {{Anchor|Change Passwords}} == Change Password == {{mbox | image = [[File:Ambox_notice.png|40px|alt={{project_name_short}} default password info box]] | text = [[Qubes|{{q_project_name_short}}]] users can skip this section. By default, Qubes does not require a password for superuser access. https://www.qubes-os.org/doc/vm-sudo/ }}
The user can set or change the password for account user in {{project_name_gateway_short}}, if this is useful for the user's threat model based on this [[Default_Passwords|default passwords information]]. {{Box|text= '''1.''' [[#Change Keyboard Layout|Change Keyboard Layout]] if necessary. '''2.''' Review [[#Test Keyboard Layout|Test Keyboard Layout]] before proceeding further. '''3.''' Open a terminal (such as Xfce Terminal Emulator). Start menuApplicationsSystemTerminal '''4.''' Run a test command as root by using sudo. Run. Type the command in the terminal and press . {{CodeSelect|code= sudo systemd-detect-virt }} '''5.''' Read the note below regarding the username and password. {{Default_Passwords}} '''6.''' Read the note below regarding the password change procedure. When typing the password it will not appear on the screen, nor will the asterisk sign (*) be visible. It is necessary to type blindly and trust the procedure. '''7.''' Change the account user (and sudo) password. * To change the user ({{project_name_short}} default user account) password, run the following command. * This will also be the password when running sudo from Linux user account user. * This is the usual Debian / sudo default and [[Unspecific|Unspecific to {{project_name_short}}]]. * Using [https://github.com/Kicksecure/usability-misc/blob/master/man/pwchange.8.ronn pwchange]. * [https://github.com/Kicksecure/usability-misc/blob/master/usr/sbin/pwchange /usr/sbin/pwchange] source code. * Alternatively, Debian standard command: {{CodeSelect|code= sudo passwd user }} {{CodeSelect|code= sudo pwchange }} pwchange will prompt.
What user's password do you want to change?
Type user and then press . '''8.''' Root password. No changes required. Optional, for details, see [[Root#Root_Account|root account in {{project_name_short}}]]. '''9.''' Done. The procedure of changing passwords is complete. }}
If issues appear when gaining root, consider using [[Root#dsudo_-_default_password_sudo|dsudo]]. Another option is to [[Recovery#Recovery_Mode|boot into recovery mode]] and change passwords there. === Auto Login === Based on the threat model, users might want to [[Desktop#Disable_Autologin|disable autologin]] after changing their password. Be aware that requiring a password for [[login]] might protect against unsophisticated, simple access. However, an attacker with physical access and basic Linux knowledge can easily change the password if full disk encryption is not used. See also [[Protection Against Physical Attacks]]. It is strongly recommended to use [[Full Disk Encryption|full disk encryption (FDE)]] on the host {{os}}; otherwise, the system can be easily accessed via chroot. https://wiki.debian.org/chroot == Security Updates == Regularly check for security updates and apply them in a timely fashion; see [[Operating_System_Software_and_Updates#Updates|Operating System Updates]]. = Appendix = == How do I Check the Current {{project_name_short}} Version? == See /etc/*_version. {{Open_a__product_gw_terminal}} {{CodeSelect|code= cat /etc/*_version }} Should show. {{Stable project version based on Debian version short}}.1
The first line shows the version of the major and minor version of Debian. The second line shows the version of the derivative ({{project_name_short}}). = Footnotes = {{reflist|close=1}} {{Footer}} [[Category:Documentation]]