Although <code>systemcheck</code> already has AppArmor and systemd hardening, some marginal security benefits can be gained by reducing the number of network connections, the amount of code running, and [[Advanced_Host_Security#Attack_Surface_Reduction|unnecessary functionality]]. This is not the default configuration, since it would come at the cost of decreased usability for the entire {{project_name_long}} population.
= Hardening Steps =
== Prevent Autostart ==
To prevent <code>systemcheck</code> from automatically starting, run.
{{Anchor|Prevent {{project_name_short}} User Census Counting}}
== Prevent {{project_name_short}} Warrant Canary Check and User Census Counting ==
Refer to the following [[systemcheck]] chapters:
* [[systemcheck#Warrant_Canary_Check|Warrant Canary Check]]; and
* [[systemcheck#Disable_Warrant_Canary_Check|Disable Warrant Canary Check]].
== Prevent Polluting TransPort ==
{{whonix_only}}
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = <br />
* This is only useful when running <code>systemcheck --leak-tests</code>. However, running this command with the Tor <code>TransPort</code> test disabled makes little sense; in that case it would be useful as a Tor <code>SocksPort</code> connectivity test.
}}
Deactivate the <code>TransPort</code> Test for better {{whonix_wiki
|wikipage=Stream_Isolation
|text=Stream Isolation
}}.
{{Open with root rights|filename=
/etc/systemcheck.d/50_user.conf
}}
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = Complete these steps on ''both'' {{project_name_gateway_long}} and {{project_name_workstation_long}}.
}}
This prevents <code>systemcheck</code> from running APT.
{{Open with root rights|filename=
/etc/systemcheck.d/50_user.conf
}}