-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathusage.html
More file actions
170 lines (136 loc) · 9.44 KB
/
usage.html
File metadata and controls
170 lines (136 loc) · 9.44 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<link rel="stylesheet" href="styles.css">
<title>Obscurix - Usage</title>
</head>
<body>
<h1>Usage</h1>
<p>
Obscurix is very easy to use. It uses XFCE as a desktop environment that is pre-configured to look nice. It uses the Adapta-Nokto-Eta theme and Papirus icon theme. The background comes from this <a href="https://www.reddit.com/comments/caiad9">Reddit post</a>. <br>
<br>
Once you have booted into Obscurix, it will ask you if you want to use a Tor bridge or not. If you select "No", you will connect directly to the Tor network. If you select "Yes", it will ask you for the bridge information which can be gotten from <a href="https://bridges.torproject.org">https://bridges.torproject.org</a>. Once you have entered the correct information, you will connect to Tor through a bridge. This hides Tor usage from your ISP and will help bypass Tor blocks. If you enter the wrong information, Tor will fail to start and you will have to reboot and enter the information in again. <br>
<br>
After you have been prompted for bridges, it will ask if you want to change the keyboard layout. <br>
<br>
Web browsing can be done via the Tor Browser which is specially configured to protect your privacy and anonymity. Downloads can only be stored in /home/user/tor-browser_en-US/Browser/Downloads due to the application confinement. <br>
<br>
It is recommended to use the <span class="code">scurl</span> or <span class="code">scurl-download</span> programs in a terminal for downloads. This a wrapper around <span class="code">curl</span> that prevents https downgrade attacks. Credit to Whonix for this <a href="https://github.com/Whonix/scurl">https://github.com/Whonix/scurl</a>. <br>
<br>
Hexchat is installed by default for IRC chats. It is configured for privacy and security as per <a href="https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/XChat">https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/XChat</a>. <br>
<br>
VLC is installed by default for watching videos. <br>
<br>
Thunderbird is installed for emails and other chats. It uses a configuration (a user.js file) hardened for privacy and security. <br>
<br>
Evince is installed for viewing documents such as PDFs. evince-thumbnailer and evince-previewer are disabled to reduce attack surface and evince itself is sandboxed. Some functionality such as automatically opening links in browsers is broken. <br>
<br>
Gedit is installed for editing files. You cannot edit files outside of your home directory due to the restrictions. <br>
<br>
Eog is installed for image viewing. You cannot view images outside of your home directory. <br>
<br>
Electrum is installed for cryptocurrencies. <br>
<br>
Keepassxc is installed for secure password management.
</p>
<h2>Boot Parameters</h2>
<p>
WARNING: Don't use these unless you know what you're doing. <br>
<br>
Certain things can be configured via boot parameters. These are things you can tell the kernel to do. They are configured at the boot loader. When the screen pops up and asks you to boot into Obscurix, enter "tab" to be able to edit the boot parameters and hit enter to boot. Don't remove any or you will break things or worsen security. <br>
<br>
Obscurix has a few custom boot parameters that can be used to configure certain things. They are documented below.
</p>
<h3>nonet</h3>
<p>
Specifying the <span class="code">nonet</span> boot parameter will disable all network access. <br>
<br>
It does this by getting a list of network interfaces, setting them all down, disabling Tor so the firewall blocks outgoing traffic, disabling NetworkManager and adding iptables rules to block all outgoing traffic.
</p>
<h3>rootpw</h3>
<p>
Specifying the <span class="code">rootpw</span> boot parameter will allow you to gain root access. It adds the user to the "wheel" group, allows the wheel group to use <span class="code">sudo</span> and sets the user's password to "password". This allows you to run any command as root by putting <span class="code">sudo</span> before it and entering the password. <br>
<br>
Using <span class="code">su</span> to switch to the root user or logging in as root from a tty is still not possible. <br>
<br>
This boot parameter will greatly decrease security by allowing any program easy root access. It is highly recommended to restrict root access after you've done whatever you needed root for.
</p>
<h4>Restricting Root Access Again</h4>
<p>
If you have used the <span class="code">rootpw</span> boot parameter then you should restrict root access again once you've done what you needed root for. This isn't too hard and is documented below. <br>
<br>
Open a terminal and run <span class="code">sudo su</span> to get a root shell. Remove the user from the "wheel" group by running
</p>
<div class="code">
gpasswd -d user wheel
</div>
<p>
Now prevent users of the wheel group from using <span class="code">sudo</span> by running <span class="code">visudo</span> and adding a # before <span class="code">%wheel ALL=(ALL) ALL</span>. So now it should say,
</p>
<div class="code">
#%wheel ALL=(ALL) ALL
</div>
<p>
Close the terminal and now root access will be restricted again. You can test this if you want to.
</p>
<h3>nomacspoof</h3>
<p>
Specifying <span class="code">nomacspoof</span> as a boot parameter will disable MAC address spoofing. This can be useful if the network you are connecting to only allows connections from certain MAC addresses.
</p>
<h3>ipfs/cjdns</h3>
<p>
Specifying <span class="code">ipfs</span> or <span class="code">cjdns</span> as boot parameters will enable IPFS or cjdns. See <a href="anonymity-networks.html">Non-Anonymous Networks</a> for more details.
</p>
<h3>nozeronet/noi2p/nofreenet/notor</h3>
<p>
Specifying <span class="code">nozeronet</span>, <span class="code">noi2p</span>, <span class="code">nofreenet</span> or <span class="code">notor</span> as boot parameters will disable Zeronet, I2P, Freenet or Tor. This can be useful if you don't use them and want to disable them to free up system resources or reduce attack surface. <br>
<br>
Disabling Tor will mess up networking.
</p>
<h3>cow_spacesize</h3>
<p>
The <span class="code">cow_spacesize</span> boot parameter controls the size of the root filesystem. The default is 3G which should be enough for most but some users may want to increase this. For example, to set it at 4G use <span class="code">cow_spacesize=4G</span> as a boot parameter.
</p>
<h2>Installing New Software</h2>
<p>
If you wish to install new software, there are two ways you can do it.
</p>
<ul>
<li>Modify the source code to include it (the most secure way)</li>
<li>Install it with pacman or manually install it (the least secure way)</li>
</ul>
<h3>Installing New Software with Pacman</h3>
<p>
To install new software with pacman you will need root privileges (see the <span class="code">rootpw</span> boot parameter above). First, update the system. This can be done by running
</p>
<div class="code">
sudo pacman -Syu
</div>
<p>
Now install the software with pacman
</p>
<div class="code">
sudo pacman -S (package)
</div>
<p>
Replace (package) with the package name. This can take a long time, depending on the speed of your internet connection and how old the iso is.
</p>
<h3>Modifying the source code to include new software</h3>
<p>
To modify the source code to include new software, follow the building instructions at <a href="download.html">Downloading and Installing</a> but before building, edit the packages.x86_64 file to include the name of the new software. Make sure the software is in the Arch Linux repositories before doing this.
</p>
<h2>Bug Reports</h2>
<p>
As Obscurix is new software, it is not uncommon for there to be bugs. If you find a bug, please report it at the issues section on <a href="https://github.com/Obscurix/Obscurix/issues">Github</a>. <br>
<br>
Before creating a new issue, check if the same bug has already been reported. <br>
<br>
When reporting, please give a detailed description of the error. Just saying "X thing doesn't work" is not enough information to help me fix the problem. Please also provide any relevant logs. <br>
<br>
You will likely need to give the systemd logs which are very detailed. To get these, you will need to have booted Obscurix with the <span class="code">rootpw</span> boot parameter and run <span class="code">journalctl</span> in a terminal. Copy/paste the output and hide any sensitive information if there is any. If you are worried about there being sensitive information there and do not know how to hide it, you can email the logs to me in private. Likely, the most sensitive information would be what hardware you use which isn't that useful to an adversary. <br>
<br>
When sending large logs, please do not stick the whole thing in the Github issue. Use a pastebin such as <a href="https://pastebin.com">Pastebin</a> or <a href="https://privatebin.net">PrivateBin</a>.
</p>
</body>
</html>