Here's the background, I just sent this mail to coldhak.ca:
---
Referring to https://coldhak.ca/coldkernel/
1.
Please add that error messages from "sudo update-grub2" can safely be ignored.
As also stated in https://www.qubes-os.org/doc/managing-vm-kernel/ , "Installing PV GRUB2".
2.
Also please add that one needs to change the kernel in AppVMs to pvgrub2.
3.
And, related, that one should also install paxtest and run it to confirm that grsecurity is running,
As mentioned at https://micahflee.com/2016/01/debian-grsecurity/
4.
And that there is the option to add further to securing the appvm, by using gradm2 in learning mode as explained at https://en.wikibooks.org/wiki/Grsecurity/The_Administration_Utility#Full_System_Learning
---
And so I'd like to hear if you have any suggestions for RBAC given the opportunities for compartmentalization that Qubes OS provides.
Cheers,
C-c & C-v
Oh damn, that's taking it to the next level, lol. I could be wrong, but I think eventually you have to learn how to edit the file manually as the system changes, which is beyond me. It would be easier to manage on sys-VMs though, I would imagine.
Thank you for your input!
Would you think a sniffing approach, or a tripwire approach, to be better*?
* On a RAM-limited system
what do you mean by sniffing approach?
Tripwire is good to have, but it will take a lot of fine tuning as well so it's not so noisy. The open source version's default setups are for outdated operating systems. It also takes strict discipline so you don't miss anything; don't forget to keep keys separate.
It should tell you what RBAC is blocking in dmesg or the journal, no? It will say gradm, I believe. You should also be seeing grsec and PaX messages in there as well.
Yes, you can shut down the system in the middle of training.
Well, you got further than I ever did, lol. If you get it working, let us know.
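As an added example (not code from the thread, from coldhak's coldkernel page, or from any of the linked articles): a small POSIX shell script covering two points raised above, the e-mail's step 3 (run paxtest to confirm the grsecurity/PaX kernel is actually enforcing in the AppVM) and the later remark that RBAC, grsec and PaX denials show up in dmesg/the journal. The paxtest report and the kernel log lines it reads are constructed inline in the format those tools use, so the script runs offline; the dom0 `qvm-prefs` line in the comment is the Qubes 3.x syntax and is not executed here.

```shell
#!/bin/sh
# Added example, not part of the original thread or of coldkernel.
# Assumes the AppVM has already been switched to pvgrub2 from dom0, e.g.
#   qvm-prefs -s my-appvm kernel pvgrub2      (Qubes 3.x syntax, run in dom0)
# and that paxtest is installed in the AppVM's template.
set -eu

# paxtest_vulnerable_count FILE
# paxtest prints one line per memory test as "<name> : Killed" (protected)
# or "<name> : Vulnerable". Returns the number of unprotected tests; lines of
# other kinds (randomisation "quality bits", return-to-function notes) are
# ignored because only the trailing ": Vulnerable" result is matched.
paxtest_vulnerable_count() {
    grep -c ': Vulnerable$' "$1" || true
}

# paxtest_all_killed FILE
# Exit 0 only if no test in the report came back Vulnerable.
paxtest_all_killed() {
    [ "$(paxtest_vulnerable_count "$1")" -eq 0 ]
}

# grsec_log_lines FILE
# Keep only grsecurity/PaX kernel messages from saved dmesg or journal output.
# grsec prefixes RBAC and other denials with "grsec:", PaX uses "PAX:".
grsec_log_lines() {
    grep -E 'grsec:|PAX:' "$1" || true
}

# --- constructed sample input (not real output from any machine) ---------
sample_paxtest=$(mktemp)
cat >"$sample_paxtest" <<'EOF'
Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Vulnerable
Executable stack                         : Killed
Anonymous mapping randomization test     : 33 quality bits (guessed)
EOF

sample_log=$(mktemp)
cat >"$sample_log" <<'EOF'
[    3.120000] grsec: RBAC system loaded
[   12.400000] PAX: execution attempt in: <anonymous mapping>
[   12.400001] PAX: terminating task: /home/user/poc(poc):1234, uid/euid: 1000/1000
[   15.000000] grsec: denied access to hidden file /etc/grsec/policy by /bin/cat
[   16.000000] eth0: link up
EOF

if paxtest_all_killed "$sample_paxtest"; then
    echo "paxtest: all memory tests killed, PaX is enforcing"
else
    echo "paxtest: $(paxtest_vulnerable_count "$sample_paxtest") test(s) still Vulnerable"
fi
echo "--- grsec/PaX messages in kernel log ---"
grsec_log_lines "$sample_log"

rm -f "$sample_paxtest" "$sample_log"
```

On a real AppVM you would replace the constructed files with `paxtest blackhat > report.txt` and `sudo dmesg > kern.log` (or `journalctl -k`), then run the same two functions; a report with any "Vulnerable" line means the VM is not actually booting the grsecurity kernel, which is the failure mode the e-mail's step 3 is meant to catch.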
Sorry for being unclear, I'm not a native speaker.
By "sniffing", I meant to refer to active monitoring of known attack types, a pro-active approach as opposed to a more after-the-fact intrusion detection system.
Kind of like watchdogs for memory, and snort for ports.
Google recently wrote up some advice for hardening KVMs: https://cloudplatform.googleblog.com/2017/01/7-ways-we-harden-our-KVM-hypervisor-at-Google-Cloud-security-in-plaintext.html
Their number one advice is using a pro-active approach.
I think by proactive approach they mean pen testing.