Enhancing Template security?
91 views
Skip to first unread message
vel...@tutamail.com
Mar 25, 2018, 8:14:12 PM3/25/18
to qubes-users
I am trying to harden my Fedora and Debian templates and was hoping for some basic help and commands to do the following:
How would I enable sudo authentication in a Template?
How would I add a service like Qubes-VM-hardening ?
Should I enable AppArmor in a template and VM?
Any other hardening best practices?
Thanks you in advance...I am hoping these are easy for the layperson!
V
sevas
Mar 25, 2018, 11:38:10 PM3/25/18
to qubes-users
On Sunday, March 25, 2018 at 8:14:12 PM UTC-4, vel...@tutamail.com wrote:
> I am trying to harden my Fedora and Debian templates and was hoping for some basic help and commands to do the following:
> I am trying to harden my Fedora and Debian templates and was hoping for some basic help and commands to do the following:
> How would I add a service like Qubes-VM-hardening ?
Look at Tresnor.
> Should I enable AppArmor in a template and VM?
One or the other, I think...
Chris Laprise
Mar 26, 2018, 1:05:49 AM3/26/18
to vel...@tutamail.com, qubes-users
On 03/25/2018 08:14 PM, vel...@tutamail.com wrote:
> I am trying to harden my Fedora and Debian templates and was hoping for some basic help and commands to do the following:
>
> How would I enable sudo authentication in a Template?
There are two ways to do this now:
> I am trying to harden my Fedora and Debian templates and was hoping for some basic help and commands to do the following:
>
> How would I enable sudo authentication in a Template?
1. Follow this Qubes doc to get the yes/no auth prompts for sudo:
https://www.qubes-os.org/doc/vm-sudo/#replacing-password-less-root-access-with-dom0-user-prompt
2. Remove the 'qubes-core-agent-passwordless-root' package.
This second way means that sudo no longer works for a normal user.
Instead, any root access in the VM must be done from dom0 with a command
like 'qvm-run -u root vmname command'.
I like the first method better because I'm used to sudo.
>
> How would I add a service like Qubes-VM-hardening ?
The instructions are pretty vague - I should rewrite them soon. For now
the version in the 'systemd' branch (linked above) is much more robust.
You start by copying the two files (as root/sudo) to:
/lib/systemd/system/vm-sudo-protect.service
/usr/lib/qubes/init/vm-sudo-protect.sh
After you copy them set execute bit and enable the service:
$ sudo chmod +x /usr/lib/qubes/init/vm-sudo-protect.sh
$ sudo systemctl daemon-reload
$ sudo systemctl enable vm-sudo-protect.service
The final step is adding either 'vm-sudo-protect' or
'vm-sudo-protect-root' as a Qubes service to each VM you want to
protect. (Qubes services are added in the VM settings window on the
Services tab.) The latter offers the most protection because it prevents
rootkits from running when your VM starts.
>
> Should I enable AppArmor in a template and VM?
are, it may prevent some of your apps from running properly. A long time
ago I created a custom profile for Firefox with limited success but I
doubt it works with FF 57+.
AppArmor was supposed to be a way to pre-package security profiles along
with apps. But it didn't work out that way and so users were left to
themselves to guess what settings required changes in an app's profile
whenever an app had an update.
IIRC there is a GUI app called 'firejail' that can limit Firefox and
other apps in a similar way. If they are more focused on keeping their
limited repertoire of apps correctly profiled then it may work better
than AppArmor.
Also, Whonix keeps AppArmor profiles of Torbrowser, etc. but I don't
think they enable it by default.
>
> Any other hardening best practices?
'hardening'. FWIW the regular Debian template is slightly less 'minimal'
than Fedora-minimal.
Overall I recommend Debian 9 because (like almost all other distros) it
has a more secure update configuration than Fedora. That's because
Fedora doesn't know if an attacker is trying to hold back some packages
from being updated. So just switching to Debian is a type of hardening.
There are other options that try to harden the VM kernels by patching
them. My take on this is they're fraught with controversy, left
unmaintained and/or difficult to install. At this point I don't think
its worth it even for most Qubes users, and it may be better to wait for
these features to be incorporated into the main kernel.
You can also research 'unikernels' on Qubes as a way to harden the
firewall. (Again, may not be worth it for most people at this point.)
Other ways to increase safety include subscribing to a reputable VPN
service and setup a VPN qube, and/or use Whonix with onion sites, and
also add safety-oriented extensions to your web browser. In Firefox I
recommend uBlock Origin and HTTPS Everywhere.
>
> Thanks you in advance...I am hoping these are easy for the layperson!
>
> V
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
Reply all
Reply to author
Forward
0 new messages