On 2/24/19 3:26 PM, 799 wrote:
> Hello Chris,
>
> On Sun, 24 Feb 2019 at 00:22, Chris Laprise <
tas...@posteo.net
> <mailto:
tas...@posteo.net>> wrote:
>
> [...]
> As you may already know, I created a Qubes service that provides
> most of
> the benefits of a dispVM by removing, hash checking, repopulating or
> whitelisting the contents of a VM's private volume:
>
>
https://github.com/tasket/Qubes-VM-hardening
> [...]
>
>
> I'd like to test your script, but I need some more information how to start.
> As far as I understand, I need to deploy your scripts in a template VM
> and your script will do some magic, that the AppVM (made from this
> template) starty in a fresh way (like a disposable VM) but it is
> possible to add changes which survives between reboots?
Its installed in a template VM, and any VM based on that template can
use it.
Where a dispVM destroys/creates a new private volume for each run, Qubes
VM Hardening keeps the same volume but can remove or check any/all files
before the VM has a chance to access them.
>
> Can you give some more details for a complete walkthrough?
> For example how to I enable a service? Via the Qubes Settings > Services
> Tab?
Yes. It creates a Qubes service, and that's where you enable it for
individual VMs (otherwise it does nothing, even if it was installed).
The service name to use in your case is 'vm-boot-protect-root' because
that has the "/rw executable deactivation, whitelisting, checksumming"
etc. You can think of it as an automatic "file wiper" that cleans /rw
before the VM has a chance to access it.
>
> Also I haven't fully understand what happens when I enable the
> /vm-boot-protect service
Its all the same service, but using "vm-boot-protect" tells it to only
make /home scripts immutable. This only protects against unprivileged
malware, which is not really the threat model for 'sys-net'.
Using "vm-boot-protect-root" can wipeout malware even if it got root
access in the VM at some point. So if you were using a public wifi
router that successfully attacked your 'sys-net' and installed
persistent malware files in one of the privileged (root-accessible)
paths that are executed by Qubes on startup, this would automatically
quarantine them the next time 'sys-net' was started.
Here's a rundown of its actions at startup:
1. Mount private volume in an 'offline' area so it is not recognized by
the system.
2. Move everything in the /rw privileged directories to
'/rw/vm-boot-protect', effectively a quarantine. By default these dirs
are /rw/config, /rw/bind-dirs, /rw/usrlocal.
Anything defined in a whitelist is exempted. The only default whitelist
is for 'sys-net' and contains:
/rw/config/NM-system-connections/
3. Run hash checks if any were configured by the user. These are just
SHA256 checksum listings. If any check fails, normal VM startup will be
halted and a rescue shell will appear.
4. Copy any files that were configured for deployment. This allows you
to automatically place pristine or special files into /rw at each boot.
5. Dismount the private volume and allow normal VM startup to resume
(e.g. private volume will be re-mounted in the normally recognized place
at /rw).