Question(s) regarding Qubes minimal templates

Tomei Ningen

Jun 7, 2017, 7:53:29 PM
to qubes-users
Hey all,

Thanks in advance to those kind enough to entertain these questions!
  • Given that more installed applications generally create a larger attack surface, why aren't the minimal templates set as the default templates for sensitive VMs such as the SysVMs?
    • Is this just a matter of convenience and/or usability?
  • Presuming this is planned for future releases, are there any particular changes or precautions that should be made/taken by those who opt to use a 'raw' minimal template as their TemplateVM for the aforementioned VMs?
  • Are there any significant protections afforded by the full-featured VM images that are absent in the appropriately configured minimal VMs [going by the current Qubes documentation]? Any pitfalls exposed by the latter?
Best,
TN


Sent with ProtonMail Secure Email.

Vít Šesták

Jun 8, 2017, 5:03:35 AM
to qubes-users, Tomei...@protonmail.ch
> Given that more installed applications generally create a larger attack surface, why aren't the minimal templates set as the default templates for sensitive VMs such as the SysVMs?

* Having an extra app installed might add some attack surface, but not always. Having app like Firefox in sys-firewall adds zero attack surface until you (either accidentally or on purpose) run it.
* With minimal Template without installing anything else, you might be unable to use Wi-Fi etc. So, this might be viable for sys-firewall, but not for sys-net. (Not sure about sys-usb.)

> Are there any significant protections afforded by the full-featured VM images that are absent in the appropriately configured minimal VMs [going by the current Qubes documentation]? Any pitfalls exposed by the latter?

The only (sort of) protection I am aware about is haveged – a RNG that feeds kernel RNG.

Regards,
Vít Šesták 'v6ak'

Unman

Jun 8, 2017, 6:33:11 AM
to Vít Šesták, qubes-users, Tomei...@protonmail.ch
On Thu, Jun 08, 2017 at 02:03:34AM -0700, Vít Šesták wrote:
> > Given that more installed applications generally create a larger attack surface, why aren't the minimal templates set as the default templates for sensitive VMs such as the SysVMs?
>
> * Having an extra app installed might add some attack surface, but not always. Having app like Firefox in sys-firewall adds zero attack surface until you (either accidentally or on purpose) run it.

There's been discussion on this before - in my opinion, it isn't the
application itself but the assorted libraries and helpers that are
installed along with it. And that has nothing to do with whether an
application is run or not.
If you look at the packages installed when you install firefox, for
example, you may be surprised at what comes in, and how much the
potential for attack has been widened (Firewire anyone? With Firefox?)

> * With minimal Template without installing anything else, you might be unable to use Wi-Fi etc. So, this might be viable for sys-firewall, but not for sys-net. (Not sure about sys-usb.)

In most cases it requires very little to be installed to get a working
netVM. (See www.qubes-os.org/doc/templates/fedora-minimal/)
sys-usb works as expected on a minimal template.

>
> > Are there any significant protections afforded by the full-featured VM images that are absent in the appropriately configured minimal VMs [going by the current Qubes documentation]? Any pitfalls exposed by the latter?
>
> The only (sort of) protection I am aware about is haveged – a RNG that feeds kernel RNG.

haveged is installed in the minimal templates too.

>
> Regards,
> Vít Šesták 'v6ak'

I'm a strong advocate of using minimal (or smaller) templates,
customised for specific use cases. Some people HATE this approach.

unman

Tomei Ningen

Jun 13, 2017, 6:30:28 PM
to Unman, Vít Šesták, qubes-users
> I'm a strong advocate of using minimal (or smaller) templates, customised for specific use cases. Some people HATE this approach.
>
> unman

Really? Coming from the sort of people with the patience for an OS like Qubes? I'd think anyone who's involved enough to have an opinion would be in favor of that -- that's kind of the idea here, isn't it? One thing I wish I could change would be the visual clutter it produces; anybody know of a means to flag these VMs as internal so I can hide the ones I'm not interested in seeing regularly?
That being said, I'm definitely in agreement with you, unman. Would you recommend any particular setup for a more granular approach? My current arrangement of VMs [work in progress; suggestions welcome!] is structured like this as of now:

  • dom0
  • fedora-24
    • dispVM(s)
  • fedora-24-minimal ( ... > derivative templates > appVM > packages*)
    • fedora-24-min-net
      • sys-net**
        • General-purpose: gnome-keyring, less, man, pciutils, psmisc, sudo, vim-minimal, xterm
        • Template-specific: dbus-x11, dejavu-sans-fonts, NetworkManager, NetworkManager-wifi, network-manager-applet, notification-daemon, tinyproxy
    • fedora-24-min-frwll
      • sys-firewall
        • No additional packages; effectively a clone of the Fedora-24-minimal template.
    • fedora-24-min-vpn
      • sys-vpn
        • G.P.: sudo, xterm
        • T.S.: [TBD; trying out some different VPNs atm]
    • fedora-24-min-usb
      • sys-usb
        • G.P.: sudo, xterm
        • T.S.: qubes-input-proxy-sender
    • fedora-24-min-pen
      • pentest
        • G.P.: sudo, xterm
        • T.S.: aircrack-ng, ettercap, kismet, nmap, nmap-telcat, tcpdump, wireshark***, [remaining packages TBD]
* The concomitant dependencies aren't included in these lists (n.b. packages are installed in the respective templateVM)
** Can't quite get this one to run properly yet; I presume I need to install a proprietary driver in the template to make this work for my machine(?)
*** Very interested in trying out v6ak's "split-wireshark" idea but haven't found the time yet. Thanks for sharing that idea, v6ak!

- TN
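Unman's point above (it is the libraries and helpers that come with a package, not the application itself, that widen the surface) and TN's footnote that the "concomitant dependencies" are left out of the lists both come down to the same question: what does a package list actually install on top of the minimal template? The following is an added example, not code from this thread or from the Qubes project. It walks a direct-dependency map to compute the transitive closure and subtracts what the base template already ships. The dependency map and the `MINIMAL_BASE` set are constructed for illustration and are not real Fedora metadata; on a real template the map could be filled from `dnf repoquery --requires --resolve <pkg>` output, one package at a time.

```python
"""Estimate what a package list really pulls into a template.

Added example (not from the qubes-users thread or the Qubes project).
The dependency map and the "minimal base" set below are constructed for
illustration; they are not real Fedora metadata.
"""
from collections import deque

# Constructed direct-dependency map: package -> packages it requires.
# Packages absent from the map are treated as leaves (no requirements).
SAMPLE_REQUIRES = {
    "NetworkManager": ["dbus", "glib2", "libndp"],
    "NetworkManager-wifi": ["NetworkManager", "wpa_supplicant"],
    "wpa_supplicant": ["openssl-libs", "libnl3"],
    "network-manager-applet": ["NetworkManager", "gtk3", "libnotify"],
    "gtk3": ["glib2", "cairo", "pango"],
    "libnotify": ["glib2", "gdk-pixbuf2"],
    "tinyproxy": [],
    "xterm": ["libXft", "ncurses-libs"],
    "dbus": ["glib2"],
}

# Constructed stand-in for what the minimal template already ships.
MINIMAL_BASE = {"glib2", "ncurses-libs", "openssl-libs", "dbus"}

# A subset of the template-specific packages the thread lists for sys-net.
SYS_NET_EXTRAS = ["NetworkManager", "NetworkManager-wifi",
                  "network-manager-applet", "tinyproxy"]


def closure(requested, requires):
    """Transitive closure: every package reachable from `requested`.

    Breadth-first walk over the direct-dependency map; `seen` stops
    cycles, which real package graphs do contain.
    """
    seen = set()
    queue = deque(requested)
    while queue:
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(requires.get(pkg, []))
    return seen


def added_by(requested, requires, base):
    """Packages the install adds beyond what `base` already provides."""
    return closure(requested, requires) - set(base)


def report(name, requested, requires=SAMPLE_REQUIRES, base=MINIMAL_BASE):
    """One-line summary: how many packages arrive that were never asked for."""
    full = closure(requested, requires)
    new = added_by(requested, requires, base)
    hidden = sorted(new - set(requested))
    return (f"{name}: {len(requested)} requested -> {len(full)} installed, "
            f"{len(new)} new on top of the base; pulled in implicitly: "
            f"{', '.join(hidden) or 'none'}")


if __name__ == "__main__":
    print(report("sys-net extras", SYS_NET_EXTRAS))
    print(report("sys-firewall extras", []))   # clone of the minimal template
    print(report("xterm only", ["xterm"]))
```

With the constructed data, the four sys-net packages resolve to 15 installed packages, 12 of them new relative to the base and 8 of those never named in the request; the empty sys-firewall list adds nothing, which is the "effectively a clone" case in the list above. The same walk run against real `repoquery` output is the quickest way to see what an innocuous-looking package brings with it before committing it to a template that backs a sys-VM.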

P R

Jun 14, 2017, 2:40:03 AM
to Tomei Ningen, Vít Šesták, Unman, qubes-users
Hello,

Are there any reasons to migrate from fedora-23 to fedora-24 regarding:

- features
- security
(...)

Regards

- P

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscribe@googlegroups.com.
To post to this group, send email to qubes...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/QOUCXs5Owf4_vFzLV8tj0-YlBHu981vPYZYllxyjhEEUARUYol1xXRAHwNTExkDU0O9iMVo0_fWuy4AlV4-AlAT_GSEpbXPcDbfw6jw_GYw%3D%40protonmail.ch.
For more options, visit https://groups.google.com/d/optout.

Qubed One

Jun 14, 2017, 6:50:19 PM
to qubes...@googlegroups.com, Tomei...@protonmail.ch
'Tomei Ningen' via qubes-users:
>> I'm a strong advocate of using minimal (or smaller) templates,
>> customised for specific use cases. Some people HATE this approach.
>>
>> unman
>
> Really? Coming from the sort of people with the patience for an OS
> like Qubes? I'd think anyone who's involved enough to have an opinion
> would be in favor of that -- that's kind of the idea here, isn't it?
> One thing I wish I could change would be the visual clutter it
> produces; anybody know of a means to flag these VMs as internal so I
> can hide the ones I'm not interested in seeing regularly?

In dom0, type this from the command line:

qvm-prefs -s <vm-name> internal True

> That being
> said, I'm definitely in agreement with you, unman. Would you
> recommend any particular setup for a more granular approach? My
> current arrangement of VMs [work in progress; suggestions welcome!]
> is structured like this as of now:
>
> - dom0
> - fedora-24
>   - dispVM(s)
> - fedora-24-minimal ( ... > derivative templates > appVM > packages*)
>   - fedora-24-min-net
>     - sys-net**
>       - General-purpose: gnome-keyring, less, man, pciutils, psmisc, sudo, vim-minimal, xterm
>       - Template-specific: dbus-x11, dejavu-sans-fonts, NetworkManager, NetworkManager-wifi, network-manager-applet, notification-daemon, tinyproxy
>   - fedora-24-min-frwll
>     - sys-firewall
>       - No additional packages; effectively a clone of the Fedora-24-minimal template.
>   - fedora-24-min-vpn
>     - sys-vpn
>       - G.P.: sudo, xterm
>       - T.S.: [TBD; trying out some different VPNs atm]
>   - fedora-24-min-usb
>     - sys-usb
>       - G.P.: sudo, xterm
>       - T.S.: qubes-input-proxy-sender
>   - fedora-24-min-pen
>     - pentest
>       - G.P.: sudo, xterm
>       - T.S.: aircrack-ng, ettercap, kismet, nmap, nmap-telcat, tcpdump, wireshark***, [remaining packages TBD]
>
> * The concomitant dependencies aren't included in these lists (n.b. packages are installed in the respective templateVM)
> ** Can't quite get this one to run properly yet; I presume I need to install a proprietary driver in the template to make this work for my machine(?)
> *** Very interested in trying out v6ak's "split-wireshark" idea but haven't found the time yet. Thanks for sharing that idea, v6ak!
>
> - TN
>
> Sent with [ProtonMail](https://protonmail.com) Secure Email.
>

Vít Šesták

Jun 15, 2017, 12:31:38 AM
to qubes-users
Fedora 23 has EOLed, Fedora 24 should EOL in about two months. When Fedora is EOLed, it receives no security updates. So, looking to near future, I'd upgrade to Fedora 25 rather than to Fedora 24.

Regards,
Vít Šesták 'v6ak'

Noor Christensen

Jun 15, 2017, 5:00:36 AM
to qubes...@googlegroups.com
On Wed, Jun 14, 2017 at 10:50:10PM +0000, Qubed One wrote:
> 'Tomei Ningen' via qubes-users:
> >> I'm a strong advocate of using minimal (or smaller) templates,
> >> customised for specific use cases. Some people HATE this approach.
> >>
> >> unman
> >
> > Really? Coming from the sort of people with the patience for an OS
> > like Qubes? I'd think anyone who's involved enough to have an opinion
> > would be in favor of that -- that's kind of the idea here, isn't it?
> > One thing I wish I could change would be the visual clutter it
> > produces; anybody know of a means to flag these VMs as internal so I
> > can hide the ones I'm not interested in seeing regularly?
>
> In dom0, type this from the command line:
>
> qvm-prefs -s <vm-name> internal True

Does the internal flag affect the VM in any other way than how it is
displayed in the GUI manager? Like, are they automatically started at
boot or similar?

-- noor

Unman

Jun 16, 2017, 6:06:29 PM
to qubes...@googlegroups.com
No, nothing like that - setting that flag does also affect the display
in Menus, as I said in another thread. Otherwise, I don't think there is
any change.