Qubes VM Hardening v0.8.2 Released!


Chris Laprise

Apr 15, 2018, 3:52:05 PM
to qubes-users
Leverage Qubes template non-persistence to fend off malware. Lock-down,
quarantine and check contents of /rw private storage that affect the VM
execution environment.

vm-boot-protect.service:

* Acts at VM startup before private volume /rw mounts

* User: Protect /home desktop & shell startup executables

* Root: Quarantine all /rw configs & scripts, with whitelisting

* Re-deploy custom or default files to /rw on each boot

* SHA256 hash checking against unwanted changes

* Provides rescue shell on error or request

* Works with template-based AppVMs, sys-net and sys-vpn


Also included is the 'configure-sudo-prompt' tool which restores
authorization for sudo on Debian. vm-boot-protect isn't effective with
"passwordless sudo" Qubes default -- this tool restores VM internal
security using a dom0 yes/no prompt in place of passwords.


Project link: https://github.com/tasket/Qubes-VM-hardening


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
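The "SHA256 hash checking" and "quarantine with whitelisting" steps in the feature list above, as an added shell illustration that is not code from the Qubes-VM-hardening project; the function names, the throwaway tree and the sample paths under it are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed illustration of "SHA256 hash checking + quarantine with
# whitelisting" for a /rw-style tree. Not code from Qubes-VM-hardening.
# Assumes sha256sum (coreutils) and relative paths without whitespace.

# vbp_check_tree ROOT HASHFILE QUARANTINE
#   HASHFILE lists approved files as "<sha256>  <path relative to ROOT>"
#   (sha256sum output format). Every file under ROOT that is absent from
#   HASHFILE, or whose hash differs, is moved into QUARANTINE under the
#   same relative path so it cannot be sourced or executed at startup.
#   Prints the number of files quarantined.
vbp_check_tree() {
    root=$1; hashfile=$2; quarantine=$3; bad=0
    listing=$(mktemp)
    (cd "$root" && find . -type f | sed 's|^\./||') > "$listing"
    while IFS= read -r rel; do
        expected=$(awk -v p="$rel" '$2 == p { print $1 }' "$hashfile")
        actual=$(sha256sum "$root/$rel" | awk '{ print $1 }')
        if [ -z "$expected" ] || [ "$actual" != "$expected" ]; then
            mkdir -p "$quarantine/$(dirname "$rel")"
            mv "$root/$rel" "$quarantine/$rel"
            bad=$((bad + 1))
        fi
    done < "$listing"
    rm -f "$listing"
    echo "$bad"
}

# vbp_demo: builds a throwaway tree with two approved files, records their
# hashes, then alters one and drops an unlisted script before checking.
# Prints "<files quarantined> <files still in place>".
vbp_demo() {
    work=$(mktemp -d); rw=$work/rw; q=$work/quarantine
    mkdir -p "$rw/home/user" "$rw/config"
    printf 'export EDITOR=vim\n' > "$rw/home/user/.bashrc"
    printf '# approved firewall hook\n' > "$rw/config/qubes-firewall-user-script"
    (cd "$rw" && sha256sum home/user/.bashrc config/qubes-firewall-user-script) \
        > "$work/approved.sha256"
    # Simulated unwanted change to an approved file plus an unapproved addition
    printf '# unapproved line\n' >> "$rw/home/user/.bashrc"
    printf '#!/bin/sh\n' > "$rw/config/rc.local"
    n=$(vbp_check_tree "$rw" "$work/approved.sha256" "$q")
    left=$(find "$rw" -type f | wc -l | tr -d ' ')
    rm -rf "$work"
    echo "$n $left"
}
```

Running vbp_demo quarantines the altered .bashrc and the unlisted rc.local and leaves the unchanged firewall script in place; a real service would do this before /rw is used by anything else at boot.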

Chris Laprise

Apr 15, 2018, 4:05:37 PM
to qubes-users
On 04/15/2018 03:51 PM, Chris Laprise wrote:
> Project link: https://github.com/tasket/Qubes-VM-hardening

TL;DR: This closes the obvious loopholes that malware can use in Qubes
AppVMs to escalate privileges, impersonal real apps (to steal
credentials), and persist after shutdown/restart.

VMs' own internal security has a chance to work and even shake off
rootkits and other malware when VMs are restarted or the template
receives security updates.

Stumpy

Apr 15, 2018, 4:30:57 PM
to Chris Laprise, qubes-users
Awesome! Can't wait till I have some time to try this out.
Thanks Chris!!!

Chris Laprise

Apr 15, 2018, 4:41:16 PM
to qubes-users
On 04/15/2018 04:05 PM, Chris Laprise wrote:
> On 04/15/2018 03:51 PM, Chris Laprise wrote:
>> Project link: https://github.com/tasket/Qubes-VM-hardening
>
> TL;DR: This closes the obvious loopholes that malware can use in Qubes
> AppVMs to escalate privileges, _impersonate_ real apps (to steal
> credentials), and persist after shutdown/restart.

^FIXED :)

awokd

Apr 15, 2018, 6:39:44 PM
to Chris Laprise, qubes-users
On Sun, April 15, 2018 8:41 pm, Chris Laprise wrote:
> On 04/15/2018 04:05 PM, Chris Laprise wrote:
>
>> On 04/15/2018 03:51 PM, Chris Laprise wrote:
>>
>>> Project link: https://github.com/tasket/Qubes-VM-hardening
>>>
>>
>> TL;DR: This closes the obvious loopholes that malware can use in Qubes
>> AppVMs to escalate privileges, _impersonate_ real apps (to steal
>> credentials), and persist after shutdown/restart.
>
> ^FIXED :)
>
>
>>
>> VMs' own internal security has a chance to work and even shake off
>> rootkits and other malware when VMs are restarted or the template
>> receives security updates.

Thanks, tasket!

none

Apr 17, 2018, 12:25:39 AM
to qubes-users
Is there some official opinion on this from whomever the Qubes
developers are?

Looks like it's a bit non-trivial, and interacts with dom0; hence I'm
likely to break Q4.0 trying to 'harden' it :)


I was thinking I could clone the Deb-9 Template, and all would be OK, if
I failed however .......

Am a bit curious who is officially a dev on here, I have a few guesses,
besides Marek, but maybe it's folks with the PGP sigs, shrug.....

Chris Laprise

Apr 17, 2018, 12:47:36 PM
to none, qubes-users
On 04/17/2018 12:25 AM, none wrote:
> Is there some official opinion on this from whomever the Qubes
> developers are?

This is the closest to an official opinion I guess:

https://github.com/QubesOS/qubes-issues/issues/2748

Patrick/adrelanos (also on the Qubes team) has expressed positive
interest: https://github.com/tasket/Qubes-VM-hardening/issues/2

>
> Looks like it's a bit non-trivial, and interacts with dom0; hence I'm
> likely to break Q4.0 trying to 'harden' it :)
>
>
> I was thinking I could clone the Deb-9 Template, and all would be OK, if
> I failed however .......

It's pretty benign to the OS itself. The dom0 commands should be
identical to the related Qubes doc about enabling sudo prompts:

https://www.qubes-os.org/doc/vm-sudo/#replacing-password-less-root-access-with-dom0-user-prompt

You can skip the sudo prompt configuration and use the alternative for
restoring internal VM security: Just remove the
qubes-core-agent-passwordless-root package from the template.

The main risk with the vm-boot-protect-root service is that any settings
or scripts that are subsequently added to VMs in /rw/config,
/rw/usrlocal, and /rw/bind-dirs may be deleted (although the first time
it backs up those dirs and those copies are kept indefinitely).

>
> Am a bit curious who is officially a dev on here, I have a few guesses,
> besides Marek, but maybe it's folks with the PGP sigs, shrug.....

Just having a PGP sig doesn't indicate status with the project. The
Qubes core team is listed here:

https://www.qubes-os.org/team/

Andrew David Wong

Apr 17, 2018, 10:58:16 PM
to none, Chris Laprise, qubes-users

On 2018-04-17 11:47, Chris Laprise wrote:
> On 04/17/2018 12:25 AM, none wrote:
>> Is there some official opinion on this from whomever the Qubes
>> developers are?
>
> This is the closest to an official opinion I guess:
>
> https://github.com/QubesOS/qubes-issues/issues/2748
>

Just to clarify: The current status of that issue means that the core
devs have not yet reviewed the package. We're at step 4 of the
package contribution procedure:

https://www.qubes-os.org/doc/package-contributions/#contribution-procedure

> [...]
>
>> Am a bit curious who is officially a dev on here, I have a few guesses,
>> besides Marek, but maybe it's folks with the PGP sigs, shrug.....
>
> Just having a PGP sig doesn't indicate status with the project. The
> Qubes core team is listed here:
>
> https://www.qubes-os.org/team/
>

Chris is correct on both counts:

1. "However, anyone on the list can choose to sign their messages, so
the presence of a PGP signature does not indicate authority."

https://www.qubes-os.org/support/#staying-safe

2. The core devs are the developers in this list:

https://www.qubes-os.org/team/#core-team

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

