Qubes SoC Project


Harry Pantazis

Apr 9, 2019, 12:51:53 AM
to qubes-devel
Greetings,

I've gone through the GSoC ideas page and I've found a lot of nice projects. I was supposed to make contact for GSoC, but since Qubes OS isn't among the organizations, I'm contacting you anyway :)


The ideas (ordered by preference) that interest me:
* Wayland Support (I like sway)
* In-VM Configuration
* LogVM(s)

If someone is interested in mentoring me in some way, giving me tips or collaborating with me I'm open to discussion.

Harry

Marek Marczykowski-Górecki

Apr 9, 2019, 7:30:18 PM
to Harry Pantazis, qubes-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Mon, Apr 08, 2019 at 09:51:53PM -0700, Harry Pantazis wrote:
> Greetings,
>
> I've gone through the GSoC ideas page and I've found a lot of nice projects. I was supposed to make contact for GSoC, but since Qubes OS isn't among the organizations, I'm contacting you anyway :)
>
>
> The ideas (ordered by preference) that interest me:
> * Wayland Support (I like sway)
> * In-VM Configuration
> * LogVM(s)

This is a great choice!
Wayland support is IMO the most beneficial for Qubes, but also the most
challenging of those tasks. There are actually two (mostly independent)
parts - support for Wayland in dom0 (in gui-daemon) and support for
Wayland in VM (in gui-agent). It's perfectly fine to focus on one of
them only.

On the other hand, LogVM(s) is probably the simplest one, but still
pretty cool.

> If someone is interested in mentoring me in some way, giving me tips or collaborating with me I'm open to discussion.

I'll be happy to provide any kind of assistance you'll need.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlytKwIACgkQ24/THMrX
1yxlUgf+J1YRt7XENxYWoW138aUY8jbZqaOZexRLtWgD1mFkxeKaQEw2eYk3+lEk
hQ/0OPBHswesFLHs2w2mBIM9ycgmLiiDmPRhNuNcv1CpGMI4glYUxDUUBhn3lIuz
BcIl5F4+zgBwlnZg+j7XR2a22jKlGYGAafBqyBI0C+jJEckmv7O4DvKxxCb6eTZg
UABgk342SIkS2CEOudDPsMGqChScRbnv1l8hk2h/mg9qY++1BRyrXzWYtEqkUlLg
LqUZaPCHoRlhmHa/dHniKsWfRSym1ZVeGlq921aszvYH/r2ejpFXeyq4Ft6Plvey
EdKSHLKROH3WpBZ/8eCm2CkJD9XsSw==
=8ku3
-----END PGP SIGNATURE-----

Scarpafo Scarpafo

Apr 10, 2019, 2:10:43 AM
to Marek Marczykowski-Górecki, Harry Pantazis, qubes-devel
Hi,

By LogVM(s) do you mean collecting the logs of the VMs and trying to detect any compromised state?



--
You received this message because you are subscribed to the Google Groups "qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel...@googlegroups.com.
To post to this group, send email to qubes...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/20190409233010.GA1728%40mail-itl.
For more options, visit https://groups.google.com/d/optout.

Zrubi

Apr 10, 2019, 3:12:25 AM
to Harry Pantazis, qubes-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 4/9/19 6:51 AM, Harry Pantazis wrote:

> The ideas (ordered by preference) that interest me:
> * Wayland Support (I like sway)
> * In-VM Configuration
> * LogVM(s)
>
> If someone is interested in mentoring me in some way, giving me
> tips or collaborating with me I'm open to discussion.

I'm happy to collaborate about the LogVM project.

As I'm really interested in making that happen, and I have already played
with log (and traffic) analysis:
http://zrubi.hu/en/2017/traffic-analysis-qubes/
http://zrubi.hu/en/2017/siem-at-home/

I think all of those can be related (and hopefully useful) for Qubes
Log VMs too.
(As I have worked with enterprise-level SIEM solutions for years, I have
some experience in this field)

- --
Zrubi
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEmAe1Y2qfQjTIsHwdVjGlenYHFQ0FAlytl0kACgkQVjGlenYH
FQ0myQ//URPqj9uPERw4ivBN/VtGRLd+RHdofIRjlf363NcRNsLG4gaADGYEMrki
L397f6vXKn09Uv+c1mWvWGFIsFBD4BF5fRWSIrQNNzpwcO/zgLuLPSL7fCbF4kfC
8SiMYLVZgppZ6sgnwMWZfvpTAehBeMYEjnClyrpi0FCkVYzKCuva8wGH4OcXzMyg
OiuUjyPer2OBwMYU4aoYaJahK/4RaB1PKFqEOQP2PzsuyG55qtauomIj1uEpN1Dl
Cup0xN2bKh6vyaCBc4nhC/h8tCo97hc9cprZCbylU+IUlapDDvXOx15ZSor2b7ZG
QdUkv6CoXSeIlBIrQMz0srGCdLh+U/wNHjpfb/VP3c+l7b9yCxpoXztzRQXtw8b2
YeVJRhpYfpJwQobB7Vi7dMkvcViRN5gHkTU6Mv26z177Dgws1cw2LYQpap4Y5xbB
U67UbYz9mV1uVA3wwSKIde90fu/dbbEUnSvDzG/ROeUYp6XrAxLlBQB5pbIEeK+c
ST3mx+Slu3PY43TGL1AVmMMyNM+EWJbr3ZggCS1etZh2VljcHSeoPvjVEgEekJ6F
qqCuu84dMEHhfT0M01JimkOaWq/3AE9r3GjR9ox1S//5Llc/vTtHoOUbL0/mx+J2
UDvVmaoj7ikurVSs9488Pj/9Vgq6L0SfAqwPO15zNUy0Zp4ZXsc=
=H/mE
-----END PGP SIGNATURE-----

Scarpafo Scarpafo

Apr 15, 2019, 2:36:30 AM
to Zrubi, Harry Pantazis, qubes-devel
Ahah, I suggested it to Frederic one year ago.
But we need to salt all VMs with an auditd policy, rsyslog forwarding, a HIDS, build a syslog-ng repo, and the most difficult part... do you know any SIEM that doesn't eat power? xD
Splunk: KO.
Graylog: GPL (as far as I know)
Elastic?: KO for power saving.
We can use the VirusTotal API for HIDS checks with file checksums (requires a free account for limited submissions, but enough I guess for the USB VM).
It is a very tough project, but this is what Qubes OS needs. Absolutely, because this is the first thing I was thinking when someone showed me the project. How do you know this VM is compromised?
Nothing....
But something we can do is:
- build a minimal version for laptops (it is kind of nonsense because of the battery power ahah)
- build a solution for the server/cloud version of Qubes. This is a very good project! This can be a physical server with an open-source SOC based on Qubes OS.


Zrubi

Apr 15, 2019, 3:37:05 AM
to Scarpafo Scarpafo, Harry Pantazis, qubes-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 4/15/19 8:36 AM, Scarpafo Scarpafo wrote:
> Ahah, I suggested it to Frederic one year ago. But we need to salt
> all VMs with an auditd policy, rsyslog forwarding, a HIDS, build a
> syslog-ng repo, and the most difficult part... do you know any SIEM
> that doesn't eat power? xD
Well, we should not aim to create a full SIEM in this project, but
"only" a log collecting (and parsing) VM, and the stuff needed for this.

As log collecting (and parsing) is the very first requirement of every
SIEM, we can't skip this part. As I have already done it (see my blog):
basic log parsing can be done by syslog-ng (or maybe rsyslog, or
nxlog) with only very small resources needed.

The Qubes specific part would be the "special" log forwarding, instead
of using TCP/UDP network. But the solution is already here: see the
current template network access method.

Then, if we have the architecture and the Qubes specific log
collecting solution we can start extending it by defining what kind
of logs we need, and what we can do with them...

But to jump ahead, and answer your question:
As you may read on my blog, I started a tiny SIEM-like project which
runs on my home NAS. And this thing has only 512 MB RAM total. :)

Of course it does not work like the big huge ELK/Splunk/QRadar, but
something like well-defined daily statistics instead. I would say that
is a good start for seeing what happened in our home network. And I
think the same should apply for a Qubes box.

- --
Zrubi
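The collector Zrubi sketches above (a small log-collecting and parsing VM, fed over a Qubes-specific channel instead of TCP/UDP, producing well-defined daily statistics) can be illustrated end to end. The following is an added example, not code from the Qubes OS project or from anyone in this thread. It assumes a hypothetical transport: each source qube pipes its syslog stream into a qrexec RPC service (say `qrexec-client-vm log-vm my.LogSink`), and in the LogVM the service handler runs this script with the sender's name in the `QREXEC_REMOTE_DOMAIN` environment variable and the stream on stdin. The service name `my.LogSink`, the qube names `log-vm` and `work`, the detection rules and the sample log lines are all made up for the example. The security point it demonstrates is that the LogVM is a sink for untrusted input: the sender identity is taken from the transport rather than from the log line's hostname field, and control characters are neutralised before the line is parsed or stored.

```python
"""LogVM-side collector: parse syslog lines arriving over qrexec and keep
per-VM counters for daily statistics.  Added example, not Qubes OS code.

Assumed (hypothetical) transport: the qrexec service runner starts this
script with QREXEC_REMOTE_DOMAIN set to the sending qube's name and the
sender's syslog stream on stdin.  No network socket is involved.
"""
import os
import re
import sys
from collections import Counter

# BSD-syslog style line as rsyslog's default file template writes it:
#   "Apr 15 08:36:30 host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
MAX_LINE = 4096
# Control characters, including ESC, so a hostile qube cannot inject
# terminal escape sequences into whoever later views the log.  Tab is kept.
_CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")


def sanitize(text):
    """Neutralise control characters and cap the length of one log line."""
    return _CONTROL.sub("?", text)[:MAX_LINE]


def parse_line(raw, source_vm):
    """Parse one syslog line received from `source_vm`.

    The source name comes from the transport (qrexec), never from the line's
    own hostname field, which a compromised qube can set to anything.
    Returns a dict, or None when the line is malformed (counted separately).
    """
    m = SYSLOG_RE.match(sanitize(raw.rstrip("\r\n")))
    if not m:
        return None
    return {
        "vm": source_vm,
        "claimed_host": m.group("host"),
        "prog": m.group("prog"),
        "pid": m.group("pid"),
        "msg": m.group("msg"),
    }


# Hypothetical "daily statistics" rules: name -> predicate over a record.
# hostname_mismatch is a heuristic assuming a qube's hostname normally equals
# its qube name, so a differing value deserves a closer look.
RULES = {
    "ssh_failed_login": lambda r: r["prog"] == "sshd" and "Failed password" in r["msg"],
    "sudo_command": lambda r: r["prog"] == "sudo" and "COMMAND=" in r["msg"],
    "new_usb_device": lambda r: r["prog"] == "kernel" and "New USB device" in r["msg"],
    "hostname_mismatch": lambda r: r["claimed_host"] != r["vm"],
}


def collect(lines, source_vm):
    """Parse every line from one qube; return Counter[(vm, key)] -> count."""
    stats = Counter()
    for raw in lines:
        rec = parse_line(raw, source_vm)
        if rec is None:
            stats[(source_vm, "unparsed")] += 1
            continue
        stats[(source_vm, "total")] += 1
        stats[(source_vm, "prog:" + rec["prog"])] += 1
        for name, pred in RULES.items():
            if pred(rec):
                stats[(source_vm, name)] += 1
    return stats


def report(stats):
    """Render the counters as sorted 'vm key count' lines."""
    return ["%s %s %d" % (vm, key, n) for (vm, key), n in sorted(stats.items())]


# Constructed sample input standing in for the stream of a qube named "work".
SAMPLE_LINES = [
    "Apr 15 08:36:30 work sshd[1234]: Failed password for root from 10.137.0.9 port 51234 ssh2",
    "Apr 15 08:36:31 work sshd[1234]: Failed password for root from 10.137.0.9 port 51235 ssh2",
    "Apr 15 08:37:02 work sudo[2001]: user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/apt update",
    # Hostname field forged as dom0; the transport still says it came from "work".
    "Apr 15 08:40:00 dom0 kernel: usb 1-1: New USB device found, idVendor=1234, idProduct=5678",
    "garbage\x1b[31m line without syslog structure",
]


def main():
    # Under qrexec the sender name and the stream come from the service
    # runner; run stand-alone, fall back to the constructed sample.
    source = os.environ.get("QREXEC_REMOTE_DOMAIN")
    lines = sys.stdin if source else SAMPLE_LINES
    print("\n".join(report(collect(lines, source or "work"))))


if __name__ == "__main__":
    main()
```

On the sending side, rsyslog's `omprog` output module can feed each line to a program on its stdin, which is one way to hand the stream to `qrexec-client-vm` without opening any port; the RPC policy in dom0 then decides which qubes may talk to the LogVM at all. The counters are deliberately per (qube, key) so that a qube flooding the sink only inflates its own row.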

Scarpafo Scarpafo

Apr 15, 2019, 5:54:25 AM
to Zrubi, Harry Pantazis, qubes-devel
OK, I will check your blog tonight.
rsyslog is already inside each system. Better to use it instead of installing syslog-ng. Even if ng is better :)

Scarpafo Scarpafo

Apr 15, 2019, 6:26:58 AM
to Zrubi, Harry Pantazis, qubes-devel
OK,
Read your blog. Nice.
I think before anything technical we have to define the supervision policy.
What are we facing?
Where?
.....

Scarpafo Scarpafo

Apr 15, 2019, 8:34:52 AM
to Zrubi, Harry Pantazis, qubes-devel

unman

Apr 15, 2019, 9:32:03 AM
to qubes-devel
Please don't top post. It makes it much more difficult to follow the
thread.

Harry Pantazis

Apr 18, 2019, 2:19:39 PM
to unman, qubes-devel
Wow!

It's really nice this post got that much attention :D

Since Laszlo has some pre-existing knowledge on the LogVM idea I will try to focus on the other two and keep communications with him to test and coordinate.
To reply in total, I know the Wayland support is the hardest of the three, but I'd like to give it a shot.

Within the next days I'll instrument my research on both In-VM configurations and Wayland support and create a standalone post on the idea details for feedback.

Regards,
Harry
