On 05/10/2017 01:07 PM, atlahua wrote:
On 2017-05-10 00:22, Chris Laprise wrote:
On 05/09/2017 10:09 AM, atlahua wrote:
Hi there!
I need to be able to start DVMs from different templates
simultaneously. This feature is not available as far as I know.
For this reason I am trying the next best thing which is to make /home
and /usr/local to make sure that nothing is left when I power down a
standard Template based VM.
How can I achieve that?
Thanks in advance for your contributions,
A.
I've created a detection and control service for VM private volumes
that makes /rw/usrlocal, /rw/config and /rw/bind-dirs non-persistent
to help VMs fend off malware infestation. It acts at boot time before
/rw (and thus /home) is brought online.
Its script could easily be adapted to work with /rw/home as well by
adding that path to "$rootdirs" and a command like "mkdir -p
$rw/home/user" just before the make_immutable part.
https://github.com/tasket/Qubes-VM-hardening/tree/systemd
--
Chris Laprise, [email protected]
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
______________________________________________________________-
Hi Chris.
Thanks for your answer.
There is one thing I do not understand though: by making those files or
folders immutable you stop them from being modified. What I need is for
them to load from the template every time the template based VM starts.
I am relatively new to linux and to scripting so forgive me if I am
missing some basic and fundamental concepts here.
Regards,
Atlahua
The service does four basic things (in order):
* Checks hashes for any files you specify in .SHA lists; alerts you and
  stops the boot process if any checks fail.
* Disables /rw/config, /rw/usrlocal, /rw/bind-dirs to protect against
  malware that had gained root access
  - Files in these dirs may be whitelisted
* Copies any files you set up in /etc/default/vms into /rw or anywhere
  else in the system.
* Makes /home start scripts immutable, protecting against non-escalating
  (non-root) malware
...then it allows the system to mount /rw normally and finish booting.
So it's like a management kit for securing and configuring the private
disk image (/rw and /home).
If you want the same files in /home/user every time an appVM starts, you
can add the files to '/etc/default/vms/vms.all/rw/home' and they will be
copied on each VM boot (you can also target VMs by name; replace vms.all
with the VM name). If you also want the other contents of /home/user
removed, you can add '/rw/home' to the $rootdirs= definition.
The overall steps for setup are installing the systemd service to the
template according to the README, then adding any files you desire in
/etc/default/vms, shutting down the template, assigning appVMs to the
template and also adding the 'vm-sudo-protect-root' service to them in
the Qubes Manager settings.
--
Chris Laprise, [email protected]
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
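
As an added illustration (not code from Qubes-VM-hardening or from either poster), the wipe-and-reseed behaviour described in the reply above can be sketched as a Bash function that clears chosen directories on the private volume and then copies the vms.all tree followed by the VM-specific tree. The function name, its arguments and the choice to delete old contents outright are assumptions.

```bash
#!/bin/bash
# Added illustration, not the Qubes-VM-hardening script. The function name,
# argument order and wipe-by-deletion behaviour are assumptions.

# reset_private_volume DEFAULTS_DIR VM_NAME RW_DIR [SUBDIR_TO_WIPE...]
#   DEFAULTS_DIR  e.g. /etc/default/vms (stored in the template's root image)
#   RW_DIR        mount point of the private volume, e.g. /rw
#   SUBDIR...     paths relative to RW_DIR to empty first, e.g. home
reset_private_volume() {
    local defaults=$1 vm=$2 rw=$3 sub src
    shift 3

    # Refuse an empty or root target so a bad argument cannot wipe the system.
    case "$rw" in ''|/) echo "refusing RW_DIR='$rw'" >&2; return 1 ;; esac
    [ -d "$rw" ] || { echo "no such directory: $rw" >&2; return 1; }

    # 1. Discard whatever the previous session left in the listed subdirs.
    for sub in "$@"; do
        case "$sub" in
            ''|/*|*..*) echo "bad subdir: $sub" >&2; return 1 ;;
        esac
        rm -rf -- "${rw:?}/$sub"
        mkdir -p -- "$rw/$sub"
    done

    # 2. Re-seed from the template: vms.all first, then the VM-specific tree,
    #    so per-VM files override the shared ones.
    for src in "$defaults/vms.all/rw" "$defaults/$vm/rw"; do
        [ -d "$src" ] || continue
        cp -a -- "$src/." "$rw/" || return 1
    done
}

# Example call at boot, before the private volume is handed to the session:
#   reset_private_volume /etc/default/vms "$(hostname)" /rw home
```

Because `cp -a` preserves ownership and modes when run as root, files placed under `home/user` in the defaults tree should already be owned by the VM's user account.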