If you're worried about rootkits, the threat looks somewhat different
for Qubes templates and template-based VMs because the templates
themselves are so well protected (essentially read-only most of the time).
The potential threat lies with configuration files stored in /rw
(private.img), which include /rw/config and /home/user. I am working on
a tool to help detect and prevent such rootkits:
https://github.com/tasket/Qubes-VM-hardening
https://github.com/tasket/Qubes-VM-hardening/tree/systemd
The first version merely sets all the bash/sh/GUI init scripts in /home
as 'immutable'. This has the benefit of preventing non-priv-escalation
malware from persisting at startup, and prevents alias shims from
stealing passwords, etc.
The next version can also compare file hashes and deactivate root-level
malware at startup before /rw is brought online.
--
Chris Laprise, [email protected]
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
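The two mechanisms described in the post, locking the startup scripts and checking file hashes before trusting /rw, can be sketched in a small POSIX shell script. The following is an added example written for this page; it is not code from the Qubes-VM-hardening repository. It assumes that 'immutable' means the ext4 immutable attribute set with chattr +i (which needs root), that the list of init files in INIT_FILES is a reasonable approximation of the "bash/sh/GUI init scripts" the post mentions, and that a sha256sum manifest is an acceptable way to record the known-good state; the manifest would have to be kept outside /rw (for instance in the template) to be meaningful.

```shell
#!/bin/sh
# Added example (not from Qubes-VM-hardening): lock shell/GUI startup
# scripts and verify a hash manifest of the files under /rw.

# Hypothetical list of startup files to lock, relative to the home dir.
INIT_FILES=".bashrc .bash_profile .bash_login .bash_logout .profile \
.xprofile .xsession .xinitrc"

# Mark every existing init file immutable so unprivileged malware cannot
# append to it. Requires root and an attribute-capable filesystem (ext4).
lock_init_scripts() {
    home="$1"
    for f in $INIT_FILES; do
        [ -e "$home/$f" ] && chattr +i "$home/$f"
    done
    return 0
}

# Emit a sorted "sha256  path" manifest for every regular file under a dir.
# Paths are absolute, so the manifest can be checked from any cwd.
make_manifest() {
    find "$1" -type f -exec sha256sum {} + | LC_ALL=C sort
}

# Exit 0 only if every file in the manifest still has its recorded hash.
verify_manifest() {
    sha256sum --quiet -c "$1" >/dev/null 2>&1
}

# Print the paths whose content no longer matches the manifest.
list_changed() {
    sha256sum --quiet -c "$1" 2>/dev/null | sed -n 's/: FAILED$//p'
}

# Print files present under the dir but absent from the manifest, i.e.
# files that were dropped after the manifest was taken. The manifest line
# format is 64 hex chars, two spaces, then the path (column 67 onward).
find_unlisted() {
    dir="$1"
    manifest="$2"
    find "$dir" -type f | LC_ALL=C sort | while read -r f; do
        awk -v p="$f" 'substr($0,67)==p {found=1} END {exit !found}' \
            "$manifest" || echo "$f"
    done
}

# Usage sketch (run at boot, before /rw is trusted; paths are assumptions):
#   make_manifest /rw > /etc/rw-manifest.sha256   # once, from a known-good state
#   verify_manifest /etc/rw-manifest.sha256 || list_changed /etc/rw-manifest.sha256
#   find_unlisted /rw /etc/rw-manifest.sha256
#   lock_init_scripts /home/user
```

The check runs in two directions on purpose: sha256sum -c only reports files that are in the manifest, so a rootkit that adds a new autostart file would pass it; find_unlisted closes that gap. lock_init_scripts is intentionally not exercised by the automated check below because chattr needs root.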
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/7c072147-d728-61f3-ddf0-26042ca769c4%40openmailbox.org.