Leverage Qubes template non-persistence to fend off malware. Lock-down,
quarantine and check contents of /rw private storage that affect the VM
execution environment.
vm-boot-protect.service:
* Acts at VM startup before private volume /rw mounts
* User: Protect /home desktop & shell startup executables
* Root: Quarantine all /rw configs & scripts, with whitelisting
* Re-deploy custom or default files to /rw on each boot
* SHA256 hash checking against unwanted changes
* Provides rescue shell on error or request
* Works with template-based AppVMs, sys-net and sys-vpn
Also included is the 'configure-sudo-prompt' tool which restores
authorization for sudo on Debian. vm-boot-protect isn't effective with
"passwordless sudo" Qubes default -- this tool restores VM internal
security using a dom0 yes/no prompt in place of passwords.
Project link: https://github.com/tasket/Qubes-VM-hardening
--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/8f5524fd-2dc3-ccda-c864-fa80c50c37b3%40posteo.net.
For more options, visit https://groups.google.com/d/optout.