On 04/17/2018 12:25 AM, none wrote:
Is there some official opinion on this from whoever the Qubes developers are?

This is the closest to an official opinion I guess:

https://github.com/QubesOS/qubes-issues/issues/2748

Patrick/adrelanos (also on the Qubes team) has expressed positive interest: https://github.com/tasket/Qubes-VM-hardening/issues/2


Looks like it's a bit non-trivial, and interacts with dom0; hence I'm likely to break Q4.0 trying to 'harden' it :)


I was thinking I could clone the Deb-9 Template, and all would be OK, if I failed however .......

It's pretty benign to the OS itself. The dom0 commands should be identical to the related Qubes doc about enabling sudo prompts:

https://www.qubes-os.org/doc/vm-sudo/#replacing-password-less-root-access-with-dom0-user-prompt

You can skip the sudo prompt configuration and use the alternative for restoring internal VM security: Just remove the qubes-core-agent-passwordless-root package from the template.

The main risk with the vm-boot-protect-root service is that any settings or scripts that are subsequently added to VMs in /rw/config, /rw/usrlocal, and /rw/bind-dirs may be deleted (although the first time it backs up those dirs and those copies are kept indefinitely).


Am a bit curious who is officially a dev on here; I have a few guesses, besides Marek, but maybe it's folks with the PGP sigs, shrug.....

Just having a PGP sig doesn't indicate status with the project. The Qubes core team is listed here:

https://www.qubes-os.org/team/


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
