Hello! I have been a Qubes user for 3+ years and adopted its separation-of-concern model deeply into my day to day activities.
A year ago I started to work for a cloud company that is seeking/re-certifying several security certifications, and among the requirement of these certifications are strict policies that require any organization member accessing any company resource to have a certified antivirus solution installed on their computer(s), including Linux. That is a very common requirement for corporate work. Unfortunately, these policies leave much room for interpretation, and companies tend to lean on the safe side to avoiding corner cases that may "upset" the certification auditing teams. Long story short, as Qubes cannot run (and does not make any sense to run) a self-updating, status reporting antivirus on dom0, it is not compliant. Sad times, as I will be having to go back many, many steps back in terms of real security and data protection in order to use one of the main distributions. My managers are ok for me to to use xen (or other hypervisor, for that matter) and a compliant distribution as dom0 which would make the whole thing almost indistinguishable from a regular endpoint to any auditor. Now finally the question: How difficult would be to have a Xen-based Fedora (or better, Debian) dom0 and then install the libvirt and qubes middleware for template handling, inter VM communications, etc? I know that would require a cumbersome install process, but does seem feasible. At the same time, it could be a nice experience in terms of testing Qubes middleware into multiple dom0 environments. I know there are security implications to this: All the hardening on non-connected dom0 would be lost, the use of a off-the-shelf dom0 may bring lots of attack vectors, all installation-time setup of sys-* VMs would have to be redone manually, etc. But the final product would have the isolation-by-nature workflow I grew to love. Thanks for any advice about feasibility of this. Cheers, ///Pablo -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/282a9871-cd1a-421e-86cb-c4bdc263ff8b%40googlegroups.com.
