On Tue, Feb 11, 2020 at 10:09:38PM -0800, ronp...@riseup.net wrote: > On 2020-02-11 11:39, unman wrote: > > On Tue, Feb 11, 2020 at 01:34:15AM -0800, ronp...@riseup.net wrote: > >> I've been reading a blog from the renowned Daniel Aleksandersen at > >> https://www.ctrl.blog/entry/systemd-service-hardening.html > >> > >> The output from a Debian-10 based Appvm looks a little scary!! Should I > >> be concerned? > >> > >> user@tmp3:~$ systemd-analyze security > >> UNIT EXPOSURE PREDICATE HAPPY > >> ModemManager.service 5.6 MEDIUM ???? <snip> > >> xendriverdomain.service 9.5 UNSAFE ???? > >> > > > > It does look scary. > > The output from a Fedora based qube looks much the same.. > > You should run the analysis against each service and see where you think > > they could be hardened. Post back your conclusions here. > > Also, I see that you have many services that need not be there - some > > of these will be disabled by Qubes- some you do not need in every qube > > (cups-browsed, exim4, tinyproxy etc). > > You need to review what services you are running, and disable those you > > do not want. My list in an ordinary qube looks rather different from > > yours. Those are steps you should be taking in any case. > > Also, bear in mind that the analysis doesn't take in to account any > > security features in the programs themselves, or other mitigations. > > So you need to do a good deal more work before reaching any conclusions > > about your system. > > Look forward to hearing from you > > unman > > As I read it, your suggesting that the output is influence by User > preferences as opposed to default system settings? To test that theory, > I loaded a vanilla version of Qubes 4.0.3 onto a spare box and ran the > command systemd-analyze security against the virgin Debian-10 Template. > The output is identical to the one I originally posted. As you inferred, > the output from Fedora Template is similar. > > I'm not sure if you'll agree, but my conclusion from this experiment is > that the Qubes Team have some work to do in hardening Qubes? Like you > say,"I see that you have many services that need not be there"; so my > question is, why are they present in a vanilla version of Qubes? >
The vanilla templates serve all sorts of purposes, and they are (generally) configured so that you can just drop them in to act as sys-net, sys-usb etc. So there are a number of things that you probably don't want or need in an ordinary qube. This is a trade off to get maximum usability. There are many alternatives - using minimal templates; building your own; customising services on a per qube basis. But for ordinary users Qubes makes it as simple as possible to use the default templates. On the general issue, you're missing my point. Before you can decide whether you should be worried I'm suggesting you need to do some work. That's exactly what that blog post is about. Take one of those services, run an analysis and look at the results. Determine what's needed and what isn't. Look at any mitigations in the programs themselves, or generally within Qubes. Post your conclusions here, or in qubes-issues. You *are* a member of the Qubes Team. We all have work to do in hardening Qubes unman -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200212121720.GB22552%40thirdeyesecurity.org.
