Hi all, I took a break from setting up my Qubes OS machine and now I'm looking to finish the job and actually settle in. I am familiar with the overall layout and functions of the OS as a whole, but want to shore up the security of my individual VMs, with Debian running everything except for dom0. I know that isolation should do most of the work, but if further hardening my VMs will add more hurdles for attackers while being of minimal cost to me, why not?
For now, I plan on proper firewalling, activating apparmor, installing taskett-hardening, and reducing attack surfaces where possible. Specific question: how would one strip down non-app VMs (sys-net, sys-USB, sys-firewall, whonix-gw) to minimize their attack surfaces? Aside from common-sense hardening and operation of app VMs, these seem to be the most exposed and therefore most vulnerable. More generally: what steps have you taken to harden your VMs? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/a5537196-f8de-4a39-801c-d1d94834786eo%40googlegroups.com.