Stumpy:
> I was reminded about qubes hardening that Chris L has been working on
> and also noticed that Patrick/Whonix is now basing Whonix on their
> kicksecure distro and was trying (not so successfully) to absorb all of
> this. I got the impression that Chris's work wouldn't jive so well with
> kicksecure (fair enough, can just use it on non-Whonix setups) but wasn't
> sure. Also there is the idea of DVM sys-* (net/usb/firewall/etc) vms
> sounded like they would add an extra layer of security, maybe based on
> centos (I have seen conversations about how fedora doesn't sign or
> something apps in their repos? please don't troll me, I am not trying to
> pretend like I understand that) and some other things that I am sure I
> have missed (maybe a iptable/firewall gui [apart from what's built into
> qubes settings... I just don't find that intuitive]).

Just running Qubes by itself is already more hardened than 99% of people out there, so if your main concern is standard/driveby attacks against mainstream OSes, you shouldn't be very much so.

You cover multiple points:

- There is something in the works to allow custom kernels inside AppVMs. Whonix and others can use them for additional hardening and/or additional drivers. Don't think it's released yet.
- Chris's VM hardening works on regular qubes. Not sure if it will on Whonix ones.
- DVM sys-* is pretty straightforward, just follow the docs.
- CentOS is unrelated. If you're concerned about Fedora's lack of signing, switch to Debian templates, or some other that has signing.
- Mirage can be used as a sys-firewall replacement.

--
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5fd60ae4-f73b-7392-8ef9-53a2e361a8e8%40danwin1210.me.
