subject:"\[qubes\-users\] Re\: Question\(s\) regarding Qubes minimal templates"

Re: [qubes-users] Re: Question(s) regarding Qubes minimal templates

2017-06-16 Thread Unman

On Thu, Jun 15, 2017 at 11:00:31AM +0200, Noor Christensen wrote:
> On Wed, Jun 14, 2017 at 10:50:10PM +, Qubed One wrote:
> > 'Tomei Ningen' via qubes-users:
> > >> I'm a strong advocate of using minimal (or smaller) templates,
> > >> customised for specific use cases. Some people HATE this approach.
> > >> 
> > >> unman
> > > 
> > > Really? Coming from the sort of people with the patience for an OS
> > > like Qubes? I'd think anyone who's involved enough to have an opinion
> > > would be in favor of that -- that's kind of the idea here, isn't it?
> > > One thing I wish I could change would be the visual clutter it
> > > produces; anybody know of a means to flag these VMs as internal so I
> > > can hide the ones I'm not interested in seeing regularly?
> > 
> > In dom0, type this from the command line:
> > 
> >  qvm-prefs -s  internal True
> 
> Does the internal flag affect the VM in any other way than how it is
> displayed in the GUI manager? Like, are they automatically started at
> boot or similar?

No, nothing like that - setting that flag does also affect the display
in Menus, as I said in another thread.Otherwise, I dont think there is
any change.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170616220624.GA21693%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Question(s) regarding Qubes minimal templates

2017-06-15 Thread Noor Christensen

On Wed, Jun 14, 2017 at 10:50:10PM +, Qubed One wrote:
> 'Tomei Ningen' via qubes-users:
> >> I'm a strong advocate of using minimal (or smaller) templates,
> >> customised for specific use cases. Some people HATE this approach.
> >> 
> >> unman
> > 
> > Really? Coming from the sort of people with the patience for an OS
> > like Qubes? I'd think anyone who's involved enough to have an opinion
> > would be in favor of that -- that's kind of the idea here, isn't it?
> > One thing I wish I could change would be the visual clutter it
> > produces; anybody know of a means to flag these VMs as internal so I
> > can hide the ones I'm not interested in seeing regularly?
> 
> In dom0, type this from the command line:
> 
>  qvm-prefs -s  internal True

Does the internal flag affect the VM in any other way than how it is
displayed in the GUI manager? Like, are they automatically started at
boot or similar?

-- noor

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170615090031.spfjd4ar5etw6ipj%40mail.local.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: PGP signature

Re: [qubes-users] Re: Question(s) regarding Qubes minimal templates

2017-06-14 Thread Vít Šesták

Fedora 23 has EOLed, Fedora 24 should EOL in about two months. When Fedora is 
EOLed, it receives no security updates. So, looking to near future, I'd upgrade 
to Fedora 25 rather than to Fedora 24.

Regards,
Vít Šesták 'v6ak'

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a03aaed0-c8ab-418f-b779-5d4393e77f43%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Question(s) regarding Qubes minimal templates

2017-06-14 Thread Qubed One

'Tomei Ningen' via qubes-users:
>> I'm a strong advocate of using minimal (or smaller) templates,
>> customised for specific use cases. Some people HATE this approach.
>> 
>> unman
> 
> Really? Coming from the sort of people with the patience for an OS
> like Qubes? I'd think anyone who's involved enough to have an opinion
> would be in favor of that -- that's kind of the idea here, isn't it?
> One thing I wish I could change would be the visual clutter it
> produces; anybody know of a means to flag these VMs as internal so I
> can hide the ones I'm not interested in seeing regularly?

In dom0, type this from the command line:

 qvm-prefs -s  internal True

> That being
> said, I'm definitely in agreement with you, unman. Would you
> recommend any particular setup for a more granular approach? My
> current arrangement of VMs [work in progress; suggestions welcome!]
> is structured like this as of now:
> 
> - dom0 - fedora-24
> 
> - dispVM(s) - fedora-24-minimal ( ... > derivative templates > appVM
> > packages*)
> 
> - fedora-24-min-net
> 
> - sys-net**
> 
> - General-purpose: gnome-keyring, less, man, pciutils, psmisc, sudo,
> vim-minimal, xterm - Template-specific: dbus-x11, dejavu-sans-fonts,
> NetworkManager, NetworkManager-wifi, network-manager-applet,
> notification-daemon, tinyproxy - fedora-24-min-frwll
> 
> - sys-firewall
> 
> - No additional packages; effectively a clone of the
> Fedora-24-minimal template. - fedora-24-min-vpn
> 
> - sys-vpn
> 
> - G.P.: sudo, xterm - T.S.: [TBD; trying out some different VPNs
> atm] - fedora-24-min-usb
> 
> - sys-usb
> 
> - G.P.: sudo, xterm - T.S.: qubes-input-proxy-sender -
> fedora-24-min-pen
> 
> - pentest
> 
> - G.P.: sudo, xterm - T.S.: aircrack-ng, ettercap, kismet, nmap,
> nmap-telcat, tcpdump, wireshark***, [remaining packages TBD]
> 
> * The concomitant dependencies aren't included in these lists (n.b.
> packages are installed in the respective templateVM) ** Can't quite
> get this one to run properly yet; I presume I need to install a
> proprietary driver in the template to make this work for my
> machine(?) *** Very interested in trying out v6ak's split-wireshark"
> idea but haven't found the time yet. Thanks for sharing that idea,
> v6ak!
> 
> - TN
> 
> Sent with [ProtonMail](https://protonmail.com) Secure Email.
> 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a32d0613-2e00-33db-33f3-7740ed820949%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Question(s) regarding Qubes minimal templates

2017-06-14 Thread 'P R' via qubes-users

Hello,

Are there any reasons to migrate from fedora-23 to fedora-24 regarding:

- features
- security
(...)

Regards

- P

Am 14.06.2017 12:30 vorm. schrieb "'Tomei Ningen' via qubes-users" <
qubes-users@googlegroups.com>:

> > I'm a strong advocate of using minimal (or smaller) templates,
> customised for specific use cases. Some people HATE this approach.
> >
> > unman
>
>  Really? Coming from the sort of people with the patience for an OS
> like Qubes? I'd think anyone who's involved enough to have an opinion would
> be in favor of that -- that's kind of the idea here, isn't it?  One thing I
> wish I could change would be the visual clutter it produces; anybody know
> of a means to flag these VMs as internal so I can hide the ones I'm not
> interested in seeing regularly?
>  That being said, I'm definitely in agreement with you, unman. Would
> you recommend any particular setup for a more granular approach? My current
> arrangement of VMs [work in progress; suggestions welcome!] is structured
> like this as of now:
>
>
>- dom0
>- fedora-24
>- dispVM(s)
>   - fedora-24-minimal *( ... > derivative templates > appVM >
>packages*)*
>- fedora-24-min-net
>   - sys-net**
>  - *General-purpose: *gnome-keyring, less, man, pciutils, psmisc,
> sudo, vim-minimal, xterm
> - *Template-specific: *dbus-x11, dejavu-sans-fonts,
> NetworkManager, NetworkManager-wifi, network-manager-applet,
> notification-daemon, tinyproxy
> - fedora-24-min-frwll
>   - sys-firewall
>  - *No additional packages; effectively a clone of the
> Fedora-24-minimal template.*
> - fedora-24-min-vpn
>   - sys-vpn
>  - *G.P.*: sudo, xterm
> - *T.S.*: [TBD; trying out some different VPNs atm]
> - fedora-24-min-usb
>   - sys-usb
>  - *G.P.*: sudo, xterm
> - *T.S.*: qubes-input-proxy-sender
> - fedora-24-min-pen
>   - pentest
>  - *G.P.*: sudo, xterm
> - *T.S.*: aircrack-ng, ettercap, kismet, nmap, nmap-telcat,
> tcpdump, wireshark***, [remaining packages TBD]
>
> * The concomitant dependencies aren't included in these lists (n.b.
> packages are installed in the respective templateVM)
> ** Can't quite get this one to run properly yet; I presume I need to
> install a proprietary driver in the template to make this work for my
> machine(?)
> *** Very interested in trying out v6ak's split-wireshark" idea but haven't
> found the time yet. Thanks for sharing that idea, v6ak!
>
> - TN
>
>
>
> Sent with ProtonMail  Secure Email.
>
> --
> You received this message because you are subscribed to the Google Groups
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/
> msgid/qubes-users/QOUCXs5Owf4_vFzLV8tj0-YlBHu981vPYZYllxyjhEEUARUYol1x
> XRAHwNTExkDU0O9iMVo0_fWuy4AlV4-AlAT_GSEpbXPcDbfw6jw_GYw%3D%40protonmail.ch
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAM8xnvKr7us%2BF2SAgM2RCka%2Bm5yDGPmtTtVS3D0zTbLQM5jidw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Question(s) regarding Qubes minimal templates

2017-06-13 Thread 'Tomei Ningen' via qubes-users

> I'm a strong advocate of using minimal (or smaller) templates, customised for 
> specific use cases. Some people HATE this approach.
>
> unman

Really? Coming from the sort of people with the patience for an OS like Qubes? 
I'd think anyone who's involved enough to have an opinion would be in favor of 
that -- that's kind of the idea here, isn't it? One thing I wish I could change 
would be the visual clutter it produces; anybody know of a means to flag these 
VMs as internal so I can hide the ones I'm not interested in seeing regularly?
That being said, I'm definitely in agreement with you, unman. Would you 
recommend any particular setup for a more granular approach? My current 
arrangement of VMs [work in progress; suggestions welcome!] is structured like 
this as of now:

- dom0
- fedora-24

- dispVM(s)
- fedora-24-minimal ( ... > derivative templates > appVM > packages*)

- fedora-24-min-net

- sys-net**

- General-purpose: gnome-keyring, less, man, pciutils, psmisc, sudo, 
vim-minimal, xterm
- Template-specific: dbus-x11, dejavu-sans-fonts, NetworkManager, 
NetworkManager-wifi, network-manager-applet, notification-daemon, tinyproxy
- fedora-24-min-frwll

- sys-firewall

- No additional packages; effectively a clone of the Fedora-24-minimal template.
- fedora-24-min-vpn

- sys-vpn

- G.P.: sudo, xterm
- T.S.: [TBD; trying out some different VPNs atm]
- fedora-24-min-usb

- sys-usb

- G.P.: sudo, xterm
- T.S.: qubes-input-proxy-sender
- fedora-24-min-pen

- pentest

- G.P.: sudo, xterm
- T.S.: aircrack-ng, ettercap, kismet, nmap, nmap-telcat, tcpdump, 
wireshark***, [remaining packages TBD]

* The concomitant dependencies aren't included in these lists (n.b. packages 
are installed in the respective templateVM)
** Can't quite get this one to run properly yet; I presume I need to install a 
proprietary driver in the template to make this work for my machine(?)
*** Very interested in trying out v6ak's split-wireshark" idea but haven't 
found the time yet. Thanks for sharing that idea, v6ak!

- TN

Sent with [ProtonMail](https://protonmail.com) Secure Email.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/QOUCXs5Owf4_vFzLV8tj0-YlBHu981vPYZYllxyjhEEUARUYol1xXRAHwNTExkDU0O9iMVo0_fWuy4AlV4-AlAT_GSEpbXPcDbfw6jw_GYw%3D%40protonmail.ch.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Question(s) regarding Qubes minimal templates

2017-06-08 Thread Unman

On Thu, Jun 08, 2017 at 02:03:34AM -0700, Vít Šesták wrote:
> > Given that more installed applications generally create a larger attack 
> > surface, why aren't the minimal templates set as the default templates for 
> > sensitive VMs such as the SysVMs?
> 
> * Having an extra app installed might add some attack surface, but not 
> always. Having app like Firefox in sys-firewall adds zero attack surface 
> until you (either accidentally or on purpose) run it.

There's been discussion on this before - in my opinion, it isnt the
application itself but the assorted libraries and helpers that are
installed along with it. And that has nothing to do with whether an
application is run or not.
If you look at the packages installed when you install firefox, for
example, you may be surprised at what comes in, and how much the
potential for attack has been widened (Firewire anyone? With Firefox?)

> * With minimal Template without installing anything else, you might be unable 
> to use Wi-Fi etc. So, this might be viable for sys-firewall, but not for 
> sys-net. (Not sure about sys-usb.)

In most cases it requires very little to be installed to get a working
netVM. (See www.qubes-os.org/doc/templates/fedora-minimal/)
sys-usb works as expected on a minimal template.

> 
> > Are there any significant protections afforded by the full-featured VM 
> > images that are absent in the appropriately configured minimal VMs [going 
> > by the current Qubes documentation]? Any pitfalls exposed by the latter?
> 
> The only (sort of) protection I am aware about is haveged – a RNG that feeds 
> kernel RNG.

haveged is installed in the minimal templates too.

> 
> Regards,
> Vít Šesták 'v6ak'

I'm a strong advocate of using minimal (or smaller) templates,
customised for specific use cases. Some people HATE this approach. 

unman

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170608103307.GB8560%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Question(s) regarding Qubes minimal templates

2017-06-08 Thread Vít Šesták

> Given that more installed applications generally create a larger attack 
> surface, why aren't the minimal templates set as the default templates for 
> sensitive VMs such as the SysVMs?

* Having an extra app installed might add some attack surface, but not always. 
Having app like Firefox in sys-firewall adds zero attack surface until you 
(either accidentally or on purpose) run it.
* With minimal Template without installing anything else, you might be unable 
to use Wi-Fi etc. So, this might be viable for sys-firewall, but not for 
sys-net. (Not sure about sys-usb.)

> Are there any significant protections afforded by the full-featured VM images 
> that are absent in the appropriately configured minimal VMs [going by the 
> current Qubes documentation]? Any pitfalls exposed by the latter?

The only (sort of) protection I am aware about is haveged – a RNG that feeds 
kernel RNG.

Regards,
Vít Šesták 'v6ak'

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/62f067a7-08e8-4d2e-8773-229a2af5119f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Question(s) regarding Qubes minimal templates

Re: [qubes-users] Re: Question(s) regarding Qubes minimal templates

Re: [qubes-users] Re: Question(s) regarding Qubes minimal templates

Re: [qubes-users] Re: Question(s) regarding Qubes minimal templates

Re: [qubes-users] Re: Question(s) regarding Qubes minimal templates

Re: [qubes-users] Re: Question(s) regarding Qubes minimal templates

Re: [qubes-users] Re: Question(s) regarding Qubes minimal templates

[qubes-users] Re: Question(s) regarding Qubes minimal templates

8 matches

Site Navigation

Mail list logo

Footer information