Re: [qubes-users] How well does Qubes OS actually protect against key lockers ?

2020-02-19 Thread Sven Semmler
On Wed, Feb 19, 2020 at 04:19:07AM -0800, A wrote:
> How well does Qubes OS actually protect against key lockers ?

Through compartmentalization: this means if someone has a successful
exploit and installs a key logger only that qube will be affected.

Example:

- web qube
- email qube
- project 1 qube (offline)


If by clicking on something in the web qube, you end up having a
keylogger there, everything you do in the email and project 1 qube
should still be invisible for that keylogger.

Of course, if you got somehow tricked into installing tainted software
in dom0 the game is over.

An additional level of defense can be achieved by having e.g. your web
qube be disposable (not storing state through reboot). That way if you
get infected in one session, after you stop/start the qube you are clean
again.


/Sven

-- 
 public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200219152445.GA1130%40app-email-private.




Re: [qubes-users] Re: How to set the screensaver to either show keyboard language or not to lock screen ?

2020-02-19 Thread A E
Wed, 19 Feb 2020 at 11:16, Eva Star wrote:

> Solution:
> https://unix.stackexchange.com/a/135098
>



I gave up after trying to install a KDE desktop as I didn’t know how to
make it work. Which was before I received suggestions on this.

Instead I chose to reinstall Qubes and use a password that only consists of
ASCII signs (as the xscreensaver doesn’t seem to be able to handle other
signs in the installed version that Qubes OS 4.0.3 comes with) and use an
easy way to shift the keyboard layout to the language I used to enter the
password with.

That works fine.

But I would prefer a screensaver that also could handle other signs than
just ASCII. As it would make it possible to construct a password that
consists of letters from a non-Latin alphabet. Which would mean that a
sentence in one language, would end up being rather random letters in
another language. And thereby make it more difficult to use online
wordbooks to break the code in case someone would try to do so.

And it would also make it possible to construct a password that consists of
letters from more than one type of alphabet to make it even more difficult
to break the code.

But of course, with a key locker that can be overcome.

How well does Qubes OS actually protect against key lockers ?

I’ll make a new thread with that question...



[qubes-users] How well does Qubes OS actually protect against key lockers ?

2020-02-19 Thread A
How well does Qubes OS actually protect against key lockers ?



Re: [qubes-users] Re: qvm-create-windows-qube 2.0

2020-02-19 Thread A E
Thu, 13 Feb 2020 at 00:24, M E wrote:

> Sun, 26 Jan 2020 at 23:12, 'Elliot Killick' via qubes-users <
> qubes-users@googlegroups.com> wrote:
>
>>
>> On 2020-01-26 12:37, Claudio Chinicz wrote:
>> > Hi Elliot,
>> >
>> > I've downloaded again and succeeded creating the HVM.
>> >
>> > I had a Windows 10 HVM I built manually just booting from the ISO and where
>> > I did not succeed installing the QWT (boot after the QWT install would
>> > freeze).
>> >
>> > Would you recommend building a Template from this HVM?
>> >
>> > The big advantage I saw in this implementation was that I can comfortably
>> > run my applications with 2GB (minimum) vs 6GB in my previous HVM. Another
>> > advantage of the QWT is that I can send files from Windows to any other
>> > PV/HPV VM using qrexec.
>> >
>> > What's intriguing me is that copy/paste between VMs is not working. When I
>> > ctl+shift+C on my Windows VM I see the popup saying I can ctl+shift+V on
>> > another VM but when I do so nothing is pasted. Any ideas?
>> >
>> > Thank you very much for this scripts/Windows VM builder.
>> >
>> > Regards
>>
>> By freeze do you mean it stops on the part where QWT tries to create the
>> private disk? This is documented in the QWT Known Issues section of the
>> README. Just exit that window with the error message and the
>> installation will proceed as normal. Besides that for Windows 10/Windows
>> Server 2019, you should not have to interact with any window or part of
>> the installation. Sometimes, QWT may also just crash upon boot causing
>> Windows to crash. This doesn't happen often, however, it is also
>> documented in the README. This is more likely to happen if you installed
>> Windows manually as you said because unstable QWT features like Qubes
>> Memory Manager (qmemman) are enabled by default which we disable in the
>> qvm-create-windows-qube.sh script (Thanks to @brendanhoar for that one).
>>
>> Due to that bug in making the private disk required, it's not possible
>> to create templates for Windows 10/Windows Server 2019 anyway.
>> Otherwise, I would recommend for most users to build a template with the
>> software they want pre-installed and make AppVMs from that.
>>
>> Regarding copy/paste not working, it appears to work fine for others so
>> I would just suggest you restart the Windows qube or possibly make a new
>> one. If it's copying the data out correctly then there should be a
>> notification saying "Copied X bytes to the clipboard".
>>
>> You're welcome, Claudio!
>>
>>
>> Regards,
>>
>> Elliot
>>
>>
>>
>
>
>
> I want to install Windows 10 from a DVD in a new HVM and have begun
> following this guide: https://www.qubes-os.org/doc/windows-vm/
>
> It says:
>
> “Create a new Qube:
> Name: Win10, Color: red
> Standalone Qube not based on a template
> Networking: sys-firewall (default)
> Launch settings after creation: check
> Click “OK”.”
>
> As I’m going to install Win 10 from a DVD, shall I then just follow the
> guide and choose “Launch settings after creation” or shall I choose
> “Install from device” ?
>


I have made a Windows domain and downloaded and installed Windows 7 and
Qubes Windows Tools by executing this script in dom0 according to this
guide (link: https://github.com/elliotkillick/qvm-create-windows-qube ):

chmod +x install.sh && ./install.sh

And now I would like to know how to get further.

I have made a thread here about making a Win10 HVM, so you are welcome to
answer there instead (I have just made this post in an attempt to get a
quicker response):

https://groups.google.com/forum/m/#!topic/qubes-users/78DgmWxZf80



Re: [qubes-users] Help please recover boot of my Qubes

2020-02-19 Thread haaber

Strange thing that I do at bios is visiting "boot options" bios menu. It
gives access to navigate to qubes xen.efi file, but not edit. Anyway, now
something is broken. First I thought that I broke "xen.efi", but I
investigate it from other distro live usb and it is on its own place and
not empty.  <... snip ...>


My first advice if you run in such kind of trouble is to backup your
data. You can use your favourite live-linux on usb to do that ("tails"
is a good idea). After that, play around. I am not an expert on different
boot <-> bios configs, but "legacy" is "old-style" meaning that there is
a pre-1980 partition table in sector 0 of your disk. The sector ends with
55FF and the 4 times 0x10 byte give the partition data. That is easy to
check by hand, and with any kind of software (fdisk, etc). UEFI is
different, I never looked at byte structure on disc. You will find a
partition in VFAT that you can mount. It contains a folder EFI which
contains a folder qubes .. etc. Checking that, you know which install
you have.  Then you can go back to bios & configure it to match your
disc structure.  Good luck!
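
The by-hand check of sector 0 described above, as an added example that is not part of the original message: it verifies the boot signature in the last two bytes of the sector (0x55 0xAA for an MBR), decodes the four 16-byte partition entries, and reports whether the disk carries a classic MBR layout or a GPT behind a protective MBR. The sample sectors are constructed, and the GPT header check assumes 512-byte logical sectors.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446             # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a valid MBR sector
GPT_PROTECTIVE = 0xEE          # MBR entry type that marks a GPT disk
EFI_SYSTEM = 0xEF              # EFI System Partition on an MBR-partitioned disk


def inspect_disk_start(data: bytes) -> dict:
    """Classify the partitioning scheme from the first sector(s) of a disk."""
    if len(data) < SECTOR:
        raise ValueError("need at least the first 512 bytes of the disk")
    entries = []
    for slot in range(4):
        raw = data[TABLE_OFFSET + 16 * slot: TABLE_OFFSET + 16 * (slot + 1)]
        ptype = raw[4]
        if ptype == 0:          # unused slot
            continue
        start_lba, sectors = struct.unpack_from("<II", raw, 8)
        entries.append({
            "slot": slot,
            "bootable": raw[0] == 0x80,
            "type": ptype,
            "start_lba": start_lba,
            "sectors": sectors,
        })
    signature_ok = data[510:512] == BOOT_SIGNATURE
    types = {e["type"] for e in entries}
    # The GPT header, if present, starts at LBA 1 with the ASCII tag "EFI PART".
    gpt_header = len(data) >= 2 * SECTOR and data[SECTOR:SECTOR + 8] == b"EFI PART"
    if not signature_ok:
        scheme = "none"         # no valid partition table in sector 0
    elif GPT_PROTECTIVE in types:
        scheme = "gpt"          # usual layout for a UEFI install
    else:
        scheme = "mbr"          # usual layout for a legacy BIOS install
    return {
        "scheme": scheme,
        "signature_ok": signature_ok,
        "gpt_header": gpt_header,
        "has_esp_entry": EFI_SYSTEM in types,
        "partitions": entries,
    }


def build_sector0(entries) -> bytes:
    """Build a constructed sector 0 from (bootable, type, start_lba, sectors)."""
    sector = bytearray(SECTOR)
    for slot, (bootable, ptype, start, count) in enumerate(entries):
        raw = bytearray(16)
        raw[0] = 0x80 if bootable else 0x00
        raw[4] = ptype
        struct.pack_into("<II", raw, 8, start, count)
        sector[TABLE_OFFSET + 16 * slot: TABLE_OFFSET + 16 * (slot + 1)] = raw
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples: a legacy disk with two Linux partitions, and a GPT disk
# (protective MBR entry followed by a GPT header tag in the next sector).
LEGACY_SAMPLE = build_sector0([(True, 0x83, 2048, 2097152),
                               (False, 0x83, 2099200, 100000000)])
GPT_SAMPLE = (build_sector0([(False, GPT_PROTECTIVE, 1, 0xFFFFFFFF)])
              + b"EFI PART" + bytes(SECTOR - 8))

if __name__ == "__main__":
    for name, sample in (("legacy", LEGACY_SAMPLE), ("gpt", GPT_SAMPLE)):
        info = inspect_disk_start(sample)
        print(name, info["scheme"], [hex(p["type"]) for p in info["partitions"]])
```

On a real machine the input would be the first 1024 bytes read from the disk device under a live system, which requires root.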



Re: [qubes-users] Help please recover boot of my Qubes

2020-02-19 Thread evastar
Success! Fixed! It was EFI problem and efibootmgr helped to fix it (from 
UEFI troubleshooting)



On 2020-02-19 20:22, evas...@firemail.cc wrote:

Hello,

After I changed some BIOS settings to boot from flash card on my Qubes
system, Qubes never booted again even though I changed all back.

Strange thing that I do at bios is visiting "boot options" bios menu.
It gives access to navigate to qubes xen.efi file, but not edit.
Anyway, now something is broken. First I thought that I broke
"xen.efi", but I investigate it from other distro live usb and it is
on its own place and not empty.

I guess my system use UEFI to load? Or maybe I'm wrong and I'm at
Legacy boot mode? How to check it and how to recover my boot
partition? As mentioned before I have linux live CD and it's possible
to install Qubes Live(installed) usb flash if it will help...

What to check? How to recover? Please help!


BTW, in my bios I have "CMS support" enabled (and it was before as I
remember). Looks like it is legacy boot and not efi... I'm really not
sure what kind of mode system used to boot before :(

Thanks!




[qubes-users] Help please recover boot of my Qubes

2020-02-19 Thread evastar

Hello,

After I changed some BIOS settings to boot from flash card on my Qubes 
system, Qubes never booted again even though I changed all back.


Strange thing that I do at bios is visiting "boot options" bios menu. It 
gives access to navigate to qubes xen.efi file, but not edit. Anyway, now 
something is broken. First I thought that I broke "xen.efi", but I 
investigate it from other distro live usb and it is on its own place and 
not empty.


I guess my system use UEFI to load? Or maybe I'm wrong and I'm at Legacy 
boot mode? How to check it and how to recover my boot partition? As 
mentioned before I have linux live CD and it's possible to install Qubes 
Live(installed) usb flash if it will help...


What to check? How to recover? Please help!


BTW, in my bios I have "CMS support" enabled (and it was before as I 
remember). Looks like it is legacy boot and not efi... I'm really not 
sure what kind of mode system used to boot before :(


Thanks!



Re: [qubes-users] feature request

2020-02-19 Thread Foppe de Haan


On Saturday, January 25, 2020 at 2:53:53 PM UTC+1, Chris Laprise wrote:
>
> On 1/25/20 7:15 AM, haaber wrote: 
> > Hello, I have several virtual screens; I guess many user have. Is it 
> > possible to reserve one of them exclusively for dom0 and templateVM 
> > terminals -sort of a separated "admin screen"-  to avoid other 
> > appVM-windows popping up and being able to capture input from keyboard? 
> >Bernhard 
> > 
>
> KDE lets you confine windows to certain screens or virtual desktops 
> under System Settings / Desktop Management / Window Rules. You can 
> specify how it matches the window, such as pattern matching on the 
> window title. 
>
> For example, if you set Window Title to 'Regular expression' and the 
> text to '^\[personal', then under Size/Position select 'Desktop', 'Apply 
> Initially' and 'Desktop 2' ... that will make windows from any VM 
> beginning with "personal" open only on Desktop 2. You can also use 
> 'Force' instead of 'Apply Initially' and that will prevent you from 
> moving those windows to a different desktop. 
>
> I think the regular expression matching is probably powerful enough to 
> do what you want. For example, a rule for any window title NOT beginning 
> with '[' and NOT having also ']' would be a dom0 window. Another rule 
> could have the names of all your templates. 
>
> -- 
> Chris Laprise, tas...@posteo.net  
> https://github.com/tasket 
> https://twitter.com/ttaskett 
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886 
>
Thanks for pointing that out. Currently trying KDE in Qubes 4.1 beta, and 
it's quite a change from xfce 4.14 even (which was already preferable to 
previous iterations). 



Re: [qubes-users] Re: failed Qubes 4.0.3 install on Dell Inspiron 14 5485

2020-02-19 Thread Foppe de Haan


On Sunday, February 16, 2020 at 12:07:51 PM UTC+1, aihey wrote:
>
> > Looks like your Dell is a Ryzen with integrated AMD graphics, correct? 
>
> that's right: it's a AMD Ryzen 5 3500U with Radeon Vega Mobile 
>
> > Don't think the kernel included Qubes 4.0.3 has video drivers for it. To 
> confirm, you could try to install in text mode and see if you get further. 
> You should be able to switch to a terminal session (ctrl-alt-F2?) during 
> install to see the temporary logs. 
>
> I'm only able to get a bit further with a bunch of different tricks which 
> I've described in my original post. The ctrl-alt-F2 during install has not 
> worked for me. 
>
> > If text mode does get further, you might need to build a custom ISO with 
> the latest 5.x kernel to get the video drivers. There are also test builds 
> of Qubes 4.1 you can try. Believe they include 5.x as well. 
>
> I spent yesterday afternoon looking into this. I built Qubes 4.1 (stable 
> version) following the instructions in 
> https://www.qubes-os.org/doc/qubes-builder/. I did this on the actual 
> machine and had to re-install the OS with Fedora 31 as the building tool 
> didn't support my original OS (Linux Mint 19.3, debian based). I was able 
> to build and generate the ISO file successfully using the standard 
> configuration. Loaded the ISO file into an USB using dd and it booted fine 
> up to GRUB. 
> Unfortunately, I was not able to go further from GRUB and got identical 
> behaviour as before. Tried standard install, USB testing and 
> troubleshooting mode but none of these worked. 
>
> You mention that the video drivers might be included in Qubes 5.x- would 
> you be able to point me to building instructions for this? I was not able 
> to find any information on how to configure the building tool for version 
> 5. I've only followed the standard+stable configuration- do you know how to 
> add the necessary drivers as part of the building process? 
>
> I came across this post 
> https://www.qubes-os.org/doc/install-nvidia-driver/ which suggests a fix 
> to issues with NVIDIA/AMD video drivers. I was hoping to use this to 
> built-in the necessary drivers into the Qubes 4.1 OS build but was not able 
> to get that far. Any ideas on how to do this? 
>
> Many thanks for your suggestions! 
>
>
> ‐‐‐ Original Message ‐‐‐ 
> On Wednesday, 12 February 2020 15:58, 'awokd' via qubes-users <
> qubes...@googlegroups.com > wrote: 
>
> > 'aihey' via qubes-users: 
> > 
> > > Unfortunately this has not worked for me but thanks for your 
> suggestion. 
> > > Does anyone happen to know if the installation messages are saved 
> somewhere? I would like to find out what triggers the installation to 
> freeze (it all happens very quickly before it goes blank). 
> > > ‐‐‐ Original Message ‐‐‐ 
> > > On Tuesday, 11 February 2020 13:11, fiftyfour...@gmail.com 
>  wrote: 
> > > 
> > > > My Dell is newer and simply doesn't have legacy boot. I know that 
> the altered parameter is used during boot because it was the only thing I 
> changed to make my installations turn from failures to successes. 
>
> you can download a build from here 
-> 
https://openqa.qubes-os.org/tests/6161/asset/iso/Qubes-4.1-20200214-x86_64.iso 
btw, you're sure that iommu, svm are both enabled in the bios?



[qubes-users] Looking at replacing WiFi on a Lenovo X230

2020-02-19 Thread ggg397
I notice that on Ifixit:

The X230 has a WiFi whitelist, so a Lenovo card on the whitelist must be 
used. If you do not do this, the laptop will fail with an 1802 POST error.

If you are not happy with the current wireless card, you will need to find 
a Lenovo variant of these cards:

   - Intel Centrino Advanced-N + WiMAX 6250 - FRU 60Y3195
   - Intel Centrino Ultimate-N 6300 - FRU 60Y3233
   - Intel Centrino Advanced-N 6205 - FRU 04W3769 and 60Y3253
   - ThinkPad b/g/n Wireless (1x1 BGN) - FRU 60Y3247 and 60Y3249

I notice that the Insurgo Privacy Beast changes the WiFi to:

WiFi controller: Atheros AR5BHB116 a/b/g/n 300Mbps MINI PCI-E

Is this because the ROM in the Insurgo has been reprogrammed?

Can I change the WiFi without using the Prom?

Thanks for any replies.




[qubes-users] Re: Looking at replacing WiFi on a Lenovo X230

2020-02-19 Thread ggg397
Shucks,  I was surprised to find this is partially answered when I searched.

https://command-tab.com/2006/02/26/thinkpad-1802-error-fix/

I dunno if it works.  I will leave this up in case someone else is thinking 
of converting an IBM computer, and changing the WiFi card.



Re: [qubes-users] Re: Scary Systemd Security Report

2020-02-19 Thread AJ Jordan
tl;dr: if you don't care about the example and just want to know how
the heck to interpret this tool, read the first couple paragraphs, and
then skip to the last paragraph or two.

I think people have a deep misunderstanding of what `systemd-analyze
security` does, and in particular are expecting it to be much more
sophisticated than it is. Per systemd-analyze(1):

> Note that this only analyzes the per-service security features
> systemd itself implements. This means that any additional security
> mechanisms applied by the service code itself are not accounted
> for. The exposure level determined this way should not be
> misunderstood: a high exposure level neither means that there is no
> effective sandboxing applied by the service code itself, nor that
> the service is actually vulnerable to remote or local attacks.

The key takeaway from this is that the tool only considers
security-related systemd service file directives (see
systemd.exec(5)). It does NOT consider *anything* else like:

 * AppArmor or SELinux confinement

 * Service architecture (for example, whether it is composed of
   several mutually-distrusting daemons)

 * Service complexity

 * Whether the service does anything to confine itself, like dropping
   privileges after starting up as root

 * Service vulnerability mitigations (for example, being written in a
   memory-safe language, or being compiled with
   -fstack-protector-strong or something)

and etc.

In case you're not familiar with the directives `systemd-analyze
security` looks at, basically what you need to know is that they can
be turned on in a service's definition and systemd will automatically
restrict the ability of the service's processes to do various things,
like reading other services' temporary files, or mucking with kernel
tunables. (These restrictions are imposed *on top of* any existing
restrictions. For example if the service is not run as root it already
can't muck with kernel tunables, so that systemd restriction does
nothing unless the service either runs as root or can escalate
privileges to root).

As an example of how these work, take the default systemd service file
for Apache httpd from my production Debian 10 machine:

```
% systemctl cat apache2.service
# /lib/systemd/system/apache2.service
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target
Documentation=https://httpd.apache.org/docs/2.4/

[Service]
Type=forking
Environment=APACHE_STARTED_BY_SYSTEMD=true
ExecStart=/usr/sbin/apachectl start
ExecStop=/usr/sbin/apachectl stop
ExecReload=/usr/sbin/apachectl graceful
PrivateTmp=true
Restart=on-abort

[Install]
WantedBy=multi-user.target
```

If I run `systemd-analyze security apache2.service`, I get a long
detailed listing of things I could add to this unit file to improve
the sandboxing that systemd applies to the service (I'm not including
an example here because it's so long, but you can run this on any
service to get something similar). The score given is 9.2 UNSAFE.

Now, Apache has absolutely no business writing to users' home
directories, so let's say I want systemd to enforce that. (Normally it
wouldn't have any business reading from home directories either except
that on my system I have it set up to serve `/home/$USER/public_html`
directories.) Apache also has no business writing to /usr, /boot,
/etc, /sys, /proc. Moreover it does not need most of the devices in
/dev. It would be nice, therefore, if it was not allowed to do these
things if it ever gets compromised.

So, what I can do is tell systemd to restrict these things. I create a
systemd drop-in file (maybe with `systemctl edit apache2.service`)
with the following content:

```
[Service]

ProtectSystem=full
ProtectHome=read-only
PrivateDevices=true
ProtectKernelTunables=true
ProtectControlGroups=true
```

Now if I run `systemd-analyze security apache2.service` again, the
reported score is 7.9 EXPOSED. So it went down 1.3 points because I
added those sandboxing options, which as systemd-analyze(8) mentions,
are the *only* things that systemd considers.

Note in particular that systemd-analyze does *not* know or care that
Apache drops privileges when it starts up and thus can't write to /usr
et al. anyway. So these options are useful for defense in depth
hardening, but the only time they'll matter is if Apache is
compromised, and *then* the attacker finds a way to escalate to root
privileges. At that point the attacker will not be able to write to
these directories despite having root.

It's probably a good idea to turn these options on for lots and lots
of services, because they're *so* easy to just put in the service file
and they provide defense in depth. But `systemd-analyze security`'s
warnings are much too scary. Instead of UNSAFE a better label honestly
would be NEEDS A LOT OF WORK or something like that. Think of the tool
as treating the service's code like a black box: it doesn't know
anything about what goes on inside the service (in 
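
An added example (not part of the message above and not systemd code): a small checker that merges the Apache unit file and the drop-in quoted in the message and lists which sandboxing directives end up set, which is the only kind of input `systemd-analyze security` scores. The directive list is a subset of systemd.exec(5) chosen for this example, and no exposure score is computed because the tool's weights are not given on this page.

```python
# Unit file and drop-in text are copied from the message above.
BASE_UNIT = """\
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target
Documentation=https://httpd.apache.org/docs/2.4/

[Service]
Type=forking
Environment=APACHE_STARTED_BY_SYSTEMD=true
ExecStart=/usr/sbin/apachectl start
ExecStop=/usr/sbin/apachectl stop
ExecReload=/usr/sbin/apachectl graceful
PrivateTmp=true
Restart=on-abort

[Install]
WantedBy=multi-user.target
"""

DROP_IN = """\
[Service]

ProtectSystem=full
ProtectHome=read-only
PrivateDevices=true
ProtectKernelTunables=true
ProtectControlGroups=true
"""

# Subset of systemd.exec(5) sandboxing directives picked for this example;
# `systemd-analyze security` evaluates many more.
SANDBOX_DIRECTIVES = (
    "PrivateTmp", "ProtectSystem", "ProtectHome", "PrivateDevices",
    "ProtectKernelTunables", "ProtectControlGroups",
    "ProtectKernelModules", "NoNewPrivileges", "PrivateNetwork",
)

# Values systemd treats as "off" for boolean-style settings (plus unset).
OFF_VALUES = {"", "0", "no", "false", "off"}


def service_settings(unit_text: str) -> dict:
    """Return the key=value pairs found in the [Service] section."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()  # later assignment wins
    return settings


def sandbox_report(base: str, *drop_ins: str):
    """Merge drop-ins over the base unit; return (enabled, missing)."""
    merged = service_settings(base)
    for text in drop_ins:
        merged.update(service_settings(text))
    enabled = {name: merged[name] for name in SANDBOX_DIRECTIVES
               if merged.get(name, "").lower() not in OFF_VALUES}
    missing = [name for name in SANDBOX_DIRECTIVES if name not in enabled]
    return enabled, missing


if __name__ == "__main__":
    for label, args in (("packaged unit", (BASE_UNIT,)),
                        ("with drop-in", (BASE_UNIT, DROP_IN))):
        enabled, missing = sandbox_report(*args)
        print(f"{label}: set={list(enabled)} unset={missing}")
```

Nothing in this input describes AppArmor profiles or Apache's own privilege dropping, so a check built only on these directives cannot credit them.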

Antw: [EXT] [qubes-users] How well does Qubes OS actually protect against key lockers ?

2020-02-19 Thread Ulrich Windl
>>> A wrote on 19.02.2020 at 13:19 in message
<6060_1582114749_5E4D27BD_6060_305_1_418aea73-f8b8-44bc-9152-b644e3ad2551@googlegroups.com>:
> How well does Qubes OS actually protect against key lockers ?

You mean key _loggers_?







[qubes-users] Re: Scary Systemd Security Report

2020-02-19 Thread ronpunz
On 2020-02-11 09:34, ronp...@riseup.net wrote:
> I've been reading a blog from the renowned Daniel Aleksandersen at
> https://www.ctrl.blog/entry/systemd-service-hardening.html
> 
> The output from a Debian-10 based Appvm looks a little scary!! Should I
> be concerned?
> 
> user@tmp3:~$ systemd-analyze security
> UNIT                                  EXPOSURE PREDICATE HAPPY
> ModemManager.service                  5.6 MEDIUM
> NetworkManager.service                7.6 EXPOSED
> avahi-daemon.service                  9.5 UNSAFE
> cron.service                          9.5 UNSAFE
> cups-browsed.service                  9.5 UNSAFE
> cups.service                          9.5 UNSAFE
> dbus.service                          9.5 UNSAFE
> dm-event.service                      9.5 UNSAFE
> emergency.service                     9.5 UNSAFE
> exim4.service                         9.5 UNSAFE
> getty@tty1.service                    9.5 UNSAFE
> haveged.service                       5.6 MEDIUM
> lvm2-lvmpolld.service                 9.5 UNSAFE
> polkit.service                        9.5 UNSAFE
> qubes-db.service                      9.5 UNSAFE
> qubes-firewall.service                9.5 UNSAFE
> qubes-gui-agent.service               9.5 UNSAFE
> qubes-meminfo-writer.service          9.5 UNSAFE
> qubes-qrexec-agent.service            9.5 UNSAFE
> qubes-sync-time.service               9.5 UNSAFE
> qubes-updates-proxy.service           9.5 UNSAFE
> rc-local.service                      9.5 UNSAFE
> rescue.service                        9.5 UNSAFE
> rsyslog.service                       9.5 UNSAFE
> rtkit-daemon.service                  6.9 MEDIUM
> serial-getty@hvc0.service             9.5 UNSAFE
> systemd-ask-password-console.service  9.3 UNSAFE
> systemd-ask-password-wall.service     9.3 UNSAFE
> systemd-fsckd.service                 9.5 UNSAFE
> systemd-initctl.service               9.3 UNSAFE
> systemd-journald.service              4.3 OK
> systemd-logind.service                4.1 OK
> systemd-networkd.service              2.8 OK
> systemd-timesyncd.service             2.0 OK
> systemd-udevd.service                 8.3 EXPOSED
> tinyproxy.service                     8.7 EXPOSED
> udisks2.service                       9.5 UNSAFE
> user@1000.service                     9.1 UNSAFE
> wpa_supplicant.service                9.5 UNSAFE
> xendriverdomain.service               9.5 UNSAFE


Thanks all for taking time out to respond to this issue.

I have to say I'm still confused as to whether it's a "scary" issue or
just a bug in the tool "systemd-analyze security".

I spotted this from Whonix
https://forums.whonix.org/t/using-apparmor-profile-everything-on-debian-buster/8650
- which if I'm not mistaken, claims to utilise a tool;
apparmor-profile-everything, to confine, amongst other things, the
systemd init process and children it spawns. I thought I'd give it a
try and see if it gave less scary results! Here's the feedback:

Although Apparmor security feature is enabled by default in Debian
Buster (10), it is not, for some inexplicable reason, enabled by default
in the Qubes version of Debian-10. To enable it, issue the command in
Dom0; qvm-prefs -s  "nopat apparmor=1 security=apparmor".
Then follow the link above to install apparmor-profile-everything. Also
install apparmor-utils.

Check if apparmor is running ok:
user@sysemd-test:~$ sudo aa-status
apparmor module is loaded.
18 profiles are loaded.
18 profiles are in enforce mode.
   /**/*-browser/Browser/firefox
   /usr/bin/apt-get
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince//sanitized_helper
   /usr/bin/man
   /usr/lib/cups/backend/cups-pdf
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/haveged
   init-systemd
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
0 profiles are in complain mode.
3 processes have profiles defined.
3 processes are in enforce mode.
   /usr/sbin/cups-browsed (551) 
   /usr/sbin/cupsd (488) 
   /usr/sbin/haveged (481) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.


We see that the systemd init is loaded and in enforce mode!


However, the output from the tool systemd-analyze security still gives
scary results. Is this what you professional developers would expect?

user@sysemd-test:~$ systemd-analyze security
UNIT   

[qubes-users] How to execute some command at sys-net after wakeup?

2020-02-19 Thread Eva Star
Hello! How to execute some command at sys-net after wakeup? Or after wifi 
reconnect after wakeup. Thanks!



[qubes-users] Re: How to set the screensaver to either show keyboard language or not to lock screen ?

2020-02-19 Thread Eva Star
Solution:
https://unix.stackexchange.com/a/135098 
