[qubes-users] Issues after Installation
I'm not quite sure why however after transferring qubes to my hp probook 11 it will not start any domains at all and every time I get an error message that says: "Qube Status: sys-net Domain sys-net failed to start: invalid argument: could not find capabilities for arch=x86_64" Also, when clicking the Applications button in the top left corner of the screen and hovering over a domain or template my only option available is Qube Settings. Please help! -- This email and any files transmitted with it are confidential and are intended solely for the use of the individual or entity to which they are addressed. This communication may contain material protected by HIPAA legislation (45 CFR, Parts 160 & 164). If you are not the intended recipient or the person responsible for delivering this email to the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing or copying of this email is strictly prohibited. If you have received this email in error, please notify the sender by replying to this email and then delete the email from your computer. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/fa32f480-91e9-4795-834e-81ea80a757ee%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Logging Drop Packets
Als with so many vms in Qubes its just not practical. Maybe something in this thread will help you. I gave up myself. https://groups.google.com/forum/#!msg/qubes-users/RsptaCZLDnc/NqZegFafKQAJ;context-place=topic/qubes-users/MUIxSRy-jbc -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/fafa8afb-c948-40ae-b037-c9bafa2e7015%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Logging Drop Packets
Als with so many vms in Qubes its just not practical. Maybe something in this thread will help you. https://groups.google.com/forum/#!msg/qubes-users/RsptaCZLDnc/NqZegFafKQAJ;context-place=topic/qubes-users/MUIxSRy-jbc -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/6a484f10-fc94-4090-bd5a-4e4e1dece495%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Logging Drop Packets
I use to log everything in linux with iptables. outoing and incoming. Alot of linux users to say that practice uses too much hdd or space, which was simply not true when limiting rates. Then I would use programs to parse it and eyeball it myself. But in Qubes its just not possible. Those scripts will only log some things not everything, and even then its too complicated. Was one of the biggest gripes I had when first using Qubes. I want to know what every connection is doing at all times. ITL believes that you would never really find an attacker by doing these things, but I've begged to differ. But I do agree you definitely won't be stopping one. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/278eb189-9939-40f3-9776-32b9bdcab7c7%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Logging Drop Packets
I use to log everything in linux before using Qubes. In Qubes its just not possible. Those scripts will only log some things not everything. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b07f4a9e-2e0d-4cc6-9f31-5c0d4f5a34c6%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] [OT] Evil Maid - OMG cable
I think it would be interesting to some to know about this malicious USB cable with wifi capability https://twitter.com/_MG_/status/1094389042685259776 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ccad8e7e-02e4-9a5e-1618-b4ba5fd33945%40elude.in. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Logging Drop Packets
On Fri, Mar 08, 2019 at 08:07:46PM +0100, Zrubi wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > On 3/8/19 3:28 PM, cmsch...@gmail.com wrote: > > I'm trying to setup an appvm like this: > > > > appvm -> appvm_firewall -> vpn -> vpn_firewall -> sys-net > > > > I want to tighten the firewall rules and do a deny policy. How can > > I get a log of dropped firewall packet logs from appvm_firewall or > > vpn_firewall? I've tried a few different iptables commands but I > > haven't really had any success. > > unfortunately, the Qubes firewall do not support any kind of custom > rules, including logging. > > Moreover it is using a mixed set of iptables and nftables which makes > it much more complicated. > > > I had a proposal about this exact issue before, by extending the > action with the log type of rules, but as I do not have time to check > and/or implement it, I guess it is just dropped. > > Now if you want this feature, you have to replace the whole default > firewall set, which is not trivial. > > - -- > Zrubi Why do you say this? It's far from my experience. If you use a minimal Debian template for firewall, then there are only iptables rules. It's trivial in that case to add logging. You can also implement this by use of appropriate scripts in rc.local and /rw/config if you want logging from the start. Where the firewall is implemented using a nftables qubes-firewall, then its even easier to add logging by prepending the instruction as needed in reject rules. You can do this easily for test logging, (which is what cmschube wants), by adding the rule manually, but it's also possible to script it to add logging as new chains are added. I find the Qubes firewall very customisable, and relatively easy to manipulate as needed. Let's see if we can get a working solution that OP can use. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190309015853.ss4hy7kno7yz57x5%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Can't set default_target to @dispvm:foo in policy
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Fri, Mar 08, 2019 at 01:36:51PM -0800, Ryan Tate wrote: > I was trying to have a qubes.OpenInVM policy that would pre-fill a target in > the permission dialog when the destination was an inside of a certain dispvm. > > Specifying the destination vm (#2 entry) in the policy works fine to specify > a dispvm instance. > > But specifying the default_target (part of #3 entry) in the policy as a > dispvm instance fails. > > For example, this WORKS: > > $anyvm @dispvm:dvm-print ask,default_target=work > > ...but is not what I want. > > What I want is this, but it does NOT WORK: > > $anyvm @dispvm:dvm-print ask,default_target=@dispvm:dvm-print > > The resulting dom0 prompt at the top says "Domain '@dispvm:dvm-print' doesn't > exist". > > What I expected is the dom0 prompt would have "Disposable VM (dvm-print)" > entry pre selected. > > Seems like a bug? Indeed. Could you report it at https://github.com/QubesOS/qubes-issues/issues ? - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlyDAuQACgkQ24/THMrX 1yw38AgAjaUCJl41T2Es03HEhGWkcIH3attyJ2rKcqup5omzxiyTdr5gHWrsDP+3 2bLyP/P2em71tcbE0Pu5yzqDBAhJtVA8kUZuCqvQdyScMpPgPGhI2di1FY8zsAsH AuFBFn9SJfpxANfZAp7dKUjKQ3bg8CKVVNL6cTOSmHwyUHIOdz3ClH9rd02PhJKT ZV5bLTogDua5V4xrGvEFDrfHMnxdwsUUSjIWuQmqI4x9lmVfOlxExTZDcXRewz8h evij5cDIl7O1lXW1YFXQd87VOfJJldbLmHvqV1QN8jPrbuR+0kQft0IgpmOcAcgT C1iILR0UxBwo/+77rfJk2BB5CFT64w== =i/lY -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190309000348.GJ9610%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] having to Install and run software twice?
Hi Stuart, Just a guess, but perhaps this is it. I assume you are using dnf install in the usual way, not anything exotic. When you install software in the template, the AppVm doesn't "notice" until you restart it. Furthermore, it won't see the new software unless you shut down the template before you restart the appvm. So the procedure is: install software in the template, then shut down the template, then restart the appvm. This can be troublesome if you are in the middle of something and don't want to restart the appvm, but need some package. In that case you can go ahead and install in the appvm too. Just understand that the installation in the appvm will be wiped out when the appvm is shut down. (Although you won't notice, if it is installed in the template.) Daniel On Fri, 8 Mar 2019 13:40:32 -0600 Stuart Perkins wrote: > On Fri, 8 Mar 2019 09:45:36 -0800 (PST) > chris.boscarin...@gmail.com wrote: > > >Hi, > >Just a quick question. I install software into my template (Fedora, > >in this case) but when I try to run it from my "personal" qube, I > >must install it again in that qube, as well as run the program once > >in the template, then again in the "personal" qube. I don't see > >anything in the documentation about having to do this, so I > >wondered if I was doing something incorrectly, or that's the correct > >procedure. Thanks. Chris > > > > Depends on the software installation path. Some software installs > under the user directories, which would NOT be copied from the > template to the appvm. > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190308163148.5f45bbcb%40allcock.org. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Can't set default_target to @dispvm:foo in policy
I was trying to have a qubes.OpenInVM policy that would pre-fill a target in the permission dialog when the destination was an inside of a certain dispvm. Specifying the destination vm (#2 entry) in the policy works fine to specify a dispvm instance. But specifying the default_target (part of #3 entry) in the policy as a dispvm instance fails. For example, this WORKS: $anyvm @dispvm:dvm-print ask,default_target=work ...but is not what I want. What I want is this, but it does NOT WORK: $anyvm @dispvm:dvm-print ask,default_target=@dispvm:dvm-print The resulting dom0 prompt at the top says "Domain '@dispvm:dvm-print' doesn't exist". What I expected is the dom0 prompt would have "Disposable VM (dvm-print)" entry pre selected. Seems like a bug? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f82233f6-0736-4c05-8c81-69ffc12eb7d6%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] networked dvm for vault?
On Thursday, March 7, 2019 at 7:24:11 PM UTC-5, unman wrote: > The fact that you don't see a prompt suggests that you have a policy se > to "allow" - you can check this in /etc/qubes-rpc/policy/qubes.OpenInVM > If you change that so that it reads: > vault $dispvm ask > then you should see a prompt. Thanks for this. I ended up just switching it to a vaulted dvm (which, in turn, I also had to set to use a vaulted dvm (itself)!) Intrigued by your other idea of setting some strict policies on the vault(s) explicitly in the policy dir. Will explore. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2ab30fcd-e62a-4068-91d7-5e9953c34f13%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] having to Install and run software twice?
On Fri, 8 Mar 2019 09:45:36 -0800 (PST) chris.boscarin...@gmail.com wrote: >Hi, >Just a quick question. I install software into my template (Fedora, in this >case) but when I try to run it from my "personal" qube, I must install it >again in that qube, as well as run the program once in the template, then >again in the "personal" qube. >I don't see anything in the documentation about having to do this, so I >wondered if I was doing something incorrectly, or that's the correct procedure. >Thanks. >Chris > Depends on the software installation path. Some software installs under the user directories, which would NOT be copied from the template to the appvm. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190308134032.72863d3b%40gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Logging Drop Packets
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 3/8/19 3:28 PM, cmsch...@gmail.com wrote: > I'm trying to setup an appvm like this: > > appvm -> appvm_firewall -> vpn -> vpn_firewall -> sys-net > > I want to tighten the firewall rules and do a deny policy. How can > I get a log of dropped firewall packet logs from appvm_firewall or > vpn_firewall? I've tried a few different iptables commands but I > haven't really had any success. unfortunately, the Qubes firewall do not support any kind of custom rules, including logging. Moreover it is using a mixed set of iptables and nftables which makes it much more complicated. I had a proposal about this exact issue before, by extending the action with the log type of rules, but as I do not have time to check and/or implement it, I guess it is just dropped. Now if you want this feature, you have to replace the whole default firewall set, which is not trivial. - -- Zrubi -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEmAe1Y2qfQjTIsHwdVjGlenYHFQ0FAlyCvXsACgkQVjGlenYH FQ0wmA/+MIoylSBSYbkrztGdPdJTlCGN83cnE9+xnuv/oE3dPXai0r7jKSVCxqq+ bZqLXVFh32O/hBZQKlpV3dGmU9q1ZPYys/S6NZl2WW1pGQ/+zdrrC1wHSQtVIoB7 AuuFpIU088QFvY6J0Vw8QlQWMKgx26/PlP0i6qHIZR8Vc7SwpUqcMcrv36E5DGwA YZ59Cq9i2IsUgiirPzCtmz5jL7OsQqcOS5cGKqtFhfu5YqYQMhnED98EvlaAqP9l HD23klqSWWpDyJsQ9TY1NvdEENwf6hwKGV3J2T0tRdVCvOXjrcfgbp+KCCc7WAGL mXkBSv6TjRPJiAwI4kpn5fCj2Z+j8FQjGaDNoTUBFoOp9a1MJs9XBc5m9qAxIv3S ua2HxTCnwlH8twHE66bdBtCX+Izd+MJbFwrBuVll7f/G8gF2crVrj/ipu2vd4/0v wc7qKjoIQ1YayKgB4J9iRr3XNNKgJ9XF7TYPFFodYaPXUNYtxRzrU/H+02yIdyoJ ZZ3MPc6hC2cC8eXmx9ke3zXaXnSifh8l6r6vCk60eW5nCf1TxE1mwYH1cZaKPIhO SvuTf3RCcFB5PIVbyPuRjjcaKUgFZco634GlZj1bbOIbLeXtqe2FfcjLUUajoXMh 7iLtJxvn9nv2mxBxv6xHT2lOMyVbTbxMt+7pkXti8jMguxUMB0I= =WqkH -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/09b8ae77-c1fa-e79c-b02e-fc4a939ced8c%40zrubi.hu. For more options, visit https://groups.google.com/d/optout.
[qubes-users] having to Install and run software twice?
Hi, Just a quick question. I install software into my template (Fedora, in this case) but when I try to run it from my "personal" qube, I must install it again in that qube, as well as run the program once in the template, then again in the "personal" qube. I don't see anything in the documentation about having to do this, so I wondered if I was doing something incorrectly, or that's the correct procedure. Thanks. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9932d31f-c983-47af-9ccc-4f5f701b03ef%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Logging Drop Packets
On Fri, Mar 08, 2019 at 06:28:51AM -0800, cmsch...@gmail.com wrote: > I'm trying to setup an appvm like this: > > appvm -> appvm_firewall -> vpn -> vpn_firewall -> sys-net > > I want to tighten the firewall rules and do a deny policy. How can I get a > log of dropped firewall packet logs from appvm_firewall or vpn_firewall? I've > tried a few different iptables commands but I haven't really had any success. > > Thanks in advance. > Depends whether you have a "DROP" policy set or a final rule that says "-j DROP" In iptables, have a rule immediately BEFORE that rule( so if policy, have it as last rule, otherwise, penultimate). iptables -j LOG --log-prefix "DROP " You can put this in any firewall chain. You could make it more complex by creating a log/drop chain and breaking down the descriptors, but I doubt that is necessary in this case. If you are using nftables, (check in your sys-firewall), then you can get the same effect by adding to your DROP statement. You don't need a separate rule for this. HTH unman -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190308165127.324vdae5jf6zmib3%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Logging Drop Packets
I'm trying to setup an appvm like this: appvm -> appvm_firewall -> vpn -> vpn_firewall -> sys-net I want to tighten the firewall rules and do a deny policy. How can I get a log of dropped firewall packet logs from appvm_firewall or vpn_firewall? I've tried a few different iptables commands but I haven't really had any success. Thanks in advance. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3bed1d69-7fc4-48db-869e-16011f1197ef%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] QSB #048: Multiple Xen vulnerabilities
On Thu, Mar 07, 2019 at 04:27:34AM +, AJ Jordan wrote: > If anyone wants to double-check that they haven't accidentally created > a PV domain vulnerable to these XSAs, this command: > > % qvm-ls --fields NAME | tail -n +2 | xargs -n 1 -I % qvm-prefs % virt_mode | > grep -ve pvh -e hvm | wc -l > > should do the trick. It reports how many vulnerable VMs are on your > system. > > -AJ > It's somewhat easier to access the mode directly: qvm-ls -O NAME,virt_mode |grep -iw pv will show you the names of any pv qubes. unman -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190308112953.h3eiqcgtqjxt5tbg%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.