[qubes-users] Re: ANN: Qubes-VM-hardening v0.8.4 released
On 7/29/19 1:54 PM, Chris Laprise wrote: On 7/28/19 10:23 PM, Jon deps wrote: On 7/29/19 12:02 AM, Chris Laprise wrote: On 7/28/19 4:55 PM, Jon deps wrote: On 7/28/19 7:52 PM, Jon deps wrote: On 7/28/19 1:36 AM, Chris Laprise wrote: On 7/27/19 8:27 PM, Jon deps wrote: pardon my non-sysadmin query : any chance of some real world examples? quite a few new terms there . so install into Debian-9 but step 2 am already lost eg how and where amd I "activating" vm-boot-protect in the templatevm ? or during install there is going to appear a choice of which service to start , then when one opens a TBAVM based on the specified Deb-9 template the protection work at that point ? Go to the VM's Settings / Services tab, and add "vm-boot-protect" as a service. Can I install it in a fresh Deb-9 , and if its breaking things, just delete the fresh Deb-9 template, or is it touching dom0 ? It has a second-stage installation step that changes sudo/root access inside the template. And for that new root config to work, you have to add a couple dom0 config lines (it shows you the dom0 lines at the end of the install process). If you remove the altered Deb-9, the dom0 config lines will stay unless you change them back. However, in practice there is really no impact on your unmodified templates, so whether or not to remove the dom0 lines is a question of tidiness. As an alternative, per the Readme step 3, you can sidestep the whole sudo auth reconfiguration. I guess once installed there is no un-installing ? Currently there is no "purge everything" function or uninstall. You can remove the service manually by deleting the following: /lib/systemd/system/vm-boot-protect.service /usr/lib/qubes/init/vm-boot-protect.sh /etc/default/vms I just ended up using vm-boot-protect-root for the sys-net and sys-usb in qube settings services per the "Where to use basic examples" and vm-boot-protect for regular appVMs think I'll skip it for anything else sys-net is working (I am using fedora-30: because of the past clock sync issue) otherwise Deb-9 but just curious what the "additional networks VMs would be here" proxyVPNVMs ? "The sys-net VM should work 'out of the box' with the vm-boot-protect-root service via the included whitelist file. Additional network VMs may require configuration, such as cp sys-net.whitelist sys-net2.whitelist." PS: the appVMs seem a bit slower to boot, but could be my imagination ? :) as expected, since my sys-net was not based on the template I installed the script to I installed it to a deb-9-clone and the disp-qubes-manager method seems to be failing to update so typically when that happens I go to a terminal in the template and do it manually usually it seems to want -dist-upgrade , which presumably the disp-update has issues with but after installing the script * in the deb-9 template $sudo apt-get update fails with what looks like a script of having entered it incorrectly 3 times so sorry, but am I supposed to add vm-protect-root to the template services as well or how to fix this ? 'vm-protect-root' doesn't match any service created by Qubes-VM-hardening. Adding vm-boot-protect or vm-boot-protect-root to the services of the template is optional. You can use either one, but it will always behave like plain vm-boot-protect in the template (the -root functions don't make sense in templates). I'm not clear on when/where you're using fedora-30. Note that install step 3 is different for fedora. With debian-9, if you're getting immediate errors from every 'sudo' command, this would be expected if you chose to uninstall 'qubes-core-agent-passwordless-root' in install step 3 (this means no more sudo!). But if you chose to auto-configure sudo, you will still need to add the config lines to dom0 for sudo to work correctly (otherwise, sudo will just give you errors); these lines are printed in the shell at the end of the install process. hence, my original query about 'examples' thanks in advance Not sure what example you're looking for. In debian, the installer asks you one question: 'Configure sudo authentication prompt now? (y/n)'. After installing Qubes-VM-hardening with sudo auth configured, running a command like 'sudo apt-get update' will cause a dom0 auth prompt window to appear, at which point you can hit 'Enter' or click 'OK'. Then the command will run normally. At the vm-boot-protect level, you should see 'bin' automatically added to your home dir, and doing an 'lsattr -a' will show a number of files/dirs in home with the 'i' flag set. At vm-boot-protect-root level, you should see a new dir '/rw/vm-boot-protect' and it should contain 'BAK' and/or 'ORIG' versions of config, bind-dirs and usrlocal. 1) So, I chose 'yes' at the end of the script, for 'configure sudo authentication prompt. a) somehow I miss
Re: [qubes-users] Re: ANN: Qubes-VM-hardening v0.8.4 released
On 7/28/19 10:23 PM, Jon deps wrote: On 7/29/19 12:02 AM, Chris Laprise wrote: On 7/28/19 4:55 PM, Jon deps wrote: On 7/28/19 7:52 PM, Jon deps wrote: On 7/28/19 1:36 AM, Chris Laprise wrote: On 7/27/19 8:27 PM, Jon deps wrote: pardon my non-sysadmin query : any chance of some real world examples? quite a few new terms there . so install into Debian-9 but step 2 am already lost eg how and where amd I "activating" vm-boot-protect in the templatevm ? or during install there is going to appear a choice of which service to start , then when one opens a TBAVM based on the specified Deb-9 template the protection work at that point ? Go to the VM's Settings / Services tab, and add "vm-boot-protect" as a service. Can I install it in a fresh Deb-9 , and if its breaking things, just delete the fresh Deb-9 template, or is it touching dom0 ? It has a second-stage installation step that changes sudo/root access inside the template. And for that new root config to work, you have to add a couple dom0 config lines (it shows you the dom0 lines at the end of the install process). If you remove the altered Deb-9, the dom0 config lines will stay unless you change them back. However, in practice there is really no impact on your unmodified templates, so whether or not to remove the dom0 lines is a question of tidiness. As an alternative, per the Readme step 3, you can sidestep the whole sudo auth reconfiguration. I guess once installed there is no un-installing ? Currently there is no "purge everything" function or uninstall. You can remove the service manually by deleting the following: /lib/systemd/system/vm-boot-protect.service /usr/lib/qubes/init/vm-boot-protect.sh /etc/default/vms I just ended up using vm-boot-protect-root for the sys-net and sys-usb in qube settings services per the "Where to use basic examples" and vm-boot-protect for regular appVMs think I'll skip it for anything else sys-net is working (I am using fedora-30: because of the past clock sync issue) otherwise Deb-9 but just curious what the "additional networks VMs would be here" proxyVPNVMs ? "The sys-net VM should work 'out of the box' with the vm-boot-protect-root service via the included whitelist file. Additional network VMs may require configuration, such as cp sys-net.whitelist sys-net2.whitelist." PS: the appVMs seem a bit slower to boot, but could be my imagination ? :) as expected, since my sys-net was not based on the template I installed the script to I installed it to a deb-9-clone and the disp-qubes-manager method seems to be failing to update so typically when that happens I go to a terminal in the template and do it manually usually it seems to want -dist-upgrade , which presumably the disp-update has issues with but after installing the script * in the deb-9 template $sudo apt-get update fails with what looks like a script of having entered it incorrectly 3 times so sorry, but am I supposed to add vm-protect-root to the template services as well or how to fix this ? 'vm-protect-root' doesn't match any service created by Qubes-VM-hardening. Adding vm-boot-protect or vm-boot-protect-root to the services of the template is optional. You can use either one, but it will always behave like plain vm-boot-protect in the template (the -root functions don't make sense in templates). I'm not clear on when/where you're using fedora-30. Note that install step 3 is different for fedora. With debian-9, if you're getting immediate errors from every 'sudo' command, this would be expected if you chose to uninstall 'qubes-core-agent-passwordless-root' in install step 3 (this means no more sudo!). But if you chose to auto-configure sudo, you will still need to add the config lines to dom0 for sudo to work correctly (otherwise, sudo will just give you errors); these lines are printed in the shell at the end of the install process. hence, my original query about 'examples' thanks in advance Not sure what example you're looking for. In debian, the installer asks you one question: 'Configure sudo authentication prompt now? (y/n)'. After installing Qubes-VM-hardening with sudo auth configured, running a command like 'sudo apt-get update' will cause a dom0 auth prompt window to appear, at which point you can hit 'Enter' or click 'OK'. Then the command will run normally. At the vm-boot-protect level, you should see 'bin' automatically added to your home dir, and doing an 'lsattr -a' will show a number of files/dirs in home with the 'i' flag set. At vm-boot-protect-root level, you should see a new dir '/rw/vm-boot-protect' and it should contain 'BAK' and/or 'ORIG' versions of config, bind-dirs and usrlocal. 1) So, I chose 'yes' at the end of the script, for 'configure sudo authentication prompt. a) somehow I missed the 'several commands' to manually conf
[qubes-users] Re: ANN: Qubes-VM-hardening v0.8.4 released
On 7/29/19 12:02 AM, Chris Laprise wrote: On 7/28/19 4:55 PM, Jon deps wrote: On 7/28/19 7:52 PM, Jon deps wrote: On 7/28/19 1:36 AM, Chris Laprise wrote: On 7/27/19 8:27 PM, Jon deps wrote: pardon my non-sysadmin query : any chance of some real world examples? quite a few new terms there . so install into Debian-9 but step 2 am already lost eg how and where amd I "activating" vm-boot-protect in the templatevm ? or during install there is going to appear a choice of which service to start , then when one opens a TBAVM based on the specified Deb-9 template the protection work at that point ? Go to the VM's Settings / Services tab, and add "vm-boot-protect" as a service. Can I install it in a fresh Deb-9 , and if its breaking things, just delete the fresh Deb-9 template, or is it touching dom0 ? It has a second-stage installation step that changes sudo/root access inside the template. And for that new root config to work, you have to add a couple dom0 config lines (it shows you the dom0 lines at the end of the install process). If you remove the altered Deb-9, the dom0 config lines will stay unless you change them back. However, in practice there is really no impact on your unmodified templates, so whether or not to remove the dom0 lines is a question of tidiness. As an alternative, per the Readme step 3, you can sidestep the whole sudo auth reconfiguration. I guess once installed there is no un-installing ? Currently there is no "purge everything" function or uninstall. You can remove the service manually by deleting the following: /lib/systemd/system/vm-boot-protect.service /usr/lib/qubes/init/vm-boot-protect.sh /etc/default/vms I just ended up using vm-boot-protect-root for the sys-net and sys-usb in qube settings services per the "Where to use basic examples" and vm-boot-protect for regular appVMs think I'll skip it for anything else sys-net is working (I am using fedora-30: because of the past clock sync issue) otherwise Deb-9 but just curious what the "additional networks VMs would be here" proxyVPNVMs ? "The sys-net VM should work 'out of the box' with the vm-boot-protect-root service via the included whitelist file. Additional network VMs may require configuration, such as cp sys-net.whitelist sys-net2.whitelist." PS: the appVMs seem a bit slower to boot, but could be my imagination ? :) as expected, since my sys-net was not based on the template I installed the script to I installed it to a deb-9-clone and the disp-qubes-manager method seems to be failing to update so typically when that happens I go to a terminal in the template and do it manually usually it seems to want -dist-upgrade , which presumably the disp-update has issues with but after installing the script * in the deb-9 template $sudo apt-get update fails with what looks like a script of having entered it incorrectly 3 times so sorry, but am I supposed to add vm-protect-root to the template services as well or how to fix this ? 'vm-protect-root' doesn't match any service created by Qubes-VM-hardening. Adding vm-boot-protect or vm-boot-protect-root to the services of the template is optional. You can use either one, but it will always behave like plain vm-boot-protect in the template (the -root functions don't make sense in templates). I'm not clear on when/where you're using fedora-30. Note that install step 3 is different for fedora. With debian-9, if you're getting immediate errors from every 'sudo' command, this would be expected if you chose to uninstall 'qubes-core-agent-passwordless-root' in install step 3 (this means no more sudo!). But if you chose to auto-configure sudo, you will still need to add the config lines to dom0 for sudo to work correctly (otherwise, sudo will just give you errors); these lines are printed in the shell at the end of the install process. hence, my original query about 'examples' thanks in advance Not sure what example you're looking for. In debian, the installer asks you one question: 'Configure sudo authentication prompt now? (y/n)'. After installing Qubes-VM-hardening with sudo auth configured, running a command like 'sudo apt-get update' will cause a dom0 auth prompt window to appear, at which point you can hit 'Enter' or click 'OK'. Then the command will run normally. At the vm-boot-protect level, you should see 'bin' automatically added to your home dir, and doing an 'lsattr -a' will show a number of files/dirs in home with the 'i' flag set. At vm-boot-protect-root level, you should see a new dir '/rw/vm-boot-protect' and it should contain 'BAK' and/or 'ORIG' versions of config, bind-dirs and usrlocal. 1) So, I chose 'yes' at the end of the script, for 'configure sudo authentication prompt. a) somehow I missed the 'several commands' to manually configure in dom0 ; could you please tell m
Re: [qubes-users] Re: ANN: Qubes-VM-hardening v0.8.4 released
On 7/28/19 4:55 PM, Jon deps wrote: On 7/28/19 7:52 PM, Jon deps wrote: On 7/28/19 1:36 AM, Chris Laprise wrote: On 7/27/19 8:27 PM, Jon deps wrote: pardon my non-sysadmin query : any chance of some real world examples? quite a few new terms there . so install into Debian-9 but step 2 am already lost eg how and where amd I "activating" vm-boot-protect in the templatevm ? or during install there is going to appear a choice of which service to start , then when one opens a TBAVM based on the specified Deb-9 template the protection work at that point ? Go to the VM's Settings / Services tab, and add "vm-boot-protect" as a service. Can I install it in a fresh Deb-9 , and if its breaking things, just delete the fresh Deb-9 template, or is it touching dom0 ? It has a second-stage installation step that changes sudo/root access inside the template. And for that new root config to work, you have to add a couple dom0 config lines (it shows you the dom0 lines at the end of the install process). If you remove the altered Deb-9, the dom0 config lines will stay unless you change them back. However, in practice there is really no impact on your unmodified templates, so whether or not to remove the dom0 lines is a question of tidiness. As an alternative, per the Readme step 3, you can sidestep the whole sudo auth reconfiguration. I guess once installed there is no un-installing ? Currently there is no "purge everything" function or uninstall. You can remove the service manually by deleting the following: /lib/systemd/system/vm-boot-protect.service /usr/lib/qubes/init/vm-boot-protect.sh /etc/default/vms I just ended up using vm-boot-protect-root for the sys-net and sys-usb in qube settings services per the "Where to use basic examples" and vm-boot-protect for regular appVMs think I'll skip it for anything else sys-net is working (I am using fedora-30: because of the past clock sync issue) otherwise Deb-9 but just curious what the "additional networks VMs would be here" proxyVPNVMs ? "The sys-net VM should work 'out of the box' with the vm-boot-protect-root service via the included whitelist file. Additional network VMs may require configuration, such as cp sys-net.whitelist sys-net2.whitelist." PS: the appVMs seem a bit slower to boot, but could be my imagination ? :) as expected, since my sys-net was not based on the template I installed the script to I installed it to a deb-9-clone and the disp-qubes-manager method seems to be failing to update so typically when that happens I go to a terminal in the template and do it manually usually it seems to want -dist-upgrade , which presumably the disp-update has issues with but after installing the script * in the deb-9 template $sudo apt-get update fails with what looks like a script of having entered it incorrectly 3 times so sorry, but am I supposed to add vm-protect-root to the template services as well or how to fix this ? 'vm-protect-root' doesn't match any service created by Qubes-VM-hardening. Adding vm-boot-protect or vm-boot-protect-root to the services of the template is optional. You can use either one, but it will always behave like plain vm-boot-protect in the template (the -root functions don't make sense in templates). I'm not clear on when/where you're using fedora-30. Note that install step 3 is different for fedora. With debian-9, if you're getting immediate errors from every 'sudo' command, this would be expected if you chose to uninstall 'qubes-core-agent-passwordless-root' in install step 3 (this means no more sudo!). But if you chose to auto-configure sudo, you will still need to add the config lines to dom0 for sudo to work correctly (otherwise, sudo will just give you errors); these lines are printed in the shell at the end of the install process. hence, my original query about 'examples' thanks in advance Not sure what example you're looking for. In debian, the installer asks you one question: 'Configure sudo authentication prompt now? (y/n)'. After installing Qubes-VM-hardening with sudo auth configured, running a command like 'sudo apt-get update' will cause a dom0 auth prompt window to appear, at which point you can hit 'Enter' or click 'OK'. Then the command will run normally. At the vm-boot-protect level, you should see 'bin' automatically added to your home dir, and doing an 'lsattr -a' will show a number of files/dirs in home with the 'i' flag set. At vm-boot-protect-root level, you should see a new dir '/rw/vm-boot-protect' and it should contain 'BAK' and/or 'ORIG' versions of config, bind-dirs and usrlocal. -- Chris Laprise, tas...@posteo.net https://github.com/tasket https://twitter.com/ttaskett PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886 -- You received this message because you are subscribed to the Google Groups "qubes-users" grou
[qubes-users] Re: ANN: Qubes-VM-hardening v0.8.4 released
On 7/28/19 7:52 PM, Jon deps wrote: On 7/28/19 1:36 AM, Chris Laprise wrote: On 7/27/19 8:27 PM, Jon deps wrote: pardon my non-sysadmin query : any chance of some real world examples? quite a few new terms there . so install into Debian-9 but step 2 am already lost eg how and where amd I "activating" vm-boot-protect in the templatevm ? or during install there is going to appear a choice of which service to start , then when one opens a TBAVM based on the specified Deb-9 template the protection work at that point ? Go to the VM's Settings / Services tab, and add "vm-boot-protect" as a service. Can I install it in a fresh Deb-9 , and if its breaking things, just delete the fresh Deb-9 template, or is it touching dom0 ? It has a second-stage installation step that changes sudo/root access inside the template. And for that new root config to work, you have to add a couple dom0 config lines (it shows you the dom0 lines at the end of the install process). If you remove the altered Deb-9, the dom0 config lines will stay unless you change them back. However, in practice there is really no impact on your unmodified templates, so whether or not to remove the dom0 lines is a question of tidiness. As an alternative, per the Readme step 3, you can sidestep the whole sudo auth reconfiguration. I guess once installed there is no un-installing ? Currently there is no "purge everything" function or uninstall. You can remove the service manually by deleting the following: /lib/systemd/system/vm-boot-protect.service /usr/lib/qubes/init/vm-boot-protect.sh /etc/default/vms I just ended up using vm-boot-protect-root for the sys-net and sys-usb in qube settings services per the "Where to use basic examples" and vm-boot-protect for regular appVMs think I'll skip it for anything else sys-net is working (I am using fedora-30: because of the past clock sync issue) otherwise Deb-9 but just curious what the "additional networks VMs would be here" proxyVPNVMs ? "The sys-net VM should work 'out of the box' with the vm-boot-protect-root service via the included whitelist file. Additional network VMs may require configuration, such as cp sys-net.whitelist sys-net2.whitelist." PS: the appVMs seem a bit slower to boot, but could be my imagination ? :) as expected, since my sys-net was not based on the template I installed the script to I installed it to a deb-9-clone and the disp-qubes-manager method seems to be failing to update so typically when that happens I go to a terminal in the template and do it manually usually it seems to want -dist-upgrade , which presumably the disp-update has issues with but after installing the script * in the deb-9 template $sudo apt-get update fails with what looks like a script of having entered it incorrectly 3 times so sorry, but am I supposed to add vm-protect-root to the template services as well or how to fix this ? hence, my original query about 'examples'thanks in advance -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/14704167-16e9-5294-6f87-d454c9028726%40riseup.net.
[qubes-users] Re: ANN: Qubes-VM-hardening v0.8.4 released
On 7/28/19 1:36 AM, Chris Laprise wrote: On 7/27/19 8:27 PM, Jon deps wrote: pardon my non-sysadmin query : any chance of some real world examples? quite a few new terms there . so install into Debian-9 but step 2 am already lost eg how and where amd I "activating" vm-boot-protect in the templatevm ? or during install there is going to appear a choice of which service to start , then when one opens a TBAVM based on the specified Deb-9 template the protection work at that point ? Go to the VM's Settings / Services tab, and add "vm-boot-protect" as a service. Can I install it in a fresh Deb-9 , and if its breaking things, just delete the fresh Deb-9 template, or is it touching dom0 ? It has a second-stage installation step that changes sudo/root access inside the template. And for that new root config to work, you have to add a couple dom0 config lines (it shows you the dom0 lines at the end of the install process). If you remove the altered Deb-9, the dom0 config lines will stay unless you change them back. However, in practice there is really no impact on your unmodified templates, so whether or not to remove the dom0 lines is a question of tidiness. As an alternative, per the Readme step 3, you can sidestep the whole sudo auth reconfiguration. I guess once installed there is no un-installing ? Currently there is no "purge everything" function or uninstall. You can remove the service manually by deleting the following: /lib/systemd/system/vm-boot-protect.service /usr/lib/qubes/init/vm-boot-protect.sh /etc/default/vms I just ended up using vm-boot-protect-root for the sys-net and sys-usb in qube settings services per the "Where to use basic examples" and vm-boot-protect for regular appVMs think I'll skip it for anything else sys-net is working (I am using fedora-30: because of the past clock sync issue) otherwise Deb-9 but just curious what the "additional networks VMs would be here" proxyVPNVMs ? "The sys-net VM should work 'out of the box' with the vm-boot-protect-root service via the included whitelist file. Additional network VMs may require configuration, such as cp sys-net.whitelist sys-net2.whitelist." PS: the appVMs seem a bit slower to boot, but could be my imagination ? :) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b0b50d07-c98b-6230-6ca9-85bc1b5c3843%40riseup.net.
Re: [qubes-users] Re: ANN: Qubes-VM-hardening v0.8.4 released
On 7/27/19 8:27 PM, Jon deps wrote: pardon my non-sysadmin query : any chance of some real world examples? quite a few new terms there . so install into Debian-9 but step 2 am already lost eg how and where amd I "activating" vm-boot-protect in the templatevm ? or during install there is going to appear a choice of which service to start , then when one opens a TBAVM based on the specified Deb-9 template the protection work at that point ? Go to the VM's Settings / Services tab, and add "vm-boot-protect" as a service. Can I install it in a fresh Deb-9 , and if its breaking things, just delete the fresh Deb-9 template, or is it touching dom0 ? It has a second-stage installation step that changes sudo/root access inside the template. And for that new root config to work, you have to add a couple dom0 config lines (it shows you the dom0 lines at the end of the install process). If you remove the altered Deb-9, the dom0 config lines will stay unless you change them back. However, in practice there is really no impact on your unmodified templates, so whether or not to remove the dom0 lines is a question of tidiness. As an alternative, per the Readme step 3, you can sidestep the whole sudo auth reconfiguration. I guess once installed there is no un-installing ? Currently there is no "purge everything" function or uninstall. You can remove the service manually by deleting the following: /lib/systemd/system/vm-boot-protect.service /usr/lib/qubes/init/vm-boot-protect.sh /etc/default/vms -- Chris Laprise, tas...@posteo.net https://github.com/tasket https://twitter.com/ttaskett PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0f75bffa-73d0-6868-fb08-faece210723c%40posteo.net.
[qubes-users] Re: ANN: Qubes-VM-hardening v0.8.4 released
On 7/18/19 3:53 PM, Chris Laprise wrote: Description: Qubes-VM-hardening Leverage Qubes template non-persistence to fend off malware at VM startup: Lock-down, quarantine and check contents of /rw private storage that affect the execution environment. * Acts at VM startup before private volume /rw mounts * User: Protect /home desktop & shell startup executables * Root: Quarantine all /rw configs & scripts, with whitelisting * Re-deploy custom or default files to /rw on each boot * SHA256 hash checking against unwanted changes * Provides rescue shell on error or request * Works with template-based AppVMs, sys-net and sys-vpn Version 0.8.4 expands protection to the /home/user systemd directory, and now hides its vms config directory on all VM startups (not just when its enabled). Upgrading is recommended. Github link - https://github.com/tasket/Qubes-VM-hardening pardon my non-sysadmin query : any chance of some real world examples? quite a few new terms there . so install into Debian-9 but step 2 am already lost eg how and where amd I "activating" vm-boot-protect in the templatevm ? or during install there is going to appear a choice of which service to start , then when one opens a TBAVM based on the specified Deb-9 template the protection work at that point ? Can I install it in a fresh Deb-9 , and if its breaking things, just delete the fresh Deb-9 template, or is it touching dom0 ? I guess once installed there is no un-installing ? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/33117978-ed56-0e09-53fa-76331a057623%40riseup.net.
[qubes-users] Re: ANN: Qubes-VM-hardening v0.8.4 released
Thank you, this is a great tool. Everything is working perfectly as far as I can tell. It also works with fish shell by adding .config/fish to $chdirs. I was thinking about what kinds of files, not present in the default installation but possibly added to a user's system, might need to be added to $chdirs and $chfiles manually. Perhaps such a list could go in the documentation. Some examples: 1. Any files sourced by your shell startup scripts that are in the persistent private volume, e.g., files that provide completion information for your shell but that aren't in the template. 2. Executables installed by other package managers that don't use the normal paths. For example, go uses $HOME/go/bin by default; cabal uses $HOME/.cabal/bin. Probably not worth trying to list all of these, but rather just noting the risk. Of courses, users that make regular use of these package managers might not want to enable this kind of hardening for convenience reasons. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/746d4255-ab3d-4a70-847b-690700bcbff3%40googlegroups.com.