On Thu, Jun 08, 2017 at 02:03:34AM -0700, Vít Šesták wrote:
> > Given that more installed applications generally create a larger attack 
> > surface, why aren't the minimal templates set as the default templates for 
> > sensitive VMs such as the SysVMs?
> 
> * Having an extra app installed might add some attack surface, but not 
> always. Having app like Firefox in sys-firewall adds zero attack surface 
> until you (either accidentally or on purpose) run it.

There's been discussion on this before - in my opinion, it isn't the
application itself but the assorted libraries and helpers that are
installed along with it. And that has nothing to do with whether an
application is run or not.
If you look at the packages installed when you install firefox, for
example, you may be surprised at what comes in, and how much the
potential for attack has been widened (Firewire anyone? With Firefox?)

> * With minimal Template without installing anything else, you might be unable 
> to use Wi-Fi etc. So, this might be viable for sys-firewall, but not for 
> sys-net. (Not sure about sys-usb.)

In most cases it requires very little to be installed to get a working
netVM. (See www.qubes-os.org/doc/templates/fedora-minimal/)
sys-usb works as expected on a minimal template.

> 
> > Are there any significant protections afforded by the full-featured VM 
> > images that are absent in the appropriately configured minimal VMs [going 
> > by the current Qubes documentation]? Any pitfalls exposed by the latter?
> 
> The only (sort of) protection I am aware about is haveged – a RNG that feeds 
> kernel RNG.

haveged is installed in the minimal templates too.

> 
> Regards,
> Vít Šesták 'v6ak'

I'm a strong advocate of using minimal (or smaller) templates,
customised for specific use cases. Some people HATE this approach. 

unman
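A worked illustration of the "assorted libraries and helpers" point above, added here and not part of the original message or of Qubes itself. It walks the transitive dependency closure of a package and reports what installing it would add on top of a minimal template. The package names and dependency edges are a constructed, heavily trimmed stand-in for what `dnf repoquery --requires --resolve <pkg>` reports in a real Fedora template, and the minimal-template package list is hypothetical; swap in real output and it does the same job.

```python
"""Trace what installing one package drags into a template.

Added example, not code from the original message or from Qubes. The
dependency map and the "minimal template" package list are constructed,
trimmed stand-ins. To run this against a real Fedora template, build
REQUIRES from `dnf repoquery --requires --resolve <pkg>` (repeat per
package) and INSTALLED from `rpm -qa --qf '%{NAME}\n'`.
"""
from collections import deque

# Constructed sample: package -> direct runtime dependencies.
# Hypothetical and far shorter than the real Fedora dependency lists.
SAMPLE_REQUIRES = {
    "firefox": ["gtk3", "pulseaudio-libs", "nss", "dbus-libs",
                "libavcodec-free"],
    "gtk3": ["glib2", "pango", "cairo", "at-spi2-atk"],
    "pulseaudio-libs": ["glib2", "libsndfile"],
    "nss": ["nspr", "sqlite-libs"],
    "dbus-libs": ["glib2"],
    "libavcodec-free": ["libavutil-free"],
    "pango": ["cairo", "glib2"],
    "at-spi2-atk": ["dbus-libs", "glib2"],
}

# Constructed sample: what a hypothetical minimal template already ships.
SAMPLE_MINIMAL_INSTALLED = {"glib2", "dbus-libs", "sqlite-libs", "nspr"}


def dependency_closure(pkg, requires):
    """All packages reachable from pkg via requires (pkg itself excluded)."""
    seen = set()
    queue = deque([pkg])
    while queue:
        cur = queue.popleft()
        if cur in seen:
            continue
        seen.add(cur)
        queue.extend(requires.get(cur, []))
    seen.discard(pkg)
    return seen


def added_surface(pkg, requires, installed):
    """Packages installing pkg adds beyond what is already installed."""
    wanted = dependency_closure(pkg, requires) | {pkg}
    return sorted(wanted - set(installed))


def why(pkg, target, requires):
    """Shortest dependency chain explaining why pkg pulls in target.

    Returns a list [pkg, ..., target], or None if target is not reachable.
    Useful for deciding whether a library is wanted at all or can be
    avoided by picking a slimmer package.
    """
    parent = {pkg: None}
    queue = deque([pkg])
    while queue:
        cur = queue.popleft()
        if cur == target:
            chain = []
            while cur is not None:
                chain.append(cur)
                cur = parent[cur]
            return chain[::-1]
        for dep in requires.get(cur, []):
            if dep not in parent:
                parent[dep] = cur
                queue.append(dep)
    return None


if __name__ == "__main__":
    extra = added_surface("firefox", SAMPLE_REQUIRES, SAMPLE_MINIMAL_INSTALLED)
    print(f"installing firefox adds {len(extra)} packages:")
    for name in extra:
        print("  ", name, "<-", " -> ".join(why("firefox", name, SAMPLE_REQUIRES)))
```

The interesting number for a sys-firewall or sys-net decision is the length of that list, and `why` answers the follow-up question of which top-level package is responsible for each library so you can judge whether it belongs in that VM at all.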
