These features have a high security cost, and I prefer to disable them.

* Deny /etc/qubes-rpc/policy/qubes.InputMouse. Rationale: BadUSB can use the mouse to open a terminal and copy-paste existing characters to build a malicious command.
* Deny /etc/qubes-rpc/policy/qubes.VMShell for DispVMs. Rationale: I want to use DispVMs for their non-persistent aspect, but want to still be able to store confidential data in their base private.img.
* Set "Default DispVM" to "(none)" for most VMs. Rationale: see previous point. Most VMs have a specific purpose and do not need to open third-party documents in a DispVM anyway.
* Prevent focus stealing (there are several discussions about this on GitHub, but no perfect solution so far).
* Let the installation create sys-usb and reboot immediately (USB is still enabled in Dom0 until the next reboot).

Some other features are covered by the Security Guides (NetVM = none, firewall, Anti Evil Maid, possibly disable passwordless sudo).

Are there any other settings that one should change after installation to improve Qubes' security?

Cheers,
Georges Dupéron
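
The two policy denials listed in the message above can be checked with a small first-match evaluator. This is an added example, not part of the original post or of Qubes itself: the policy contents are constructed samples, the qube name `work` is hypothetical, and the matching rules are a simplified assumption (only `$anyvm`, `$dispvm` and literal names are handled).

```python
# Constructed policy text; in dom0 the real files are under /etc/qubes-rpc/policy/.
DEFAULT_LIKE = {
    "qubes.InputMouse": "sys-usb dom0 ask,default_target=dom0\n$anyvm $anyvm deny\n",
    "qubes.VMShell": "$anyvm $dispvm allow\n$anyvm $anyvm deny\n",
}
HARDENED = {
    "qubes.InputMouse": "# mouse input from sys-usb disabled\n$anyvm $anyvm deny\n",
    "qubes.VMShell": "$anyvm $dispvm deny\n$anyvm $anyvm deny\n",
}

def parse_policy(text):
    """Return [(source, target, action)], skipping blank and comment lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed policy line: %r" % raw)
        # The action may carry parameters after a comma (ask,default_target=...).
        rules.append((fields[0], fields[1], fields[2].split(",")[0]))
    return rules

def matches(token, name):
    # Assumption: $anyvm matches every name except dom0; anything else
    # (including the $dispvm keyword) must match literally.
    if token == "$anyvm":
        return name != "dom0"
    return token == name

def decide(text, source, target):
    """Action of the first rule matching (source, target); no match means deny."""
    for src, tgt, action in parse_policy(text):
        if matches(src, source) and matches(tgt, target):
            return action
    return "deny"

# The requests the post wants refused: mouse input from sys-usb to dom0,
# and a shell started in a new DispVM by any qube ("work" is hypothetical).
CHECKS = [("qubes.InputMouse", "sys-usb", "dom0"), ("qubes.VMShell", "work", "$dispvm")]

def audit(policies):
    """Return (service, source, target, action) for every check not denied."""
    findings = []
    for service, source, target in CHECKS:
        action = decide(policies.get(service, ""), source, target)
        if action != "deny":
            findings.append((service, source, target, action))
    return findings
```

Because the first matching line wins, a deny rule placed below an `ask` or `allow` line for the same pair has no effect, which is the case the audit flags.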