On 7/28/19 4:55 PM, Jon deps wrote:
On 7/28/19 7:52 PM, Jon deps wrote:
On 7/28/19 1:36 AM, Chris Laprise wrote:
On 7/27/19 8:27 PM, Jon deps wrote:
Pardon my non-sysadmin query:
Any chance of some real-world examples? Quite a few new terms
there.
So, install into Debian-9,
but at step 2 I am already lost.
E.g. how and where am I "activating" vm-boot-protect in the
TemplateVM?
Or during install is there going to appear a choice of which
service to start, and then when one opens a TBAVM based on the
specified Deb-9 template, does the protection work at that point?
Go to the VM's Settings / Services tab, and add "vm-boot-protect" as
a service.
Can I install it in a fresh Deb-9, and if it's breaking things,
just delete the fresh Deb-9 template, or is it touching dom0?
It has a second-stage installation step that changes sudo/root access
inside the template. And for that new root config to work, you have
to add a couple of dom0 config lines (it shows you the dom0 lines at the
end of the install process).
If you remove the altered Deb-9, the dom0 config lines will stay
unless you change them back. However, in practice there is really no
impact on your unmodified templates, so whether or not to remove the
dom0 lines is a question of tidiness.
As an alternative, per the Readme step 3, you can sidestep the whole
sudo auth reconfiguration.
I guess once installed there is no uninstalling?
Currently there is no "purge everything" function or uninstall. You
can remove the service manually by deleting the following:
/lib/systemd/system/vm-boot-protect.service
/usr/lib/qubes/init/vm-boot-protect.sh
/etc/default/vms
I just ended up using vm-boot-protect-root for sys-net and
sys-usb in the qube settings services,
per the "Where to use basic examples",
and vm-boot-protect for regular AppVMs.
I think I'll skip it for anything else.
sys-net is working (I am using fedora-30 because of the past clock
sync issue; otherwise Deb-9), but I'm just curious what the "additional
network VMs" would be here: proxyVPNVMs?
"The sys-net VM should work 'out of the box' with the
vm-boot-protect-root service via the included whitelist file.
Additional network VMs may require configuration, such as cp
sys-net.whitelist sys-net2.whitelist."
PS: the AppVMs seem a bit slower to boot, but it could be my imagination?
:)
As expected, since my sys-net was not based on the template I installed
the script to...
I installed it to a deb-9-clone, and the disp-qubes-manager method
seems to be failing to update. Typically when that happens I go to
a terminal in the template and do it manually; usually it seems to
want dist-upgrade, which presumably the disp-update has issues
with. But after installing the script
in the deb-9 template,
$ sudo apt-get update
fails with what looks like a script of having entered it incorrectly 3
times.
So sorry, but am I supposed to add vm-protect-root to the template
services as well, or how do I fix this?
'vm-protect-root' doesn't match any service created by Qubes-VM-hardening.
Adding vm-boot-protect or vm-boot-protect-root to the services of the
template is optional. You can use either one, but it will always behave
like plain vm-boot-protect in the template (the -root functions don't
make sense in templates).
I'm not clear on when/where you're using fedora-30. Note that install
step 3 is different for fedora.
With debian-9, if you're getting immediate errors from every 'sudo'
command, this would be expected if you chose to uninstall
'qubes-core-agent-passwordless-root' in install step 3 (this means no
more sudo!). But if you chose to auto-configure sudo, you will still
need to add the config lines to dom0 for sudo to work correctly
(otherwise, sudo will just give you errors); these lines are printed in
the shell at the end of the install process.
Hence my original query about 'examples'. Thanks in advance.
Not sure what example you're looking for. In debian, the installer asks
you one question: 'Configure sudo authentication prompt now? (y/n)'.
After installing Qubes-VM-hardening with sudo auth configured, running a
command like 'sudo apt-get update' will cause a dom0 auth prompt window
to appear, at which point you can hit 'Enter' or click 'OK'. Then the
command will run normally.
At the vm-boot-protect level, you should see 'bin' automatically added
to your home dir, and doing an 'lsattr -a' will show a number of
files/dirs in home with the 'i' flag set.
At vm-boot-protect-root level, you should see a new dir
'/rw/vm-boot-protect' and it should contain 'BAK' and/or 'ORIG' versions
of config, bind-dirs and usrlocal.
--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
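As an added example (not from this thread or from Qubes-VM-hardening), a POSIX sh script that checks for the two signs of protection Chris lists: home-dir entries with the immutable 'i' attribute, and a /rw/vm-boot-protect dir holding BAK/ORIG copies. The lsattr sample is constructed, and matching BAK/ORIG entries by name pattern is an assumption about how the copies are named.

```shell
#!/bin/sh
# Added example, not part of the thread or of Qubes-VM-hardening.
# Reports the visible effects of each protection level described above:
# home-dir entries carrying the immutable ('i') attribute (vm-boot-protect)
# and the /rw/vm-boot-protect state dir with BAK/ORIG copies
# (vm-boot-protect-root). Run inside the VM as: sh vbp-check.sh --run

# Constructed sample of 'lsattr -a' output, used for offline testing.
SAMPLE_LSATTR='----i---------e------- /home/user/.bashrc
--------------e------- /home/user/notes.txt
----i---------e------- /home/user/bin
-----------I--e------- /home/user/Documents'

# immutable_paths: read lsattr-style lines on stdin and print only the
# paths whose attribute field contains lowercase 'i' (immutable).
# Uppercase 'I' (indexed directory) is a different flag and is skipped.
immutable_paths() {
    while IFS= read -r line; do
        attrs=${line%% *}
        path=${line#* }
        case $attrs in
            *i*) printf '%s\n' "$path" ;;
        esac
    done
}

# root_state_present DIR: succeed if DIR exists and holds an entry whose
# name contains BAK or ORIG (assumed naming of the saved copies).
root_state_present() {
    dir=$1
    [ -d "$dir" ] || return 1
    for entry in "$dir"/*BAK* "$dir"/*ORIG*; do
        [ -e "$entry" ] && return 0
    done
    return 1
}

if [ "${1:-}" = "--run" ]; then
    echo "Immutable entries in $HOME (vm-boot-protect level):"
    lsattr -a "$HOME" 2>/dev/null | immutable_paths
    if root_state_present /rw/vm-boot-protect; then
        echo "vm-boot-protect-root state found in /rw/vm-boot-protect"
    else
        echo "no vm-boot-protect-root state in /rw/vm-boot-protect"
    fi
fi
```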