On 1/20/20 9:02 PM, tortuga verde wrote:
20.01.2020, 16:27, "Chris Laprise" <tas...@posteo.net>:
On 1/20/20 6:02 AM, fiftyfourthparal...@gmail.com wrote:
If I were looking to maximize security, which would you say is
better--Debian, Fedora, or some other distro, like Gentoo or Arch? If
you've changed your sys-net, sys-usb, or other templates to something
other than Fedora, why? And to what?
IMO, Debian is the best choice for secure templates. Its security focus
is at least "normal" while Fedora's philosophy is haphazard "test the
new stuff quick". Essentially all the worst systemd bugs will show up in
a current Fedora release, for example. OTOH, my experience with systemd
in Debian has been much smoother.
I think a good choice here is the distro you are most familiar with, as
you change given defaults to a more secure setting - and you have to
know about those settings in the first place. For Debian I know all the
bells and whistles to switch, but I don't have much idea about Fedora.
Imho the best choice here would be:
OpenBSD: Paranoid by design - sadly no working template (or is there by
now?!? :) )
Gentoo: Reduce attack surface by only installing (compiling) what you
actually need, plus compiling into the programs only what you actually
need. Downside: Time consuming to maintain.
Personally I'd love to see https://github.com/CLIPOS in a qube :) But
I'm not sure how much work that is... When ClipOS was released to the
public I played around with it and didn't get it running, but
maybe that changed. From what I understand it can be "installed" on top
of Debian.
Personally I use the debian-10-minimal template in Qubes and install
only what I need exactly for each Qube. Then on top of that, I apply
regular hardening... But I'm sure that something like OpenBSD or ClipOS
would be a better approach as they are built for the paranoid. I think
ClipOS would be "a" really good solution to run in a qube.
I think this is a good point in time to emphasize that we (the Qubes
community) should put some effort into actually creating a hardened OS
template for the qubes VMs (Please OpenBSD or ClipOS) :) as that is kind
of missing from the project. Something with preferably a host and
network IDS :P But I realize that this is lots of work too ofc..
We could make that better by providing a template for example hardened
with "thunderbird" pre-installed.
Fedora is also the only major distro that doesn't cryptographically sign
its top-level repo metadata, allowing a MITM attacker to selectively
prevent individual packages from updating. I interpret this as a
decision forced on Fedora project from Red Hat's marketing dept. so they
can easily scare mission-critical Fedora users into purchasing RHEL
licenses. There is no other possible explanation, IMO, as even CentOS
fully signs their repos.
Debian is also more flexible: There are many more packages, and for the
very latest stuff Debian lets you grab from the testing, unstable and
experimental repos.
I'd like to add that for this you can also use qubes-builder to build an
Ubuntu template.
And you get to choose whether you want shorter or
longer upgrade cycles; with Fedora it's always short, which is a cause of
disruption.
Finally, Debian templates are produced via Qubes official channels. That
means something at least in terms of the level of oversight for
building, distributing and updating the templates. OTOH, if this isn't
so important to you, then Ubuntu and CentOS templates are alternatives
to consider.
I've read that Debian is generally considered more secure than Fedora
because of, among other things, AppArmor and tighter oversight of
packages. This makes me wonder why it is that Fedora is the default
template for basically everything while Debian has its default AppArmor
disabled. Are there any downsides to basically removing Fedora from my
Qubes?
I have done this - replaced everything including sys-net and stuff for
templates based on debian-10-minimal. Works lovely.
Now I only have fedora in dom0 ofc... I think there was some guy who was
trying to get this running with debian but not sure.. I don't do $things
in dom0 so I'm not sure how much it matters. If this would be debian, it
would be very cool though.
IIRC, the choice of Fedora was sort of an accident; it was what the
Qubes core developer was most familiar with at the time.
There is an open issue about moving away from Fedora to another distro
like Debian.
Note: Debian does come with the Qubes install media (and Whonix
templates are based on Debian as well) so at least its easy to choose.
Side note: Whonix has its own very interesting hardening guide on the
Whonix wiki.
I've also considered that the nature of Qubes makes this discussion seem
moot to some, but my stance is that I should increase security where
feasible.
:thumbsup:
I think it's not the best idea to say "we have Xen so we can do whatever
we want in the VM - lets get rid of passwords for sudo". Something I
never liked about qubes.. I realize that by doing this, Qubes is easy to
use for most people, but I think templates should be created by the
community which serve the more paranoid power-users.
There is one thing I don't use Debian for: The Update VM (which may be
sys-net or sys-firewall, but you can assign it to a separate VM). The
reason is that dom0 uses rpm/dnf and Fedora template is needed to handle
it properly.
Yeah... I've had my fair share of trouble with that update thingy ;)
So as I only use debian here is what I found:
https://github.com/rickysarraf/apt-offline
This fancy tool allows you to install / update apt packages on airgaps -
which are, in a way, kinda like qubes VMs themselves.
I've written some bash / qvm-run magic to:
- Download packages in "sys-apt"
- Package them into an archive using apt-offline
- Copy and install this archive on the target template VM
This way:
- you only download things once, not 20 times if you have multiple VMs
where all VMs need "cmatrix" installed
- for me it fixed the issue of somehow breaking the updateVM all the time
for $reasons (the updateVM is then only required for dom0)
- you can create new qubes with packages you have downloaded already
while offline
At the moment my bash script around all that for qubes is a bit hacky
but I'll see to finishing it and putting it on github.
Also, Fedora template is currently required for building Qubes itself
and Qubes templates.
--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
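The download-once, install-offline flow described in the message above, written out as an added example (this is not the poster's unpublished script and not Qubes project code): a dom0 bash script that drives apt-offline in a networked qube and an offline Debian template through qvm-run --pass-io. The qube name sys-apt, the /tmp paths inside the qubes and the dom0-side cache directory are assumptions, and both the download qube and the target template are assumed to have apt-offline installed.

```shell
#!/bin/bash
# Added example, not the poster's script: drive apt-offline from dom0 so an
# offline Debian template gets its updates through a separate networked
# qube. Assumptions: the networked qube is called sys-apt (hypothetical
# name), both it and the target template have apt-offline installed, and
# the /tmp paths used inside the qubes are free. Nothing here changes any
# qube's NetVM; files move over qvm-run's pass-io channel with cat.
set -euo pipefail

APT_QUBE="${APT_QUBE:-sys-apt}"             # qube that talks to the mirrors
SIG=/tmp/apt-offline.sig                    # signature path inside the qubes
BUNDLE=/tmp/apt-offline-bundle.zip          # bundle path inside the qubes
WORKDIR="${WORKDIR:-$(mktemp -d)}"          # dom0-side cache for sig and bundle

# Single point of contact with the qubes. stdin/stdout are passed through,
# so redirecting this call moves a file in or out of a qube.
qvm_run() {                                 # qvm_run <qube> <user> <command>
    local qube="$1" user="$2" cmd="$3"
    qvm-run --pass-io -u "$user" "$qube" "$cmd"
}

# Step 1 (offline template): let apt-offline record the index files and
# .debs that an update/upgrade (plus any requested packages) would need,
# then pull that signature into dom0.
make_signature() {                          # make_signature <template> [pkg...]
    local tmpl="$1"; shift
    local cmd="apt-offline set $SIG --update --upgrade"
    if [ $# -gt 0 ]; then
        cmd="$cmd --install-packages $*"
    fi
    qvm_run "$tmpl" root "$cmd"
    qvm_run "$tmpl" root "cat $SIG" > "$WORKDIR/$tmpl.sig"
}

# Step 2 (networked qube): push the signature in, download everything it
# names into one bundle, pull the bundle back into dom0.
fetch_bundle() {                            # fetch_bundle <template>
    local tmpl="$1"
    qvm_run "$APT_QUBE" user "cat > $SIG" < "$WORKDIR/$tmpl.sig"
    qvm_run "$APT_QUBE" user "apt-offline get $SIG --bundle $BUNDLE"
    qvm_run "$APT_QUBE" user "cat $BUNDLE" > "$WORKDIR/$tmpl.zip"
}

# Step 3 (offline template): push the bundle in, import it into apt's
# lists and archive cache, and install from that cache. With no network the
# apt-get steps either succeed from the cache or fail; they never fetch.
install_bundle() {                          # install_bundle <bundle> <template> [pkg...]
    local bundle="$1" tmpl="$2"; shift 2
    qvm_run "$tmpl" root "cat > $BUNDLE" < "$bundle"
    qvm_run "$tmpl" root "apt-offline install $BUNDLE"
    qvm_run "$tmpl" root "DEBIAN_FRONTEND=noninteractive apt-get -y upgrade"
    if [ $# -gt 0 ]; then
        qvm_run "$tmpl" root "DEBIAN_FRONTEND=noninteractive apt-get -y install $*"
    fi
}

# Whole cycle for one template. The bundle stays in $WORKDIR, so
# install_bundle can be reused for a clone in the same package state
# without downloading again.
update_template() {                         # update_template <template> [pkg...]
    local tmpl="$1"; shift
    make_signature "$tmpl" "$@"
    fetch_bundle "$tmpl"
    install_bundle "$WORKDIR/$tmpl.zip" "$tmpl" "$@"
}

if [ $# -gt 0 ]; then                       # e.g. ./apt-offline-qubes.sh debian-10-minimal cmatrix
    update_template "$@"
fi
```

Run from dom0 as `./apt-offline-qubes.sh debian-10-minimal cmatrix`. Two caveats a practitioner should know: apt-offline computes the upgrade list from the index the template holds when the signature is made, so after a long gap a second cycle can pick up packages the first one did not see; and a clone fed a cached bundle must be in the same package state as the template that produced the signature, otherwise apt will want files the bundle does not contain and, having no network, the apt-get step fails rather than fetching them.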
I have considered changing from Fedora templates to Debian templates, but this
is what holds me back:
https://www.qubes-os.org/doc/templates/debian/#starting-services
I'm not a Linux expert, so I don't know what/if services are starting, and if
after an update new services are introduced or begin starting. It just seems
like it would be an ongoing concern that doesn't exist on fedora. Is it easily
remedied?
I'm a basic user, I'm not running any servers. However, I certainly would like
to have templates that are more secure by default. I would use the Debian
minimal template for all sys and vpn VMs. I would clone it and expand it to
include libreoffice, rhythmbox and all the other things for a more full-featured
template, that is still smaller than the default template. Any insight/feedback
would be appreciated.
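One way to get a handle on the service question raised above, as an added example (this is not from the linked Qubes page or from any participant): a small bash script for use inside a Debian template that snapshots the enabled service units, reports what a package update newly enabled, and installs the /usr/sbin/policy-rc.d hook that Debian's invoke-rc.d and deb-systemd-invoke consult before starting a service from a maintainer script (exit status 101 means "action forbidden by policy"). The snapshot file locations are arbitrary choices.

```shell
#!/bin/bash
# Added example for auditing service auto-start in a Debian template.
# Not from the Qubes documentation; snapshot file paths are the caller's choice.
set -euo pipefail

# Sorted list of enabled service units, one per line (sorted because comm
# below requires sorted input).
enabled_services() {                      # enabled_services > snapshot-file
    systemctl list-unit-files --type=service --state=enabled --no-legend \
        | awk '{print $1}' | sort
}

# Units enabled in the "after" snapshot that were not enabled "before".
newly_enabled() {                         # newly_enabled <before-file> <after-file>
    comm -13 "$1" "$2"
}

# Write a policy-rc.d that forbids every start requested by a maintainer
# script. invoke-rc.d and deb-systemd-invoke both run this hook and treat
# exit status 101 as "do not start". Default path is the one Debian honours.
install_policy_rc_d() {                   # install_policy_rc_d [path]
    local target="${1:-/usr/sbin/policy-rc.d}"
    printf '#!/bin/sh\n# Never auto-start services from package maintainer scripts.\nexit 101\n' > "$target"
    chmod 0755 "$target"
}

# Typical cycle inside the template: snapshot, update, snapshot, report
# what the update enabled so it can be disabled or masked deliberately.
audit_update() {                          # audit_update <before-file> <after-file>
    enabled_services > "$1"
    apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y upgrade
    enabled_services > "$2"
    newly_enabled "$1" "$2"
}
```

The policy-rc.d hook only stops maintainer scripts from starting services inside the template at install or upgrade time; whatever is enabled still starts at boot in every AppVM based on the template, which is what the snapshot diff is for. A unit that audit_update reports and that you do not want gets `systemctl disable` (or `systemctl mask`, which also blocks manual and dependency starts) in the template.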
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com
<mailto:qubes-users+unsubscr...@googlegroups.com>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/1345411579539750%40sas1-30406100349c.qloud-c.yandex.net
<https://groups.google.com/d/msgid/qubes-users/1345411579539750%40sas1-30406100349c.qloud-c.yandex.net?utm_medium=email&utm_source=footer>.