Hi Dominique, Thanks for the reply. So I take it you chose Mirage because a unikernel firewall has a smaller attack surface compared to full-blown Linux?
I'm a newbie, so I'm not even sure if these are IDS/IPS, but I'm thinking of installing the tried-and-true trio of rkhunter, lynis, chkrootkit. I see the point in changing your mac address (already did it myself), but why the hostname as well? Since it's not covered in that link, did you just edit the config files of the template?

On Wednesday, 10 June 2020 00:26:01 UTC+8, Dominique wrote:
>
> Hi,
>
> First step for me was to install the minimal template and use them instead of the complete template for service qubes (sys-net, sys-USB and sys-firewall). Information on minimal template can be found here: https://www.qubes-os.org/doc/templates/minimal/
>
> Second step for me was building and using the mirage firewall instead of sys-firewall. Information on mirage can be found here: https://github.com/mirage/qubes-mirage-firewall/
>
> Third step for me was random mac address and hostname. https://www.qubes-os.org/doc/anonymizing-your-mac-address/
>
> Those are things that I do on all my qubes laptop installation. After that, you can play with firewall rules, apparmor and other things.
>
> I would love to see a way to add IDS/IPS in qubes easily but did not have time to even check if someone did try to add IDS/IPS.
>
> Have fun!
>
> Dominique
>
> On Tuesday, June 9, 2020 at 11:26:22 AM UTC-4, fiftyfour...@gmail.com wrote:
>>
>> Hi all,
>>
>> I took a break from setting up my Qubes OS machine and now I'm looking to finish the job and actually settle in. I am familiar with the overall layout and functions of the OS as a whole, but want to shore up the security of my individual VMs, with Debian running everything except for dom0. I know that isolation should do most of the work, but if further hardening my VMs will add more hurdles for attackers while being of minimal cost to me, why not?
>>
>> For now, I plan on proper firewalling, activating apparmor, installing taskett-hardening, and reducing attack surfaces where possible.
>>
>> Specific question: how would one strip down non-app VMs (sys-net, sys-USB, sys-firewall, whonix-gw) to minimize their attack surfaces? Aside from common-sense hardening and operation of app VMs, these seem to be the most exposed and therefore most vulnerable.
>>
>> More generally: what steps have you taken to harden your VMs?
>>

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/470cf3c5-87f7-4637-9819-03532b737f8co%40googlegroups.com.
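Dominique's third step, MAC address randomization via the NetworkManager drop-in that the linked Qubes doc describes, as an added example that is not part of this thread: one shell function writes the drop-in into a template's conf.d directory and a second audits that directory so you can confirm the setting actually took in sys-net's template before trusting it. The file name and key names follow NetworkManager's own settings documentation; the directory argument is an assumption so the check can be exercised against a scratch directory instead of the live /etc/NetworkManager/conf.d.

```shell
#!/bin/sh
# MAC randomization drop-in for NetworkManager, plus an audit of it.
# "stable" combined with a stable-id containing ${BOOT} gives a fresh
# address on every boot that stays constant while a connection is up
# (NetworkManager semantics). Directory argument is an assumption so
# the functions can run against a scratch copy offline.

write_macrandomize_conf() {
    confdir="$1"
    mkdir -p "$confdir"
    # Quoted heredoc: ${CONNECTION}/${BOOT} must reach NetworkManager
    # literally, not be expanded by the shell.
    cat > "$confdir/00-macrandomize.conf" <<'EOF'
[device]
wifi.scan-rand-mac-address=yes

[connection]
wifi.cloned-mac-address=stable
ethernet.cloned-mac-address=stable
connection.stable-id=${CONNECTION}/${BOOT}
EOF
}

# Audit: every required key=value must appear on a non-comment line in
# some *.conf under the directory. Returns 0 when all are present,
# otherwise prints the missing ones and returns 1.
check_macrandomize_conf() {
    confdir="$1"
    missing=""
    for kv in wifi.scan-rand-mac-address=yes \
              wifi.cloned-mac-address=stable \
              ethernet.cloned-mac-address=stable; do
        if ! cat "$confdir"/*.conf 2>/dev/null \
             | grep -v '^[[:space:]]*#' | grep -qxF "$kv"; then
            missing="$missing $kv"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    return 0
}
```

Run the audit inside the minimal template (or the running sys-net) against /etc/NetworkManager/conf.d; a "missing:" line means the drop-in was not applied or was overridden by a later file.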