On 18-04-20 01:14:56, Thierry Laurion wrote:
> I think the best would be per example. That would help me, and I'm pretty
> sure it would help others.
>
> QubesOS decided to document changes for specific threat models/needs. Here
> are some examples:
I was thinking some about those, and they are somewhat tricky to
automate.
> 1. randomized mac configuration for NetworkManager is not deployed per
> under sys-net. It requires a simple file drop in. See here:
> https://www.qubes-os.org/doc/anonymizing-your-mac-address/
This requires modification to a template that sys-net is based on. I
don't know how to automate the detection of that. Ways to go about it
that I see are either allowing the user to configure which template to act
on, or placing this file in ALL templates.
> 2. Discard flush was not implemented per default, which consumes spaces
> without reasons. Making sure it is deployed would be awesome.
> https://www.qubes-os.org/doc/disk-trim/
This one's a bit tricky for another reason:
"Add (...) to kernel cmdline (follow either GRUB2 or EFI, not both):"
I don't know how to detect which way the system was booted, so again it
would be up to the user to configure where the change is to happen.
> Going around and implementing the examples given in configuration guides
> and creating salt formulas for them would be awesome. I haven't wrapped my
> head about the best way to do this. Enabling a top file would make it
> deployed next run? So it is better to compartmentalize changes by needs?
Yeah, currently the approach seems to be to enable particular formulas
in the master_tops system, and then a highstate will ensure that all are
true.
Which also ties in with another thing I was thinking about. Currently a
lot of states use file.prepend[1] to put text in a file. My sysadmin
experience keeps yelling at me to use instead file.accumulated[2] to
combine together all the pieces, and then manage the whole file with
file.managed[3] - but that would wipe any manual modifications. Which for
me is a good thing, but not everyone may agree.
> Any insight would be helpful! Providing a pull request in either
> SkyLab/QubesOS giving links to Qubes applied examples would help the larger
> community for sure!
[1] https://docs.saltstack.com/en/latest/ref/states/all/salt.states.file.html#salt.states.file.prepend
[2] https://docs.saltstack.com/en/latest/ref/states/all/salt.states.file.html#salt.states.file.accumulated
[3] https://docs.saltstack.com/en/latest/ref/states/all/salt.states.file.html#salt.states.file.managed
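The file.accumulated plus file.managed pattern mentioned in the reply above, sketched as an added example; it is not part of the original message or of the Qubes salt formulas, and every state ID, path and the template name in it are hypothetical.

```yaml
# Added illustration. All state IDs, /etc/example/combined.conf and
# salt://example/combined.conf.jinja are hypothetical names.

# Current style (shown commented out for comparison): each formula edits
# the file in place, so lines added by hand or by other states survive.
#
# formula-a-line:
#   file.prepend:
#     - name: /etc/example/combined.conf
#     - text: 'option_a = 1'

# Alternative: each formula only registers its fragment in an accumulator.
formula-a-fragment:
  file.accumulated:
    - name: combined_lines              # accumulator key used by the template
    - filename: /etc/example/combined.conf
    - text: 'option_a = 1'
    - require_in:                       # file.accumulated needs require_in/watch_in
      - file: combined-conf

formula-b-fragment:
  file.accumulated:
    - name: combined_lines              # same key: text is appended to the list
    - filename: /etc/example/combined.conf
    - text: 'option_b = 2'
    - require_in:
      - file: combined-conf

# One state owns the whole file and renders every collected fragment.
# Anything in the file that is not produced by the template is replaced
# on the next highstate, including manual modifications.
combined-conf:
  file.managed:
    - name: /etc/example/combined.conf
    - source: salt://example/combined.conf.jinja
    - template: jinja
    - user: root
    - group: root
    - mode: '0644'
```

The hypothetical template emits the fragments with a loop such as `{% for line in accumulator['combined_lines'] %}{{ line }}{% endfor %}`. Keep that Jinja in the template file only: an SLS file is itself rendered by Jinja before YAML parsing, so the loop would be evaluated even inside a YAML comment.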