Re: [qubes-users] Re: ANN: Qubes-VM-hardening v0.8.4 released
On 7/27/19 8:27 PM, Jon deps wrote: pardon my non-sysadmin query : any chance of some real world examples? quite a few new terms there . so install into Debian-9 but step 2 am already lost eg how and where amd I "activating" vm-boot-protect in the templatevm ? or during install there is going to appear a choice of which service to start , then when one opens a TBAVM based on the specified Deb-9 template the protection work at that point ? Go to the VM's Settings / Services tab, and add "vm-boot-protect" as a service. Can I install it in a fresh Deb-9 , and if its breaking things, just delete the fresh Deb-9 template, or is it touching dom0 ? It has a second-stage installation step that changes sudo/root access inside the template. And for that new root config to work, you have to add a couple dom0 config lines (it shows you the dom0 lines at the end of the install process). If you remove the altered Deb-9, the dom0 config lines will stay unless you change them back. However, in practice there is really no impact on your unmodified templates, so whether or not to remove the dom0 lines is a question of tidiness. As an alternative, per the Readme step 3, you can sidestep the whole sudo auth reconfiguration. I guess once installed there is no un-installing ? Currently there is no "purge everything" function or uninstall. You can remove the service manually by deleting the following: /lib/systemd/system/vm-boot-protect.service /usr/lib/qubes/init/vm-boot-protect.sh /etc/default/vms -- Chris Laprise, tas...@posteo.net https://github.com/tasket https://twitter.com/ttaskett PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0f75bffa-73d0-6868-fb08-faece210723c%40posteo.net.
[qubes-users] Re: ANN: Qubes-VM-hardening v0.8.4 released
On 7/18/19 3:53 PM, Chris Laprise wrote: Description: Qubes-VM-hardening Leverage Qubes template non-persistence to fend off malware at VM startup: Lock-down, quarantine and check contents of /rw private storage that affect the execution environment. * Acts at VM startup before private volume /rw mounts * User: Protect /home desktop & shell startup executables * Root: Quarantine all /rw configs & scripts, with whitelisting * Re-deploy custom or default files to /rw on each boot * SHA256 hash checking against unwanted changes * Provides rescue shell on error or request * Works with template-based AppVMs, sys-net and sys-vpn Version 0.8.4 expands protection to the /home/user systemd directory, and now hides its vms config directory on all VM startups (not just when its enabled). Upgrading is recommended. Github link - https://github.com/tasket/Qubes-VM-hardening pardon my non-sysadmin query : any chance of some real world examples? quite a few new terms there . so install into Debian-9 but step 2 am already lost eg how and where amd I "activating" vm-boot-protect in the templatevm ? or during install there is going to appear a choice of which service to start , then when one opens a TBAVM based on the specified Deb-9 template the protection work at that point ? Can I install it in a fresh Deb-9 , and if its breaking things, just delete the fresh Deb-9 template, or is it touching dom0 ? I guess once installed there is no un-installing ? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/33117978-ed56-0e09-53fa-76331a057623%40riseup.net.
[qubes-users] Re: Boot Problem
For the Precision, I fortunately had an Intel NIC (Precision M4700 https://groups.google.com/forum/#!topic/qubes-users/-5Vbi5vhbms) but experienced the Broadcom pains too. Here's some ideas: You can get an RTL8187 for about $5 on eBay, works great. I would remove the Broadcom wifi card and swap in a Realtek wifi card, disable the integrated NIC ethernet card in Bios, and install Qubes in legacy mode - not UEFI (in case you need Grub for recovery options later). In Bios, this should be in System configuration, Integrated NIC and uncheck those boxes (check the whole menu for other locations too). If you need ethernet, then after install you can look online on how to install the specific Broadcom drivers into sys-net VM's template (if you can find a safe source). Then reboot into bios and re-enable the ethernet NIC, and after boot in the Qubes sys-net VM settings move the PCI bridge for the ethernet controller into the "selected" column and try restarting the VM and using the ethernet card. If it works reboot to see if everything is still successful. If it won't boot, then just disable ethernet again in Bios and try maybe switching the sys-net VM template to Debian and installing the drivers there in case you get the support. On Wednesday, April 19, 2017 at 4:35:06 PM UTC-4, craig@gmail.com wrote: > > I am having at boot problem with my Qubes OS 3.2. When I boot up I enter > the disk password and the boot process continues until it gets to the > line... > > A start job is running for Qubes NetVM startup (32s / no limit) > > And it hangs. The HDD turns off and the computer will stay here never > booting or shutting down until you force it to turn off. Anyone have an > idea of what is going on and how to fix it? > > Thank you, > > Craig > > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/cbc291a6-257b-4551-9092-d240f3f238b2%40googlegroups.com.
Re: [qubes-users] Creating and running VMs on a RAM DISK?
On Fri, Jul 26, 2019 at 12:18:26PM -0400, Brendan Hoar wrote: > On Fri, Jul 26, 2019 at 11:31 AM unman wrote: > > > On Fri, Jul 26, 2019 at 05:57:02AM -0700, brendan wrote: > > > Or, should I just utilize the straightforward approach of adding the > > amount > > > of RAM I wish to use as a RAM disk to the baseline dom0 RAM > > configuration, > > > and then set up the RAM disk in dom0? > > > > Straightforward works fine. > > You can use file driver or create thin pool in /dev/shm and register it > > with Qubes as normal. > > > Thanks unman. Hmm tmpfs can swap (though unusual). Hmm...thinking LVM on > ramfs if there is plenty of RAM, maybe, as ramfs isn???t supposed to swap. > > Of course if a randomly keyed encryption layer is involved, i???d lean > towards LVM on tmpfs. > > I???m curious how and when tmpfs knows to release memory. Another rabbit > hole... > > For safety I delete qubes, clean up and deregister... > > > > I too cleanup for various reasons, including that the disk usage widget > doesn???t like registered but missing pools (it reports divide by zero error > and exits). > > Thanks! > Brendan I don't use swap in this scenario. I prefer to use the control that tmpfs offers over ramfs. I'd recommend creating a dedicated ram disk for the purpose. I'm not a widget user so hadn't noticed that bug. Qubes generally is extremely forgiving if pools are missing, and all works fine on reboot without cleanup, in my experience, except the trailing qube needs to be cleaned. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190727134450.4qop7gotxvr5st4z%40thirdeyesecurity.org.