From 0745b42fab8b6aa3cb5f29f63d124a68d67d53e5 Mon Sep 17 00:00:00 2001 From: Christopher Laprise Date: Tue, 20 Feb 2018 17:40:29 -0500 Subject: [PATCH] Readme and add local dir --- README.md | 31 ++++++++++++++++++--------- install | 11 ++++++++++ usr/lib/qubes/init/vm-sudo-protect.sh | 4 ++-- 3 files changed, 34 insertions(+), 12 deletions(-) create mode 100644 install diff --git a/README.md b/README.md index e8e6173..e950e7a 100644 --- a/README.md +++ b/README.md 
@@ -1,26 +1,37 @@ # Qubes-VM-hardening Enhancing Qubes VM security and privacy -### Pre-requisites: - Enabling authentication for sudo (see link below for Qubes doc). --- ## vm-sudo-protect.service - * Protect /home script files - * Remove /rw scripts at VM start + * Protect /home (user) executable files as immutable + * Deactivate /rw (root) executables + * Whitelisting for specifying persistent files + * SHA256 checksumming guards against unwanted changes + * Deploy custom defaut files + * Runs at VM start before /rw mounts -## Testing systemd version... -Install the two files `vm-sudo-protect.sh` and `vm-sudo-protect.service` into template then use `systemctl` to enable the service. +## Installing +### Pre-requisites: + Re-enable sudo authentication (see notes below). -Activate by specifying as a Qubes service for each VM; There are two levels... - 1. `vm-sudo-protect` - similar to the rc.local script. Protects scripts within /home and may be used with wide array of VMs including standalone, netVMs and Whonix. - 2. `vm-sudo-protect-root` - new feature which **erases** /rw/config, /rw/usrlocal and /rw/bind-dirs. Use with caution! This feature can also replace files on a global or per-VM basis... see script for details. Not recommended for standalone or VMs that rely on /rw root dirs such as netVMs or Whonix. +1. In a template VM, install the two service files +``` +$ sudo sh ./install +``` +2. Activate by specifying as a Qubes service for each VM; There are two levels... + - `vm-sudo-protect` - Protects executables/scripts within /home/user and may be used with wide array of Qubes VMs including standalone, netVMs and Whonix. + - `vm-sudo-protect-root` - Protects /home/user as above, automatic /rw executable deactivation, whitelisting, checksumming, deployment. Works with appVMs, netVMs, etc. that are _template-based_. + + + **removes** dirs specified in $privdirs. Default is /rw/config, /rw/usrlocal and /rw/bind-dirs. Use with caution! 
This feature can also replace files on a global or per-VM basis... see script for details. Not recommended for standalone or VMs that rely on /rw root dirs such as netVMs or Whonix. --- -## rc.local (old version) +## Releases +- v0.2.0 Protects /home/user files and dirs only ### Description: Placed in /etc/rc.local (or equivalent) of a template VM, this makes the shell init files immutable so PATH and alias cannot be used to hijack commands like su and sudo, nor can impostor apps autostart whenever a VM starts. I combed the dash and bash docs -- as well as Gnome, KDE, Xfce and X11 docs -- to address all the user-writable startup files that apply. Feel free to comment or create an issue if you see an omission or other problem. diff --git a/install b/install new file mode 100644 index 0000000..3d0a29b --- /dev/null +++ b/install @@ -0,0 +1,11 @@ +#!/bin/sh +[ `id -u` -eq 0 ] || exit + +cp vm-sudo-protect.sh /usr/lib/qubes/init +chmod +x /usr/lib/qubes/init/vm-sudo-protect.sh +cp vm-sudo-protect.service /lib/systemd/system +systemctl daemon-reload +systemctl enable vm-sudo-protect.service + +echo vm-sudo-protect installed! + diff --git a/usr/lib/qubes/init/vm-sudo-protect.sh b/usr/lib/qubes/init/vm-sudo-protect.sh index d895786..0102162 100644 --- a/usr/lib/qubes/init/vm-sudo-protect.sh +++ b/usr/lib/qubes/init/vm-sudo-protect.sh @@ -11,7 +11,7 @@ # to be protected chfiles=".bashrc .bash_profile .bash_login .bash_logout .profile \ .xprofile .xinitrc .xserverrc .xsession" -chdirs="bin .config/autostart .config/plasma-workspace/env \ +chdirs="bin .local/bin .config/autostart .config/plasma-workspace/env \ .config/plasma-workspace/shutdown .config/autostart-scripts" vmname=`qubesdb-read /name` rw=/mnt/rwtmp @@ -24,7 +24,7 @@ make_immutable() { touch $chfiles chattr -R -f +i $chfiles $chdirs cd /root - touch $rw/home/user/FIXED #debug + #touch $rw/home/user/FIXED #debug } # Mount private volume in temp location
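Review bot: In the README.md hunk, the new `vm-sudo-protect-root` bullet says it works with appVMs, netVMs, etc. that are template-based, yet the text that follows still reads "Not recommended for standalone or VMs that rely on /rw root dirs such as netVMs or Whonix". The two statements conflict for netVMs, so state which one holds. The "**removes** dirs specified in $privdirs" sentence has also lost its subject now that it sits detached from the bullet; fold it into the `vm-sudo-protect-root` item so the destructive behaviour is read next to the option that triggers it. "defaut" in "Deploy custom defaut files" should be "default".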
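Review bot: In the new install script, nothing stops execution when a step fails, so `echo vm-sudo-protect installed!` still runs if either `cp` or `systemctl enable` failed, and the template reports success while the protection is not in place. Add `set -e` near the top or check each command. The line `cp vm-sudo-protect.sh /usr/lib/qubes/init` also reads its source from the current directory, while this same patch edits the script at usr/lib/qubes/init/vm-sudo-protect.sh; with `sudo sh ./install` run from the repository root as the README instructs, confirm that relative path resolves, or copy from the in-tree path. The root check `[ `id -u` -eq 0 ] || exit` exits without a message; print a short error to stderr so a non-root run is not mistaken for a completed install.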
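Review bot: In the first vm-sudo-protect.sh hunk, adding `.local/bin` to chdirs only helps if that directory exists when make_immutable runs: the visible lines `touch $chfiles` but do nothing equivalent for $chdirs, and `chattr -R -f +i $chfiles $chdirs` suppresses errors with -f, so a missing .local/bin is skipped silently. Confirm the directories in $chdirs are created before the chattr call (for example with mkdir -p), otherwise the new entry gives no protection on VMs where .local/bin is absent.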
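Review bot: In the second vm-sudo-protect.sh hunk, the debug line is left in make_immutable as `#touch $rw/home/user/FIXED #debug`. Delete it rather than commenting it out; a commented-out write into the private volume is easy to re-enable by accident, and version control already keeps the history.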