Git-Mirrors/Qubes-VM-hardening
1
0
Fork 0
mirror of https://github.com/tasket/Qubes-VM-hardening.git synced 2025-01-13 00:19:50 -05:00
Code Issues Packages Projects Releases Wiki Activity

brief systemd instructions

Browse Source
This commit is contained in:
tasket 2017-04-21 12:03:15 -04:00 committed by GitHub
parent 99af1038a6
commit 9c720c15cf
1 changed files with 18 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
README.md
View File

@ -1,10 +1,26 @@
# Qubes-VM-hardening # Qubes-VM-hardening
Enhancing Qubes VM security and privacy Enhancing Qubes VM security and privacy
## rc.local: Protect sh, bash and GUI init files
### Pre-requisites: ### Pre-requisites:
Enabling authentication for sudo (see link below for Qubes doc). Enabling authentication for sudo (see link below for Qubes doc).
---
## vm-sudo-protect.service
* Protect /home script files
* Remove /rw scripts at VM start
## Testing systemd version...
Install the two files `vm-sudo-protect.sh` and `vm-sudo-protect.service` into template then use `systemctl` to enable the service.
Activate by specifying as a Qubes service for each VM; There are two levels...
1. `vm-sudo-protect` - similar to the rc.local script. Protects scripts within /home and may be used with wide array of VMs including standalone, netVMs and Whonix.
2. `vm-sudo-protect-root` - new feature which **erases** /rw/config, /rw/usrlocal and /rw/bind-dirs. Use with caution! This feature can also replace files on a global or per-VM basis... see script for details. Not recommended for standalone or VMs that rely on /rw root dirs such as netVMs or Whonix.
---
## rc.local (old version)
### Description: ### Description:
Placed in /etc/rc.local (or equivalent) of a template VM, this makes the shell init files immutable so PATH and alias cannot be used to hijack commands like su and sudo, nor can impostor apps autostart whenever a VM starts. I combed the dash and bash docs -- as well as Gnome, KDE, Xfce and X11 docs -- to address all the user-writable startup files that apply. Feel free to comment or create an issue if you see an omission or other problem. Placed in /etc/rc.local (or equivalent) of a template VM, this makes the shell init files immutable so PATH and alias cannot be used to hijack commands like su and sudo, nor can impostor apps autostart whenever a VM starts. I combed the dash and bash docs -- as well as Gnome, KDE, Xfce and X11 docs -- to address all the user-writable startup files that apply. Feel free to comment or create an issue if you see an omission or other problem.