From aff10f8e4851902bd077ef47e9a92ed3f1d0092e Mon Sep 17 00:00:00 2001 From: Christopher Laprise Date: Mon, 10 Apr 2017 10:39:15 -0400 Subject: [PATCH] Extend coverage to GUI. Update readme. --- README.md | 15 ++++++++++++--- rc.local | 19 +++++++++++++------ 2 files changed, 25 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index a4d50a9..7839e76 100644 --- a/README.md +++ b/README.md 
@@ -1,10 +1,19 @@ # Qubes-VM-hardening -Files for enhancing Qubes VM security and privacy +Enhancing Qubes VM security and privacy -## rc.local: Protect sh and bash init files +## rc.local: Protect sh, bash and GUI init files -Placed in /etc/rc.local of a template VM, this makes the shell init files immutable so PATH and alias cannot be used to hijack commands like su and sudo. I combed the dash and bash docs to address all the user-writable files. Feel free to comment or create issue if you see an omission or other problem. +### Pre-requisites: + Enabling authentication for sudo (see link below for Qubes doc). +### Description: +Placed in /etc/rc.local (or equivalent) of a template VM, this makes the shell init files immutable so PATH and alias cannot be used to hijack commands like su and sudo, nor can impostor apps autostart whenever a VM starts. I combed the dash and bash docs -- as well as Gnome, KDE, Xfce and X11 docs -- to address all the user-writable startup files that apply. Feel free to comment or create an issue if you see an omission or other problem. + +Although protecting init/autostart files should result in Qubes template-based VMs that boot 'cleanly' with much less chance of being affected by malware initially, it should be noted that subsequent running of some apps such as Firefox could conceivably allow malware to persist in a VM; this is because not only of the complexity of the formats handled by apps like Firefox and other browsers, but also because of settings contained in javascript code. Even if malware persists in a VM, it should be possible to run other apps and terminals without interference if sudo authentication is enabled and malware has not escalated to root via an exploit (admittedly, a big 'if'). + +All in all, this is one of the easy steps a Qubes user can take to make their VMs much less hospitable to intrusion and malware. Security can be further enhanced by enabling AppArmor or similar controls. 
+ +Note this sets the Linux immutable flag on files and directories, so intended modifications to the target files and dirs will require the extra step of disabling the flag using `sudo chattr -i`. Immutable is necessary because normal read-write permissions cannot prevent a normal user from removing other users' files (even root) from a dir they own; once removed, an init file like .bashrc can be re-created by the user process which opens the door to hijacking. diff --git a/rc.local b/rc.local index 77dfd4b..fc1217a 100644 --- a/rc.local +++ b/rc.local @@ -1,13 +1,20 @@ #!/bin/sh -e # Debian: /etc/rc.local -## Protect sh and bash init scripts ## -## to prevent privilege escalation attacks ## -chfiles="/home/user/.bashrc /home/user/.bash_profile /home/user/.bash_login /home/user/.bash_logout /home/user/.profile" -touch $chfiles || true -chown -f root:root $chfiles || true -chattr -f +i $chfiles || true + ######################################################### +## Protect sh, bash, X and desktop init scripts ## +## to prevent privilege escalation attacks ## +## and malware persistence - for Qubes Linux templates ## +chfiles=".bashrc .bash_profile .bash_login .bash_logout .profile \ +.xprofile .xinitrc .xserverrc .xsession" +chdirs=".config/autostart .config/plasma-workspace/env .config/plasma-workspace/shutdown \ +.config/autostart-scripts" +cd /home/user +mkdir -p $chdirs ||true +touch $chfiles || true +chattr -R -f +i $chfiles $chdirs || true +#touch /home/user/FIXED || true # end of script exit 0
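Review bot: In the README.md hunk, the new Pre-requisites line says "see link below for Qubes doc", but the hunk covers the whole 19-line file and no link is added anywhere in it. Put the URL of the Qubes sudo authentication document next to that line, or drop the parenthetical, so a reader can actually meet the prerequisite the rest of the description depends on.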
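Review bot: In the rc.local hunk, `mkdir -p $chdirs` runs as root and `chattr -R -f +i` is applied only to the leaf directories, so the intermediate `.config` and `.config/plasma-workspace` are created root-owned when they are absent and are left without the immutable flag either way. The README's own reasoning about entries being removed and re-created in a directory the user owns then applies to those parents as well, and a root-owned `.config` can stop the user's applications from writing their settings. Create the parents with the user's ownership and say in the README that they stay mutable, or extend the protection and document the side effects. Separately, `cd /home/user` has no `|| true`, so under `sh -e` a missing home directory aborts rc.local with a non-zero status while every later step tolerates failure, and the removal of `chown -f root:root` is not explained in the commit message.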