Git-Mirrors/Qubes-VM-hardening
1
0
Fork 0
mirror of https://github.com/tasket/Qubes-VM-hardening.git synced 2024-10-01 06:35:42 -04:00
Code Issues Packages Projects Releases Wiki Activity

Fix formatting

Browse Source
This commit is contained in:
Christopher Laprise 2023-05-01 13:39:26 -04:00
parent 1b9b0ce529
commit b85fac0282
No known key found for this signature in database
GPG Key ID: 448568C8B281C952
1 changed files with 17 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
README.md
View File

@ -16,28 +16,26 @@ Leverage Qubes template non-persistence to fend off malware at VM startup: Lock-
### Installing ### Installing
1. In dom0, enter the following commands to [enable](https://www.qubes-os.org/doc/vm-sudo/#replacing-password-less-root-access-with-dom0-user-prompt) `sudo` prompts:
``` ```
1. In dom0, enter the following commands to enable `sudo` prompts:
sudo su - sudo su -
echo "/usr/bin/echo 1" >/etc/qubes-rpc/qubes.VMAuth echo "/usr/bin/echo 1" >/etc/qubes-rpc/qubes.VMAuth
chmod +x /etc/qubes-rpc/qubes.VMAuth chmod +x /etc/qubes-rpc/qubes.VMAuth
echo "@anyvm dom0 ask,default_target=dom0" >/etc/qubes-rpc/policy/qubes.VMAuth echo "@anyvm dom0 ask,default_target=dom0" >/etc/qubes-rpc/policy/qubes.VMAuth
```
2. In a template VM, install and configure 2. In a template VM, install and configure
```
cd Qubes-VM-hardening cd Qubes-VM-hardening
sudo bash install sudo bash install
sudo bash configure-sudo-prompt sudo bash configure-sudo-prompt
```
As an alternative, you can skip _'configure-sudo-prompt'_ and Step 1 and instead uninstall the `qubes-core-agent-passwordless-root` package from the template. After doing this, you will have to use `qvm-run -u root` from dom0 to run any VM commands as root. As an alternative, you can skip _'configure-sudo-prompt'_ and Step 1 and instead uninstall the `qubes-core-agent-passwordless-root` package from the template. After doing this, you will have to use `qvm-run -u root` from dom0 to run any VM commands as root.
3. Activate by specifying one of the following Qubes services for your VM(s)... 3. Activate by specifying one of the following Qubes services for your VM(s)...
- `vm-boot-protect` - Protects executables/scripts within /home/user and may be used with wide array of Qubes VMs including standalone, appVMs, netVMs, Whonix, etc. - `vm-boot-protect` - Protects executables/scripts within /home/user and may be used with wide array of Qubes VMs including standalone, appVMs, netVMs, Whonix, etc.
- `vm-boot-protect-root` - Protects /home/user as above, automatic /rw executable deactivation, whitelisting, checksumming, deployment. Works with appVMs, netVMs, etc. that are _template-based_. - `vm-boot-protect-root` - Protects /home/user as above, automatic /rw executable deactivation, whitelisting, checksumming, deployment. Works with appVMs, netVMs, etc. that are _template-based_.
```
CAUTION: The -root option by default **removes** prior copies of /rw/config, /rw/usrlocal and /rw/bind-dirs. This can delete data! CAUTION: The -root option by default **removes** prior copies of /rw/config, /rw/usrlocal and /rw/bind-dirs. This can delete data!
@ -126,6 +124,10 @@ Some useful configurations have been supplied in /etc/default/vms:
* The service can be removed from the system with `cd Qubes-VM-hardening; sudo bash install --uninstall` * The service can be removed from the system with `cd Qubes-VM-hardening; sudo bash install --uninstall`
### Links
- Qubes VM sudo [page](https://www.qubes-os.org/doc/vm-sudo/#replacing-password-less-root-access-with-dom0-user-prompt)
## Releases ## Releases
- v0.9.4 Revise dom0 instructions for sudo prompt - v0.9.4 Revise dom0 instructions for sudo prompt
- v0.9.3 Protect against suid and device nodes - v0.9.3 Protect against suid and device nodes