Git-Mirrors/Qubes-VM-hardening
1
0
Fork 0
mirror of https://github.com/tasket/Qubes-VM-hardening.git synced 2024-10-01 06:35:42 -04:00
Code Issues Packages Projects Releases Wiki Activity

Fix formatting

Browse Source
This commit is contained in:
Christopher Laprise 2023-05-01 13:39:26 -04:00
parent 1b9b0ce529
commit b85fac0282
No known key found for this signature in database
GPG Key ID: 448568C8B281C952
1 changed files with 17 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
README.md
View File

@ -16,28 +16,26 @@ Leverage Qubes template non-persistence to fend off malware at VM startup: Lock-
### Installing
1. In dom0, enter the following commands to [enable](https://www.qubes-os.org/doc/vm-sudo/#replacing-password-less-root-access-with-dom0-user-prompt) `sudo` prompts:
```
1. In dom0, enter the following commands to enable `sudo` prompts:
sudo su -
echo "/usr/bin/echo 1" >/etc/qubes-rpc/qubes.VMAuth
chmod +x /etc/qubes-rpc/qubes.VMAuth
echo "@anyvm dom0 ask,default_target=dom0" >/etc/qubes-rpc/policy/qubes.VMAuth
```
2. In a template VM, install and configure
```
cd Qubes-VM-hardening
sudo bash install
sudo bash configure-sudo-prompt
```
As an alternative, you can skip _'configure-sudo-prompt'_ and Step 1 and instead uninstall the `qubes-core-agent-passwordless-root` package from the template. After doing this, you will have to use `qvm-run -u root` from dom0 to run any VM commands as root.
3. Activate by specifying one of the following Qubes services for your VM(s)...
- `vm-boot-protect` - Protects executables/scripts within /home/user and may be used with wide array of Qubes VMs including standalone, appVMs, netVMs, Whonix, etc.
- `vm-boot-protect-root` - Protects /home/user as above, automatic /rw executable deactivation, whitelisting, checksumming, deployment. Works with appVMs, netVMs, etc. that are _template-based_.
```
CAUTION: The -root option by default **removes** prior copies of /rw/config, /rw/usrlocal and /rw/bind-dirs. This can delete data!
@ -126,6 +124,10 @@ Some useful configurations have been supplied in /etc/default/vms:
* The service can be removed from the system with `cd Qubes-VM-hardening; sudo bash install --uninstall`
### Links
- Qubes VM sudo [page](https://www.qubes-os.org/doc/vm-sudo/#replacing-password-less-root-access-with-dom0-user-prompt)
## Releases
- v0.9.4 Revise dom0 instructions for sudo prompt
- v0.9.3 Protect against suid and device nodes