Fix formatting

Christopher Laprise 2023-05-01 13:39:26 -04:00
parent 1b9b0ce529
commit b85fac0282
No known key found for this signature in database
GPG Key ID: 448568C8B281C952

@ -16,28 +16,26 @@ Leverage Qubes template non-persistence to fend off malware at VM startup: Lock-
### Installing
1. In dom0, enter the following commands to [enable](https://www.qubes-os.org/doc/vm-sudo/#replacing-password-less-root-access-with-dom0-user-prompt) `sudo` prompts:
```
1. In dom0, enter the following commands to enable `sudo` prompts:
```
sudo su -
echo "/usr/bin/echo 1" >/etc/qubes-rpc/qubes.VMAuth
chmod +x /etc/qubes-rpc/qubes.VMAuth
echo "@anyvm dom0 ask,default_target=dom0" >/etc/qubes-rpc/policy/qubes.VMAuth
```
sudo su -
echo "/usr/bin/echo 1" >/etc/qubes-rpc/qubes.VMAuth
chmod +x /etc/qubes-rpc/qubes.VMAuth
echo "@anyvm dom0 ask,default_target=dom0" >/etc/qubes-rpc/policy/qubes.VMAuth
2. In a template VM, install and configure
```
cd Qubes-VM-hardening
sudo bash install
sudo bash configure-sudo-prompt
```
2. In a template VM, install and configure
cd Qubes-VM-hardening
sudo bash install
sudo bash configure-sudo-prompt
As an alternative, you can skip _'configure-sudo-prompt'_ and Step 1 and instead uninstall the `qubes-core-agent-passwordless-root` package from the template. After doing this, you will have to use `qvm-run -u root` from dom0 to run any VM commands as root.
3. Activate by specifying one of the following Qubes services for your VM(s)...
3. Activate by specifying one of the following Qubes services for your VM(s)...
- `vm-boot-protect` - Protects executables/scripts within /home/user and may be used with wide array of Qubes VMs including standalone, appVMs, netVMs, Whonix, etc.
- `vm-boot-protect-root` - Protects /home/user as above, automatic /rw executable deactivation, whitelisting, checksumming, deployment. Works with appVMs, netVMs, etc. that are _template-based_.
```
CAUTION: The -root option by default **removes** prior copies of /rw/config, /rw/usrlocal and /rw/bind-dirs. This can delete data!
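Review bot: Step 1 now asks the reader to run root commands in dom0 with no inline pointer to what they do, because the link on "enable" is dropped from the sentence. The last command installs an `ask` policy for `@anyvm` on `qubes.VMAuth`, and both `echo ... >` redirects overwrite any file already at those paths, so either keep the vm-sudo link in the step itself or add one line there saying what the service and policy are for. Also check the ``` line directly before the CAUTION paragraph: if it stays, `**removes**` will not render as bold and the fence has no close visible in this hunk.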
@ -126,6 +124,10 @@ Some useful configurations have been supplied in /etc/default/vms:
* The service can be removed from the system with `cd Qubes-VM-hardening; sudo bash install --uninstall`
### Links
- Qubes VM sudo [page](https://www.qubes-os.org/doc/vm-sudo/#replacing-password-less-root-access-with-dom0-user-prompt)
## Releases
- v0.9.4 Revise dom0 instructions for sudo prompt
- v0.9.3 Protect against suid and device nodes
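Review bot: The new Links entry uses the bare word "page" as its link text, and nothing in the Installing steps points the reader to this section. Make the descriptive phrase the link text (for example the whole of "Qubes VM sudo page") and mention the Links section from Step 1, since that is where the reader needs the reference. The "### Links" heading also sits directly above "## Releases", so confirm it is meant to be nested under the preceding section rather than at the same level as Releases.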