makefile and debian
parent
05d8649e05
commit
bcd840c318
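--- /dev/null
+++ b/Makefile
@@ -0,0 +1,7 @@
+VERSION := $(shell cat version)
+
+install: install-vm
+
+install-vm:
+bash ./install
+bash ./configure-sudo-prompt --force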
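Review bot: Neither `install` nor `install-vm` is declared phony, and the recipe itself shows that a file named `install` sits next to this Makefile (`bash ./install`), so make treats the `install` goal as that file and the recipe only runs because `install-vm` never exists as a file. Add `.PHONY: install install-vm` above the rules. The second recipe line passes `--force` to `configure-sudo-prompt`, while the README step added in this same commit runs `sudo bash configure-sudo-prompt` without it; if `--force` skips a confirmation, `make install` changes the template's sudo configuration unattended, which deserves a comment such as `# --force: non-interactive, no confirmation before changing sudo config` (confirm against the script). `VERSION` is assigned but not used in the lines shown.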
@ -16,10 +16,11 @@ Leverage Qubes template non-persistence to fend off malware at VM startup: Lock-
|
|||||||
|
|
||||||
### Installing
|
### Installing
|
||||||
|
|
||||||
1. In a template VM, install the service files
|
1. In a template VM, install and configure
|
||||||
```
|
```
|
||||||
cd Qubes-VM-hardening
|
cd Qubes-VM-hardening
|
||||||
sudo bash install
|
sudo bash install
|
||||||
|
sudo bash configure-sudo-prompt
|
||||||
```
|
```
|
||||||
|
|
||||||
2. Activate by specifying one of the following Qubes services for your VM(s)...
|
2. Activate by specifying one of the following Qubes services for your VM(s)...
|
||||||
|
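--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,5 @@
+qubes-vm-hardening (0.9.3-1) unstable; urgency=medium
+
+* Initial release
+
+-- Christopher Laprise <tasket@protonmail.com> Mon, 2 Sep 2018 08:01:15 -0400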
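--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+10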
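--- /dev/null
+++ b/debian/control
@@ -0,0 +1,18 @@
+Source: Qubes-VM-hardening
+Section: admin
+Priority: optional
+Maintainer: Christopher Laprise <tasket@protonmail.com>
+Build-Depends: debhelper (>= 10)
+Standards-Version: 4.1.2
+Homepage: https://www.qubes-os.org
+
+Package: qubes-vm-hardening
+Architecture: all
+Depends: ${misc:Depends} qubes-core-agent
+Description: Prevent malware persistence in Qubes virtual machines.
+Reconfigures Qubes VM templates to block casual sudo access,
+protects user startup scripts, and includes a service that can
+quarantine, whitelist and check file hashes at startup before
+the /rw volume comes online.
+
+See https://www.github.com/tasket/Qubes-VM-hardening for more info.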
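Review bot: The `Depends` field is missing the comma between its two entries; `Depends: ${misc:Depends} qubes-core-agent` should read `Depends: ${misc:Depends}, qubes-core-agent`. Dependency fields are comma-separated, so the line only parses as long as debhelper substitutes an empty `${misc:Depends}`, and the binary package build breaks as soon as the substitution is non-empty. The extended description also appears to contain an empty line before `See https://www.github.com/tasket/Qubes-VM-hardening for more info.`; inside a control stanza a paragraph break has to be written as ` .`, otherwise the stanza ends there. Leading whitespace is not visible on this page, so verify that line in the file itself.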
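--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,18 @@
+Files: debian/*
+Copyright: 2018-2019 Christopher Laprise <tasket@protonmail.com>
+License: GPL-3
+This package is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3 of the License, or
+(at your option) any later version.
+.
+This package is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+.
+You should have received a copy of the GNU General Public License
+along with this program. If not, see <https://www.gnu.org/licenses/>
+.
+On Debian systems, the complete text of the GNU General
+Public License version 3 can be found in "/usr/share/common-licenses/GPL-3".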
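--- /dev/null
+++ b/debian/install
@@ -0,0 +1 @@
+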
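--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,48 @@
+#!/bin/sh
+# postinst script for qubes-tunnel
+#
+# see: dh_installdeb(1)
+
+
+
+### TODO:
+### Fix postinst and install files in 'debian' folder.
+
+
+
+set -e
+
+# summary of how this script can be called:
+# * <postinst> `configure' <most-recently-configured-version>
+# * <old-postinst> `abort-upgrade' <new version>
+# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+# <new-version>
+# * <postinst> `abort-remove'
+# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+# <failed-install-package> <version> `removing'
+# <conflicting-package> <version>
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+configure)
+systemctl daemon-reload
+systemctl enable vm-boot-protect.service
+;;
+
+abort-upgrade|abort-remove|abort-deconfigure)
+;;
+
+*)
+echo "postinst called with unknown argument \`$1'" >&2
+exit 1
+;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0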
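Review bot: The `configure` branch calls `systemctl` directly under `set -e`, so any failure of `systemctl enable vm-boot-protect.service` aborts the postinst and dpkg leaves the package unconfigured. `debian/install` in this commit is empty, so as far as this page shows the package does not ship that unit itself, and `systemctl daemon-reload` can also fail where systemd is not the running init. Either let debhelper generate the enable logic at `#DEBHELPER#` once the unit is installed by the package, or guard the calls, e.g. `if [ -d /run/systemd/system ]; then systemctl daemon-reload; fi` and `deb-systemd-helper enable vm-boot-protect.service`. The header comment still names another package and should read `# postinst script for qubes-vm-hardening`.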
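--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,25 @@
+#!/usr/bin/make -f
+# See debhelper(7) (uncomment to enable)
+# output every command that modifies files on the build system.
+#export DH_VERBOSE = 1
+
+
+# see FEATURE AREAS in dpkg-buildflags(1)
+#export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+# see ENVIRONMENT in dpkg-buildflags(1)
+# package maintainers to append CFLAGS
+#export DEB_CFLAGS_MAINT_APPEND = -Wall -pedantic
+# package maintainers to append LDFLAGS
+#export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
+
+
+%:
+dh $@
+
+
+# dh_make generated override targets
+# This is example for Cmake (See https://bugs.debian.org/641051 )
+#override_dh_auto_configure:
+# dh_auto_configure -- # -DCMAKE_LIBRARY_PATH=$(DEB_HOST_MULTIARCH)
+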
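--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)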