Dom0 compromised? Just swap it with an uncompromised version from the repository

Keep preaching the Ops sec gospel, hopefully we can all learn from this. Thanks, :v:

What is the recommendation of just re-installing everything -every ??? months?

Just to be sure.

That’s a good question. I wish I could do it every day automatically, as most servers can automate this activity. The issue is I am not completely confident that my backups will occur because of the screen lock timer. So by default, I need to stay alert so that the screen doesn’t stop during the time required to back up. Please keep in mind the time required for backups increases as you make more VMs.

I have no idea what would be a good way to automate the function as I cringe every time I think of making a backup.
That’s just my opinion, I am sure there are others out there that have way more experience in this activity and may provide you better insight as to how to best manage it.

But if you make a schedule, make it simple yet rigid to build in discipline by repetition.

Good luck!

I guess when you do a fresh install, especially if you use a USB drive (usual, I think), you can expose the machine to USB attacks. So, I do not know if that is a good idea.

The backup/restore GUI are very simple wrappers around qvm-backup and
qvm-backup-restore. Get familiar with those and write your own scripts.
This way you can:

  1. run backup unattended
  2. if no error, verify backup unattended
  3. if no error, shutdown or do whatever else you want to automate

Also with your own script calling qvm-backup you can do things like:

  • backup every qube into its own backup file
  • backup some qubes more often than others
  • backup templates only if they changed
  • … etc
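The three-step flow from the post above (back up, verify, then continue), with each qube written to its own file, as an added example that is not part of the thread. The qube name `backup-storage`, the paths and the `QVM_BACKUP`/`QVM_RESTORE` override variables are assumptions, and it assumes both tools exit non-zero on failure.

```bash
#!/bin/bash
# Added example for dom0: unattended per-qube backup with verification.
# All values below are assumptions; adjust them to your own setup.
BACKUP_VM="${BACKUP_VM:-backup-storage}"        # hypothetical qube that stores the files
BACKUP_DIR="${BACKUP_DIR:-/home/user/backups}"  # directory inside that qube
PASS_FILE="${PASS_FILE:-/home/user/.backup-passphrase}"  # dom0 file, keep it mode 0600
QVM_BACKUP="${QVM_BACKUP:-qvm-backup}"          # overridable so the flow can be dry-run
QVM_RESTORE="${QVM_RESTORE:-qvm-backup-restore}"

# Back up one qube into its own file, then verify that file.
# Returns 1 if the backup failed, 2 if verification failed; verification
# is never attempted on a backup that did not complete.
backup_one() {
    local qube="$1" dest
    dest="$BACKUP_DIR/$qube-$(date +%Y-%m-%d)"
    "$QVM_BACKUP" --yes --compress --passphrase-file "$PASS_FILE" \
        --dest-vm "$BACKUP_VM" "$dest" "$qube" || return 1
    "$QVM_RESTORE" --verify-only --passphrase-file "$PASS_FILE" \
        --dest-vm "$BACKUP_VM" "$dest" || return 2
}

# Back up every qube named on the command line. One failure does not stop
# the remaining qubes; the return value is the number of qubes that failed.
backup_all() {
    local failed=0 qube
    for qube in "$@"; do
        if backup_one "$qube"; then
            echo "OK   $qube"
        else
            echo "FAIL $qube (step $?)"   # 1 = backup, 2 = verify
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Runs only when qube names are given, e.g.: ./auto-backup.sh work personal vault
if [ "$#" -gt 0 ]; then
    # Step 3 from the list: continue (for example, shut down) only if
    # every backup was written and verified.
    backup_all "$@" && echo "all backups verified"
fi
```

Because the passphrase is read from a file, neither tool waits for keyboard input, so the run does not depend on the screen staying unlocked.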

Thanks for the suggestion. It’s on my weekend todo list. Thanks,

Why would you think that? :confused:

If the screen locks during a backup, why not just… unlock it?

I wish the GUI was more user-friendly, so people would not have to learn too many CLI tools.

> I wish the GUI was more user-friendly

The OP was asking for ways to automate, I don’t think that’s a valid
context to criticize the GUI. It does in fact expose almost all options
the command line gives you sans the dangerous one (e.g. backup without
encryption).

Also luckily @adw picked up on the real head scratcher here. Why does
the OP feel the need to keep the screen unlocked? This may interest
@ninavizz too.


I did not know that screenlockers did not interrupt background processes, until I was told as much. Yes, users will assume what may seem irrational to folks that understand how the internals work. We need to respect that, and improve how we communicate with non-technical users. :slight_smile:

@fsflover We’re working on it! We really are. Qubes’ funding today is very modest, and we can only do so much. Please bear with us.
