Fedora 41 Minimal vs. Kicksecure 17 (Debian 12 Minimal) for sys-net – Which is Better Security-Wise?

Hi,

I’m trying to decide on the best template for sys-net. I’ve narrowed it down to two options: the fedora-41-minimal template and Kicksecure 17 morphed from debian-12-minimal. I need to understand which one might be the better choice for sys-net and why.

Here’s what I’m considering so far:

Fedora 41 Minimal:

Pros:

  • Officially available template,
  • Got latest kernel and packages (great for hardware support and recent patches),
  • SELinux enforcing mode by default.

Cons:

  • Semi-rolling updates might introduce new bugs,
  • It’s not as hardened out of the box as Kicksecure.

Kicksecure 17 (Debian 12 Minimal):

Pros:

  • Security focus, hardened kernel,
  • AppArmor,
  • Extra tweaks like better entropy generation.
  • Stable and needs fewer updates

Cons:

  • Older packages (e.g., kernel/drivers)
  • Not officially supported.

By looking at these pros and cons, Kicksecure looks better, but Kicksecure inherently installs more packages than fedora-41-minimal that are useless for sys-net, like VLC media player, KeePassXC, GPA, etc., which could theoretically increase the attack surface. Fedora’s minimal install seems leaner by default, though less hardened.

So what is a better choice?

Regards!

1 Like

A better choice for what threat model? Qubes OS is all about risk assessment and risk management.

There are more things to consider.
Fedora works in cooperation with NSA.
Debian has reproducible builds.
Fedora is being taken over by IBM.

Any external network-based attacks that could exploit sys-net’s exposure. I just want to minimize its attack surface and harden it against exploitation.

Really? I’ve heard rumors before about NSA ties through SELinux’s origins and IBM’s role since they own Red Hat, but I haven’t found solid evidence tying it directly to Fedora’s current state. I’d love to see any links or sources you’ve got that back these up.

Have you thought about using OpenBSD? You said that security is important to you, and OpenBSD is known for being secure. Their motto is “Only two remote holes in the default install, in a heck of a long time,” which shows how much they focus on security/hardening.

I made a guide for using sys-net OpenBSD. The guide needs some updates, but it works well for now. Just keep in mind that it is advanced, so you’ll need to decide if you want to go ahead with it. You can install the OpenBSD template from @unman (thanks unman) to have a smoother experience, but I haven’t tested it yet.

2 Likes

Are you sure fedora minimal has SELinux enabled in default installation?

1 Like

You should give links to support your claims please.

I don’t think so

I’d go with kicksecure in that case, because it’s made exactly for this.

1 Like

I really want to give it a shot! I’ve looked at it with awe for years because of its security focus (that “only two remote holes in the default install” motto is seriously impressive). But honestly, I don’t think I’m technically ready to make that leap yet. I’ve never had the guts to try it, and I still don’t. I’m hoping someday Qubes OS will offer an official or at least community-maintained OpenBSD template, then I’d jump on it instantly. Until that happens, I’m worried I’d mess things up (or at least mess my brain up) if I try rigging it for sys-net myself.

There is one now.

1 Like

Really? But I can’t see it in template manager?

1 Like

Even if it’s not, we install required packages in a minimal setup anyway, so can’t we just enable SELinux ourselves?

If we do that, how would Fedora Minimal with SELinux stack up security-wise against Kicksecure for sys-net? Or let me rephrase my question: Which offers better protection against remote threats, SELinux on Fedora or Kicksecure’s full suite?

My confusion is based on the fact that Fedora is officially offered by Qubes OS for sys-net while Kicksecure isn’t even part of the template list.

2 Likes
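The open question in the posts above is whether SELinux (or AppArmor) is actually active in a given template. The following is an added example, not written by any participant in the thread: a small check to run inside the qube that reads the kernel's own LSM interfaces. The optional root-prefix argument is an assumption added so the function can be exercised against constructed sample trees.

```shell
#!/bin/sh
# Added example: report which Linux Security Module is active in this qube.
# The three paths are standard kernel interfaces (securityfs, selinuxfs,
# AppArmor module parameter). The "$1" root prefix is an assumption for testing.

lsm_status() {
    root="${1:-}"
    lsm_file="$root/sys/kernel/security/lsm"
    se_file="$root/sys/fs/selinux/enforce"
    aa_file="$root/sys/module/apparmor/parameters/enabled"

    # Comma-separated list of LSMs the running kernel initialised.
    lsms=""
    if [ -r "$lsm_file" ]; then
        lsms=$(cat "$lsm_file")
    fi

    # selinuxfs exists only when SELinux is loaded; 1 = enforcing, 0 = permissive.
    selinux="inactive"
    if [ -r "$se_file" ]; then
        case "$(cat "$se_file")" in
            1) selinux="enforcing" ;;
            0) selinux="permissive" ;;
        esac
    fi

    # AppArmor exposes Y/N as a module parameter.
    apparmor="inactive"
    if [ -r "$aa_file" ] && [ "$(cat "$aa_file")" = "Y" ]; then
        apparmor="enabled"
    fi

    printf 'selinux=%s apparmor=%s lsm=%s\n' \
        "$selinux" "$apparmor" "${lsms:-unknown}"
}

# Report the state of the system this script runs on.
lsm_status "${1:-}"
```

A result of `selinux=permissive` or `selinux=inactive` means the policy is not confining anything, regardless of which packages are installed in the template.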

I’ll definitely give this template a try!

In the meantime, I’ve shifted all my sys VMs to Kicksecure 17. I hope it’s the right decision for now.

I’ve successfully installed the OpenBSD Template in Qubes OS and managed to boot it. I assigned sys-firewall as its NetVM. However, there is no network; when I checked ifconfig, it seems the fxp driver is missing.

I can’t even copy anything within the OpenBSD window.

What should I do next?

Honestly, I am feeling below beginner level right now. Is there a good resource like an “OpenBSD for Dummies” guide, tutorial, or eBook that could help me get started?

Edit: I figured that the fxp driver is needed to connect with the internal network, but on further search it seems fxp is the Intel Ethernet driver for OpenBSD, and what I really require here is xnf0, and it’s missing.

Are you working with a qube or the template?
If you are using the template as a standalone, have you configured the
network using the information from Settings?

What do you mean?
Do you want to copy from the OpenBSD qube to another qube? This is not
possible.
The best you can do is to use a storage device to move data around, or
set up a storage qube with (e.g. ssh, rsync) to share data.

OpenBSD is well documented - see the FAQ

If you want a guide for OpenBSD in Qubes, there isn’t one. This is
really aimed at advanced users. (There are sometimes questions about what
an advanced user is - a simple answer might be: if you have to ask you
are not an advanced user.)

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

You may also try liteqube. There could be certain problems during the install, but I will do my best to help.

Well then, I think OpenBSD is not for me. Yet!

Until and unless the Qubes OS team reviews and endorses it, I don’t think I can trust something that runs tons of scripts in dom0, no offense.