Through the way Qubes OS is made, I think intrusion detection in dom0 doesn’t make much sense. You are not only increasing the attack surface of the most trusted component of the system by installing additional software. At the same time that you are missing the majority of what would potentially need to be analyzed (domUs – aka. AppVMs & StandaloneVMs). For this second point the following (read-only) mailing list discussion may be more adequate: [qubes-users] Hardening Guide for Paranoid Noobs?.
3 Likes