Lynis hardening on qubes?

Hello,
What about the Lynis hardening tool on QubesOS?
The problem I have is understanding some entries and the things Qubes needs for its own working when using the suggestions of Lynis.

Such things as “accounts-daemon.service / alsa-state.service” and much more, but also “qubes-firewall.service” and such things that belong to Qubes are marked as unsafe. So some of them I can surely shut down, but others I suppose I should not.

Also under “Kernel hardening / Comparing sysctl key pairs with scan profile” I can see many entries marked as “different”, such as “dev.tty.ldisc_autoload / fs.protected_fifos” and much more.

Did somebody try to harden some VMs with lynis and can help out?

Regards
qun

yes, you can do that but be careful

i tried it and i accidentally removed some qubes services so i had to reinstall it (i don’t back it up)

ok, so I’ll make a backup and try it out.

What about sysctl.conf? Can there be any problems related to Qubes if I harden the sysctl.conf, or is it just a thing of the VM?

i’m not sure but qubes uses a customized kernel so i think you shouldn’t “harden” that

oh, sorry. I mean just the kernel in the VM. I’m just trying to harden the VMs running in Qubes.

Is there automated hardening for each VM with this “Qubes-VM-hardening”? But as it seems, it’s not for removing some services or hardening the VM kernel, is it?

iirc, many vms use the same kernel

i don’t know

maybe no, i haven’t tried it

so, do you mean that the templateVMs use a hardened kernel made by the qubes team?
What about a standaloneVM which was installed via qubes?

i said many vms, not all vms use the same kernel

it’s not a hardened kernel

ok, I suppose that such VMs as fedora and debian use the same kernel and just some very special ones use their own, isn’t it?

yes, iirc

    - ModemManager.service: [ MEDIUM ]
    - NetworkManager.service: [ EXPOSED ]
    - alsa-state.service: [ UNSAFE ]
    - auditd.service: [ EXPOSED ]
    - dbus-broker.service: [ EXPOSED ]
    - emergency.service: [ UNSAFE ]
    - flatpak-system-helper.service: [ UNSAFE ]
    - haveged.service: [ PROTECTED ]
    - polkit.service: [ UNSAFE ]
    - qubes-db.service: [ UNSAFE ]
    - qubes-firewall.service: [ UNSAFE ]
    - qubes-gui-agent.service: [ UNSAFE ]
    - qubes-meminfo-writer.service: [ UNSAFE ]
    - qubes-qrexec-agent.service: [ UNSAFE ]
    - qubes-sync-time.service: [ UNSAFE ]
    - qubes-updates-proxy.service: [ UNSAFE ]
    - rc-local.service: [ UNSAFE ]
    - rescue.service: [ UNSAFE ]
    - rtkit-daemon.service: [ MEDIUM ]
    - serial-getty@hvc0.service: [ UNSAFE ]
    - switcheroo-control.service: [ EXPOSED ]
    - systemd-ask-password-console.service: [ UNSAFE ]
    - systemd-ask-password-wall.service: [ UNSAFE ]
    - systemd-homed.service: [ MEDIUM ]
    - systemd-hostnamed.service: [ PROTECTED ]
    - systemd-initctl.service: [ UNSAFE ]
    - systemd-journald.service: [ PROTECTED ]
    - systemd-logind.service: [ PROTECTED ]
    - systemd-networkd.service: [ PROTECTED ]
    - systemd-resolved.service: [ PROTECTED ]
    - systemd-timesyncd.service: [ PROTECTED ]
    - systemd-udevd.service: [ MEDIUM ]
    - systemd-userdbd.service: [ PROTECTED ]
    - user@1000.service: [ UNSAFE ]
    - xendriverdomain.service: [ UNSAFE ]

what about these services on the standalone fedora 33?
qubes-services are surely needed for qubes itself, but what about the rest?

And this is the kernel hardening section on the same standalone fedora 33

  • Comparing sysctl key pairs with scan profile
    • dev.tty.ldisc_autoload (exp: 0) [ DIFFERENT ]
    • fs.protected_fifos (exp: 2) [ DIFFERENT ]
    • fs.protected_hardlinks (exp: 1) [ OK ]
    • fs.protected_regular (exp: 2) [ DIFFERENT ]
    • fs.protected_symlinks (exp: 1) [ OK ]
    • fs.suid_dumpable (exp: 0) [ DIFFERENT ]
    • kernel.core_uses_pid (exp: 1) [ OK ]
    • kernel.ctrl-alt-del (exp: 0) [ OK ]
    • kernel.dmesg_restrict (exp: 1) [ OK ]
    • kernel.kptr_restrict (exp: 2) [ DIFFERENT ]
    • kernel.modules_disabled (exp: 1) [ DIFFERENT ]
    • kernel.perf_event_paranoid (exp: 3) [ DIFFERENT ]
    • kernel.randomize_va_space (exp: 2) [ OK ]
    • kernel.sysrq (exp: 0) [ DIFFERENT ]
    • kernel.unprivileged_bpf_disabled (exp: 1) [ DIFFERENT ]
    • kernel.yama.ptrace_scope (exp: 1 2 3) [ DIFFERENT ]
    • net.core.bpf_jit_harden (exp: 2) [ DIFFERENT ]
    • net.ipv4.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
    • net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
    • net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
    • net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
    • net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
    • net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
    • net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
    • net.ipv4.conf.all.rp_filter (exp: 1) [ DIFFERENT ]
    • net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
    • net.ipv4.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
    • net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ]
    • net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ]
    • net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
    • net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
    • net.ipv4.tcp_syncookies (exp: 1) [ OK ]
    • net.ipv4.tcp_timestamps (exp: 0 1) [ OK ]
    • net.ipv6.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
    • net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
    • net.ipv6.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
    • net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]

does it make any sense to fiddle with the kernel there?
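An added example (not from the thread or from Lynis) that re-implements the sysctl comparison pasted above for a constructed subset of the listed keys, including the multi-value expectation for kernel.yama.ptrace_scope, and renders a sysctl.d drop-in for keys you decide to change in the VM; the subset and the drop-in filename are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Lynis. Re-implements the
# "Comparing sysctl key pairs with scan profile" check for a few keys taken
# from the scan above ("exp: 1 2 3" means any listed value is accepted) and
# renders a sysctl.d drop-in for the keys you choose to change inside the VM.

# expected_match ACTUAL EXP... -> prints OK or DIFFERENT; exit 0 only on match.
expected_match() {
    actual=$1; shift
    for want in "$@"; do
        if [ "$actual" = "$want" ]; then echo OK; return 0; fi
    done
    echo DIFFERENT; return 1
}

# sysctl_check KEY EXP... -> one line in Lynis style, read from the live kernel.
# Exit: 0 match, 1 different, 2 key absent (e.g. not built into this VM kernel).
sysctl_check() {
    key=$1; shift
    if ! cur=$(sysctl -n "$key" 2>/dev/null); then
        echo "$key (exp: $*) [ MISSING ]"; return 2
    fi
    status=$(expected_match "$cur" "$@")
    echo "$key (is: $cur, exp: $*) [ $status ]"
    [ "$status" = OK ]
}

# render_dropin KEY=VALUE... -> contents for a file such as
# /etc/sysctl.d/90-lynis.conf (filename is an assumption, not from the post).
render_dropin() {
    echo "# generated from the Lynis scan profile; review each key before applying"
    for kv in "$@"; do
        printf '%s = %s\n' "${kv%%=*}" "${kv#*=}"
    done
}

# Constructed subset of the expectations pasted above.
PROFILE='dev.tty.ldisc_autoload 0
fs.protected_fifos 2
fs.suid_dumpable 0
kernel.yama.ptrace_scope 1 2 3
net.ipv4.conf.all.rp_filter 1'

echo "$PROFILE" | while read -r line; do
    # word splitting on the spec line is intended: key, then accepted values
    set -- $line
    sysctl_check "$@" || :
done

# Example drop-in for two of the keys the scan reported as DIFFERENT:
render_dropin fs.protected_fifos=2 kernel.sysrq=0
```

Run it inside the VM you are auditing; keys reported MISSING are not exposed by that VM's kernel and cannot be set from sysctl.d.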

can you use preformatted text please

they are quite safe to change

i checked this on the internet and this is normal (i think no mod needed)

mostly no for this tool

sorry, I tried to post it as a blockquote, but while adding the second blockquote by editing the thread, it was posted that way.

Do the other services have to do with system requirements?

how many points did you get via lynis?
I got just 67 (without fiddling)

And by the way… what is “/usr/sbin/xl”? Is it a Xen service (I suppose)?
rkhunter shows it as possible rootkit

it can be

62

correct

what about dnsmasq and such things? I found this here: https://github.com/QubesOS/qubes-issues/issues/37 He talks about DNAT to DNS server, but it’s from 2015.

it’s a dns server (and sometimes a dhcp, tftp server)

Completed?

DNAT to DNS is Destination NAT used to forward dns, which makes sys-net safer because dns is processed in the vm instead of sys-net (does that make dnsmasq necessary in other qubes instead of sys-net?)

hmm… interesting, even if I don’t really understand the exact way of working between sys-net and other VMs. And how can I set DNAT to DNS, via iptables in the sys-net?
What about implementing dnscrypt in Qubes?

idk

so it seems to me that the qubes team will implement dnscrypt in qubes