Minimal Templates and Kicksecure

GostoColletti3486 · May 16, 2022, 8:38am

Hi, I’m not quite sure if I’m posting my thread in the right place, I apologize in advance to the moderation if you have to move it to another place.

I have a topic I’ve been thinking about for the past day, it’s about minimal debian templates and integrating Kicksecure enhancements into them.

What do you think, is the meaning and philosophy of minimal debian templates lost once Kicksecure enhancements are installed in them?
Because there are a lot of dependencies and libraries, my image of minimal template increased by ~800mb after installing Kicksecure in it.

Package kicksecure-qubes-cli besides necessary installs auxiliary packages, such as openvpn. You can probably cut them out, but I’m afraid to do it for fear of breaking something.

I also had a problem updating appvm after installing kicksecure in a template. I wrote about this problem in detail here: —

I’m very interested to hear your opinion and reasoning on this.

Thanks for reading.

Regards Gosto Colletti.

BEBF738VD · May 16, 2022, 9:09am

Hello,
I’ve been using kicksecure-based templates for a while now without many issues. It’s true they’re a bit heavier and use a bit more resources (I’ve had to up the max ram of sys qubes of ~150/200Mb), but it’s a trade-off you may or may not want for extra security.

I did some testing and you can install security packages without full distro morphing:

Did you use the --no-install-recommends parameter when installing packages?

The link is missing, but I haven’t had this problem.

GostoColletti3486 · May 16, 2022, 2:16pm

Thank you for the instructions, but I intend to use the full distribution conversion

Oh, I’m sorry, here is the link to the problem KickSecure Minimal Templates update problem in AppVM - #2 by tzwcfq

My question was more of a reflection on how much the critical code base increases after installing KickSecure enhancements.

BEBF738VD · May 16, 2022, 2:47pm

Fair enough, I only mentioned that option because you seem to want to cut down on packages.

Another option is to install dummy-dependency and then remove whatever package you don’t need.
Source: Debian Packages - Kicksecure

GostoColletti3486 · May 16, 2022, 3:10pm

Oh, thank you, that sounds interesting, I will definitely try it and post my results on the forum

KarlinQubes · June 16, 2022, 9:12am

Have you arrived at some form of conclusion on this question? I’m curious also.

Especially RE: Sys- qubes.

BEBF738VD · June 16, 2022, 9:20am

Check out the link I provided above to remove unwanted packages.
Otherwise you can disable and mask unused systemd services.

Just for reference, my sys-net, sys-firewall, sys-usb (ks based on deb-11-minimal) are running on 250Mb of ram (with all security services enabled, and things like openvpn and auto-updates disabled).

thewanderer · August 23, 2022, 12:51am

I have also successfully installed kicksecure on minimal DISP sys-firewall with hardening checklists features (LKRG, tirdad etc). Maybe this deserves a write-up/howto as some of the details are different to the docs and scattered all over the place. Especially around the using debian VM kernel and headers. Anyone interested in one?

KarlinQubes · August 23, 2022, 11:34am

Absolutely, please do it!