Hi, I’m not quite sure if I’m posting my thread in the right place; I apologize in advance to the moderation if you have to move it to another place.
I have a topic I’ve been thinking about for the past day; it’s about minimal Debian templates and integrating Kicksecure enhancements into them.
What do you think, is the meaning and philosophy of minimal debian templates lost once Kicksecure enhancements are installed in them?
Because there are a lot of dependencies and libraries, my image of minimal template increased by ~800mb after installing Kicksecure in it.
Besides the necessary packages, the kicksecure-qubes-cli package installs auxiliary packages, such as openvpn. You can probably cut them out, but I’m afraid to do it for fear of breaking something.
I also had a problem updating appvm after installing kicksecure in a template. I wrote about this problem in detail here: —
I’m very interested to hear your opinion and reasoning on this.
Hello,
I’ve been using kicksecure-based templates for a while now without many issues. It’s true they’re a bit heavier and use a bit more resources (I’ve had to up the max ram of sys qubes of ~150/200Mb), but it’s a trade-off you may or may not want for extra security.
I did some testing and you can install security packages without full distro morphing:
Did you use the --no-install-recommends parameter when installing packages?
The link is missing, but I haven’t had this problem.
Check out the link I provided above to remove unwanted packages.
Otherwise you can disable and mask unused systemd services.
Just for reference, my sys-net, sys-firewall, sys-usb (ks based on deb-11-minimal) are running on 250Mb of ram (with all security services enabled, and things like openvpn and auto-updates disabled).
I have also successfully installed kicksecure on minimal DISP sys-firewall with hardening checklist features (LKRG, tirdad, etc.). Maybe this deserves a write-up/howto, as some of the details are different from the docs and scattered all over the place, especially around using the Debian VM kernel and headers. Anyone interested in one?