[qubes-users] Hardening Guide for Paranoid Noobs?

Stumpy:

I was reminded about Qubes hardening that Chris L has been working on
and also noticed that Patrick/Whonix is now basing Whonix on their
Kicksecure distro and was trying (not so successfully) to absorb all of
this. I got the impression that Chris's work wouldn't jive so well with
Kicksecure (fair enough, can just use it on non-Whonix setups) but wasn't
sure. Also there is the idea of DVM sys-* (net/usb/firewall/etc) VMs, which
sounded like they would add an extra layer of security, maybe based on
CentOS (I have seen conversations about how Fedora doesn't sign or
something apps in their repos? Please don't troll me, I am not trying to
pretend like I understand that) and some other things that I am sure I
have missed (maybe an iptable/firewall GUI [apart from what's built into
Qubes settings... I just don't find that intuitive]).

Just running Qubes by itself is already more hardened than 99% of people
out there, so if your main concern is standard/driveby attacks against
mainstream OSes, you shouldn't be very much so.

My threat model is not super strict at home (when traveling toooootally different scenario [lots of diff scenarios actually, will save for another post])

You cover multiple points:

- There is something in the works to allow custom kernels inside AppVMs.
Whonix and others can use them for additional hardening and/or
additional drivers. Don't think it's released yet.

Nice! I wasn't aware of that, will hurry up and wait :)

- Chris's VM hardening works on regular qubes. Not sure if it will on
Whonix ones.

I got the impression it wouldn't but that might be moot as Kicksecure seems to be quite hardened.

- DVM sys-* is pretty straight-forward, just follow the docs.

True enough I guess

- CentOS is unrelated.

Well I had mentioned CentOS since I thought their packages, like RH, were signed?

If you're concerned about Fedora's lack of
signing, switch to Debian templates, or some other that has signing.

So CentOS doesn't sign their packages?

- Mirage can be used as a sys-firewall replacement.

I thought about that, I ended up just going with a minimal CentOS template for my sys-* AppVMs.

I know there have been back and forths about Qubes "Ease of use" especially for non-techies; I consider myself somewhere in the middle, but I was wondering about configs during start up? I totally understand the Qubes Team has more important (sec) things to work on but I think a UX person was hired to address some of the UX things in Qubes which could be polished? (not 100% sure about that, maybe I was reading about another distro). It would just be nice if a thorough howto could bring much of the hardening documentation together rather than skipping around from one doc to another - or better yet make some of these things options during the install like "which distro would you like to use for your minimal templates", "Would you like to add X community templates", "click here to input your VPN provider info if you want a VPN proxy", "click here if you want your sys-* to be a DVM", "select your win iso if you want a MS win AppVM, and click here if you want it to be standalone or a template". While I am completely aware that it's easier to suggest such things than to actually do them, it seems like a worthy goal for making a more versatile and perhaps noobish friendly Qubes while also addressing FAQ (granted not everything I listed is a regular mailing/forum list question) which might make those FAQs a bit less... frequent? :)

Anyway, just my ? cents.

Cheers