Hello.
Are there any QubesOS hardening guides or tips or are the default settings hardened enough?
what do you recommend
I think Qubes manages to be a reasonably secure OS by focusing on compartmentalization while giving up on “hardening” stuff.
See:
So I would say it is not “hardened” enough, but who cares?
any guides or tips to harden it?
Dom0 is already very reasonably hardened. I’d advise against doing any significant “hardening” modifications within dom0. However, you can still harden the templates themselves, I suppose. But then again, what could constitute “hardening” in your case depends entirely on your threat model.
Hardening against what?
Tell me your threat model and I’ll tell you, as well as I can, how to harden your Qubes OS installation.
@Kubeis The best guides (scripts) for max hardening
I think you can just use a hardened template and not have to reinvent the wheel.
For example you can use the Whonix-ws template, which has strong hardening already, but it’s focused on anonymity.
However, if you want a heavily hardened template, then go with Kicksecure, which is very locked down, but hard to work with, as you have to set a lot of permissions, and you even have to boot to a different kernel just to run sudo.
Both are available in the Template Manager for you to download.
Unikernels are cool and I like them :]
IMO the weakest aspect of Qubes is that, despite all efforts of the developers, compartmentalizing things has notable friction. Check out stuff like Quick Quality-of-Life Improvements, write your own scripts, figure out your own security policy and find a way to reliably enforce it (e.g. never move things from less trusted to more trusted domains, never open files in vaults, etc. - what you are allowed to do, how, in what situations, and why).
Customized qrexec policies, passwordful root and MAC could be useful for further hardening but only in some circumstances.
I bet I’m forgetting some stuff at this point but you will get the hang of it over time.
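The rule “never move things from less trusted to more trusted domains” can be enforced with a custom qrexec policy rather than by discipline alone. The following is an added example, not code from the thread or from the Qubes project: a small evaluator for a subset of the Qubes OS 4.x policy-file syntax (`service argument source destination action`, with `@anyvm`, `@tag:NAME`, `@type:CLASS` and literal qube names), used to check a constructed `30-user.policy` against a constructed set of qubes and tags. The point it shows is that qrexec applies the first matching line, so a narrow `deny` must come before the broad `ask` that the default policy provides; placing the lines the other way round silently makes the deny dead. Qube names, tags and the policy lines are assumptions for illustration; `!include`, `@adminvm`, `@dispvm`, `@default` and action parameters are deliberately not modelled.

```python
"""Tiny evaluator for a subset of the Qubes OS 4.x qrexec policy format.

Added example, not part of the forum thread or of Qubes' own tooling.
Subset: `service argument source destination action`; tokens `@anyvm`,
`@tag:NAME`, `@type:CLASS`, literal qube names; `*` as wildcard service or
argument; full-line `#` comments.  `!include`, `@adminvm`, `@dispvm`,
`@default` and action parameters are not handled.
"""
from dataclasses import dataclass

# Constructed inventory: qube name -> tags (as `qvm-tags` would list) and class.
QUBES = {
    "vault":     {"tags": {"trusted"},   "klass": "AppVM"},
    "work":      {"tags": {"trusted"},   "klass": "AppVM"},
    "untrusted": {"tags": {"untrusted"}, "klass": "AppVM"},
    "sys-net":   {"tags": {"untrusted"}, "klass": "AppVM"},
    "disp1234":  {"tags": set(),         "klass": "DispVM"},
}

# Constructed policy in the syntax of /etc/qubes/policy.d/30-user.policy,
# which is evaluated before 90-default.policy.  Line order is the point:
# the two deny lines must precede the broad ask line to ever take effect.
USER_POLICY = """\
# 30-user.policy (constructed example)
qubes.Filecopy  *  @tag:untrusted  @tag:trusted  deny
qubes.Filecopy  *  @anyvm          vault         deny
qubes.Filecopy  *  @anyvm          @anyvm        ask
qubes.OpenInVM  *  @anyvm          @type:DispVM  allow
"""

# Same rules with the ask line first: the deny below it is never reached.
MISORDERED_POLICY = """\
qubes.Filecopy  *  @anyvm          @anyvm        ask
qubes.Filecopy  *  @tag:untrusted  @tag:trusted  deny
"""


@dataclass
class Rule:
    service: str
    argument: str
    source: str
    destination: str
    action: str


def parse_policy(text: str) -> list[Rule]:
    """Parse policy lines into Rule objects, skipping blanks and comments."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        rules.append(Rule(*parts[:5]))
    return rules


def _match_qube(token: str, name: str) -> bool:
    """Does a source/destination token match the qube called `name`?"""
    if token == "@anyvm":
        return True
    if token.startswith("@tag:"):
        return token[len("@tag:"):] in QUBES[name]["tags"]
    if token.startswith("@type:"):
        return token[len("@type:"):] == QUBES[name]["klass"]
    return token == name


def decide(rules: list[Rule], service: str, argument: str,
           source: str, destination: str) -> str:
    """Return the action of the first matching rule; no match means deny."""
    for r in rules:
        if r.service not in ("*", service):
            continue
        if r.argument not in ("*", argument):
            continue
        if _match_qube(r.source, source) and _match_qube(r.destination, destination):
            return r.action
    return "deny"


def demo() -> dict:
    """Evaluate a few constructed requests against USER_POLICY."""
    rules = parse_policy(USER_POLICY)
    return {
        "untrusted->work": decide(rules, "qubes.Filecopy", "", "untrusted", "work"),
        "work->vault":     decide(rules, "qubes.Filecopy", "", "work", "vault"),
        "work->untrusted": decide(rules, "qubes.Filecopy", "", "work", "untrusted"),
        "work->disp":      decide(rules, "qubes.OpenInVM", "", "work", "disp1234"),
        "no rule at all":  decide(rules, "qubes.ClipboardPaste", "", "work", "untrusted"),
    }


if __name__ == "__main__":
    for request, action in demo().items():
        print(f"{request:16s} -> {action}")
    bad = parse_policy(MISORDERED_POLICY)
    print("misordered untrusted->work ->", decide(bad, "qubes.Filecopy", "", "untrusted", "work"))
```

On a real system the equivalent check is `qrexec-policy` in dom0, and `@tag:` tokens only work once the tags have been set with `qvm-tags`; the evaluator above exists only to make the first-match behaviour visible before touching `/etc/qubes/policy.d/`.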
For hardening, I would first decide what to harden against. If you’re looking to harden the OS software further, then perhaps install a TemplateVM that has a hardened kernel and packages (especially the browser) compiled with various hardening flags? Alpine Linux comes to mind.
Also interested, how would you harden for an example threat model: state adversaries (targeted), script kiddies & stalkers?
I’m no expert in this field, but this came to my mind:
I’d check for any kind of EMA hardening.
Remove all smart devices from my home WLAN. Use a dedicated firewall like IPFire between Qubes OS and my Internet access, which is done solely over LAN.
Never use a smart device for critical communication, just cat videos.
Use Tor bridges like webtunnel together with sys-whonix.
I have a very detailed threat model for myself and it took me some time to make it. AIs like Grok or ChatGPT are pretty good at asking the right questions when briefed accordingly (= good prompting).
There are lots of good templates for threat modeling out there, too.
It’s always better to do it yourself than trust anyone. Even me… hehe.
When considering state actors as adversaries, it makes a significant difference whether you live in a country where you are not legally obligated to decrypt your devices (LUKS, password managers, etc.) and ultimately cannot be forced to do so, or whether you live in a country where this is not the case and you may even be compelled to decrypt through the use of force.
However, our discussion is drifting from pure Qubes OS topics like hardening to pure privacy topics like threat modeling, which are certainly better suited here: https://discuss.privacyguides.net/