Hi,
I am trying to decide which distribution / OS to use for my Qubes VMs. I have read a few discussions regarding this on the mailing list, but it does not seem like there was any conclusion, so I am hoping to get some answers/suggestions here.
Ideally, I would want something minimal that has a small attack surface but is still easily maintainable. So far, here is what I currently understand:
Fedora
Compared to the likes of Debian, Fedora ships more up-to-date packages and has less downstream patching. Even with the Fedora version that Qubes ships in the stable repository being 6 months (one whole release cycle) behind, Fedora packages are still generally more up to date than what's on Debian's stable repository, which is a plus.
However, it does look like SELinux is currently non-functional, and the fact that the repository metadata is not signed could be a risk.
Debian
Generally, I do not want to use Debian at all. Their packages are very outdated, and as far as I know, they only fix bugs that have a CVE filed. I get nervous thinking about the bugs that do not have a CVE or bugs that they refuse to fix/hold back until the next Debian release. I also know that while the repository metadata is signed, the packages are not.
However, I am also aware that KickSecure exists. Their security-misc package is particularly helpful, especially with out-of-the-box sysctl hardening, a large kernel module blacklist, SUID removal, etc. Their hide-hardware-info.service does work nicely on NetVMs as well. I can replicate a lot of these on a normal Fedora template, but that will require a lot more effort on my part compared to just relying on someone else (who is a security professional) to maintain the security configuration instead.
The lkrg-dkms package being available on KickSecure is a plus, as I do not want to keep track of version updates and manually compile the kernel module myself. The same thing goes for the hardenedmalloc package; it's nice just having it automatically available.
Oh, and AppArmor works just fine too.
Arch
With Arch, I get the benefit of getting updated packages with minimal downstream patching like Fedora, and I can (or at least I think I can) get AppArmor working. I could also replicate some features of security-misc, but again, that would be a bit more work than just relying on someone else to maintain it.
The obvious downside with this is that Arch is not officially supported, I don't know if the Qubes Updater works with pacman or not, and even if it does, dealing with AUR packages like hardened_malloc or lkrg-dkms would still require additional maintenance work from me. There is no concept of "meta packages" or distro upgrade either, so if a package in the software stack becomes deprecated/obsolete, I wouldn't notice.
OpenBSD/HardenedBSD/Mirage
I don't know much about these operating systems / unikernels. I saw some posts arguing that they would be better than Linux for something like sys-net or sys-firewall, but then again, they are not officially supported, and I would imagine maintaining the system with them would be hell. Take Mirage for example: it is not available as a package on any repo, and I wouldn't know when to rebuild/redeploy it. Or take OpenBSD/HardenedBSD: does the wrapper even work with their package managers? Do I need to check for updates manually?
Overall, I am torn on which operating system to pick, for which purpose. I want something that at least has decent security so Xen wouldn't be the only thing that's protecting me. I don't mind spending a lot of time setting the system up, but once it is up, I don't want to spend a lot of time maintaining it.
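The post mentions replicating security-misc style hardening (sysctl hardening, a kernel module blacklist, SUID review) by hand on a plain Fedora template. The following script is an added example of what that looks like in practice; it is not code from the original post, from KickSecure, or from the Qubes project. The sysctl values, the module names and the file names are this example's own illustrative choices, not security-misc's actual list, and the audit helper reads /proc/sys directly so it can be run before and after `sysctl --system` to see which settings took effect.

```shell
#!/bin/sh
# Added example (not from the original post): a small, hand-maintained subset of
# "security-misc style" hardening for a Fedora-based Qubes template.
# All parameter values and module names below are this example's own choices,
# not KickSecure's list; review them against your own template's needs.
set -eu

# Write sysctl hardening into a drop-in file under the given directory
# (/etc/sysctl.d on a real template; a scratch directory when testing).
# Prints the path of the file it wrote.
write_sysctl_hardening() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/90-hardening.conf" <<'EOF'
# Hide kernel pointers from unprivileged users
kernel.kptr_restrict = 2
# Restrict dmesg to root
kernel.dmesg_restrict = 1
# Restrict ptrace to descendants only (Yama)
kernel.yama.ptrace_scope = 2
# Disable the magic SysRq key
kernel.sysrq = 0
# Unprivileged BPF off, BPF JIT hardened
kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2
# Ignore ICMP redirects and use strict reverse-path filtering
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv6.conf.all.accept_redirects = 0
EOF
    echo "$dir/90-hardening.conf"
}

# Blacklist rarely needed kernel modules. "install <mod> /bin/false" stops the
# module from being loaded even on demand, unlike a plain "blacklist" line.
# Prints the path of the file it wrote.
write_module_blacklist() {
    dir="$1"
    mkdir -p "$dir"
    out="$dir/90-hardening-blacklist.conf"
    : > "$out"
    for mod in firewire-core thunderbolt cramfs freevxfs jffs2 hfs hfsplus udf; do
        echo "install $mod /bin/false" >> "$out"
    done
    echo "$out"
}

# Audit a sysctl drop-in against the running kernel by reading /proc/sys.
# Prints one "MISMATCH key: want=X have=Y" line per differing key; returns 1
# if any key differs, 0 if every readable key already matches.
audit_sysctl_file() {
    file="$1"
    rc=0
    # Strip comments/blank lines, then compare each key = value pair.
    while IFS= read -r line; do
        key=$(printf '%s' "$line" | cut -d= -f1 | tr -d ' ')
        want=$(printf '%s' "$line" | cut -d= -f2- | tr -d ' ')
        path="/proc/sys/$(printf '%s' "$key" | tr . /)"
        [ -r "$path" ] || continue
        have=$(tr -s '\t ' ' ' < "$path" | sed 's/^ //; s/ $//')
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key: want=$want have=$have"
            rc=1
        fi
    done <<EOF
$(grep -v '^[[:space:]]*#' "$file" | grep '=')
EOF
    return $rc
}

# List setuid binaries under a directory so the SUID bits can be reviewed
# (and dropped with "chmod u-s" where the template does not need them).
list_setuid_binaries() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Usage: run with --apply on the template to write the real drop-ins,
# then "sysctl --system" and a reboot pick them up. Without --apply the
# functions are only defined, so the script is safe to source or to test.
if [ "${1:-}" = "--apply" ]; then
    write_sysctl_hardening /etc/sysctl.d
    write_module_blacklist /etc/modprobe.d
    audit_sysctl_file /etc/sysctl.d/90-hardening.conf || true
    list_setuid_binaries /usr
fi
```

The audit function is the part that matters for maintainability: a hand-rolled configuration is only as good as the last time someone checked it, so running the audit after each template update is a cheap way to notice a setting that a package upgrade or a kernel change silently reverted.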