I am trying to decide which distribution / OS to use for my Qubes VMs. I have read a few discussion regarding this on the mailing list, but it does not seem like there was any conclusion, so I am hoping to get some answers/suggestions here
Ideally, I would want something minimal, has a small attack surface, but is still easily maintainable. So far, here is what I current understand:
Compared to the likes of Debian, Fedora ships more up to date packages and has less downstream patching. Even with the 6 month (1 whole release cycle) behind Fedora version Qubes ships in the stable repository, Fedora packages are still generally more up to date than what’s on Debian’s stable repository, which is a plus.
However, it does look like that SELinux is currently non-functional, and the fact that the repository metadata is not signed could be a risk.
Generally, I do not want to use Debian at all. Their packages are very outdated, and as far as I know, they only fix bugs that have a CVE filed. I get nervous thinking about the bugs that do not have a CVE or bugs that they refuse to fix/hold back until the next Debian release. I also know that while the repository metadata is signed, the packages are not.
However, I am also aware that KickSecure exists. Their security-misc package is particularly helpful, especially with out of the box sysctl hardening, a large kernel module blacklist, SUID removal, etc. Their hide-hardware-info.service does work nicely on NetVMs as well. I can replicate a lot of these on a normal Fedora template, but that will require a lot more effort on my part compared to just relying on someone else (who is a security professional) to maintain the security configuration instead.
The lkrg-dkms package being available on the KickSecure is a plus, as I do not want to keep track of version updates and manually compile the kernel module myself. The same thing goes with the hardenedmalloc package, it’s nice just heaving it being automatically available.
Oh, and AppArmor works just fine too.
With Arch, I get the benefit of getting updated packages with minimal downstream patching like Fedora, and I can (or at least I think I can) get AppArmor working. I could also replicate some feautres of security-misc, but again, that would be a bit more work than just relying on someone else to maintain it.
The obvious downside with this is that Arch is not officially supported, I don’t know if the Qubes Updater works with pacman or not, and even if it does, dealing with AUR packages like hardened_malloc or lkrg-dkms would still require additional maintenance work from me. There is no concept of “meta packages” or distro upgrade either, so if a package in the software sttack becomes deprecated/obsolete, I wouldn’t notice.
I don’t know much about these operating systems / unikernels. I saw some posts arguing that they would be better than Linux for something like sys-net or sys-firewall, but then again, they are not officially supported, and I would imagine maintaining the system with them would be hell. Take Mirage for example, it is not availble as a package on any repo, and I wouldn’t know when to rebuild/redeploy it. Or take OpenBSD/HardenedBSD, does the wrapper even work with their package managers? Do I need to check for updates manually?
Overall, I am torn on which operating system to pick, for which purpose. I want something that at least has decent security so Xen wouldn’t be the only thing that’s protecting me. I don’t mind spending a lot of time setting the system up, but once it is up, I don’t want to spend a lot of time maintaining it.