Sdwdate Disabled in Kicksecure Template

Hello,

I noticed that sdwdate has been disabled in the kicksecure template due to lack of support. What alternative should I use? Would it be sufficient to install chronyd and configure it with NTS servers?

Thank you!

2 Likes

@unman

1 Like

What are you aiming to do? What level of time precision do you want/need?

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

1 Like

I don’t have any specific goals or needs. I initially thought sdwdate was important because it was included with Kicksecure. Is it necessary to have an NTP/NTS server running within the template(s)? I noticed that dom0 synchronizes the time with the Qubes.

1 Like

sdwdate generally works in Kicksecure.

due to lack of support.

These are 2 non-obvious assumptions, statements without stating or referencing how these have been concluded.

It’s possible to have a Kicksecure based ClockVM which is using sdwdate. Documented just now:

2 Likes

Ah, it’s disabled in the template and enabled in the AppVM. I thought everything would be copied from the template to the AppVM.

By the way, I also can’t see Kicksecure in the sdwdate logo on the tray bar when running the AppVM. Not sure if that’s already been reported. I can see anon-whonix etc though.

It’s great to know that the clockVM can be set to sdwdate! How can we test if it’s working?

1 Like

Inside a Kicksecure based App Qube the Qubes sdwdate watcher [1] is functional. But there is no App Qube with sdwdate-gui-qubes to report it to by default.

In case of Whonix App Qubes, the sdwdate watcher uses qrexec to notify sys-whonix but in case of Kicksecure App Qubes it’s not clear yet which App Qube to send the sdwdate status to. Qrexec policy [2] will need some changes. [3]

Issue: Kicksecure inside Debian Template sdwdate qrexec Denied message · Issue #7447 · QubesOS/qubes-issues · GitHub

I doubt any progress will be made before build Kicksecure Qubes Template · Issue #9573 · QubesOS/qubes-issues · GitHub is done.

Alternatively, meanwhile you could start from terminal:

sdwdate-gui-qubes

Or.

sdwdate-gui

Or.

sudo sdwdate-log-viewer

The indirect way to reply to this is: Unspecific to Kicksecure / sdwdate. Same as for verification of a default Qubes ClockVM.

Quote The Challenge of System Audits:

Performing system audits is beyond the reach of non-technical users.
[…]
Similarly, expecting a non-technical user to conduct a system audit is unrealistic.

Users aren’t expected to audit that part or any other part of the system. Out-of-scope for support.


[1] Technical information for developers:

  • /etc/xdg/autostart/sdwdate-gui.desktop
  • /usr/libexec/sdwdate-gui/start-maybe
  • /usr/libexec/sdwdate-gui/sdwdate-watcher
  • /usr/lib/python3/dist-packages/sdwdate_gui/sdwdate_watcher.py

[2]

[3]

  • Above file could be modified. This is what I am currently using. sdwdate watcher reports sdwdate status to sdwdate-gui running in sys-whonix. Might be confusing for users. So this might not be how it will be implemented when this gets improved.
# service            arg       source            target            action params

whonix.SdwdateStatus +         @tag:anon-gateway @tag:anon-vm      allow  autostart=no notify=no
whonix.SdwdateStatus +         @tag:anon-gateway @default          allow  target=sys-whonix autostart=no
whonix.SdwdateStatus +         @anyvm            @anyvm            allow  autostart=no

whonix.NewStatus     *         @tag:anon-vm      @tag:anon-gateway allow  autostart=no
whonix.NewStatus     *         @anyvm            @anyvm            allow  autostart=no

whonix.GatewayCommand +restart @tag:anon-gateway @tag:anon-vm      allow  autostart=no
whonix.GatewayCommand +stop    @tag:anon-gateway @tag:anon-vm      allow  autostart=no
whonix.GatewayCommand +showlog @tag:anon-gateway @tag:anon-vm      allow  autostart=no
whonix.GatewayCommand *        @anyvm            @anyvm            allow  autostart=no

2 Likes
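
Added example (not part of the thread and not Qubes code): a simplified Python model of first-match qrexec policy evaluation, run over the policy posted above, showing which line decides a status report from a Kicksecure App Qube and which lines allow a call between any two qubes. The qube name kicksecure-app and all function names are assumptions; only @anyvm, @tag: and literal names are modelled.

```python
# Added example: simplified model of qrexec policy matching, not Qubes code.
from collections import namedtuple

Rule = namedtuple("Rule", "service arg source target action params")

# Policy lines as posted in the thread above.
POLICY = """\
whonix.SdwdateStatus +         @tag:anon-gateway @tag:anon-vm      allow  autostart=no notify=no
whonix.SdwdateStatus +         @tag:anon-gateway @default          allow  target=sys-whonix autostart=no
whonix.SdwdateStatus +         @anyvm            @anyvm            allow  autostart=no
whonix.NewStatus     *         @tag:anon-vm      @tag:anon-gateway allow  autostart=no
whonix.NewStatus     *         @anyvm            @anyvm            allow  autostart=no
whonix.GatewayCommand +restart @tag:anon-gateway @tag:anon-vm      allow  autostart=no
whonix.GatewayCommand +stop    @tag:anon-gateway @tag:anon-vm      allow  autostart=no
whonix.GatewayCommand +showlog @tag:anon-gateway @tag:anon-vm      allow  autostart=no
whonix.GatewayCommand *        @anyvm            @anyvm            allow  autostart=no
"""

def parse(text):
    """Turn policy text into Rule tuples, skipping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            rules.append(Rule(*fields[:5], tuple(fields[5:])))
    return rules

def token_matches(token, name, tags):
    """Modelled tokens only: @anyvm, @tag:NAME, and literal names such as @default."""
    if token == "@anyvm":
        return name != "@adminvm"
    if token.startswith("@tag:"):
        return token[len("@tag:"):] in tags
    return token == name

def decide(rules, service, arg, src, src_tags, dst, dst_tags):
    """Return the first rule matching the call, or None (no match means deny)."""
    for r in rules:
        if (r.service in ("*", service) and r.arg in ("*", "+" + arg)
                and token_matches(r.source, src, src_tags)
                and token_matches(r.target, dst, dst_tags)):
            return r
    return None

def catch_all_allows(rules):
    """Rules that allow the call between any two qubes."""
    return [r for r in rules if r.action == "allow" and r.source == r.target == "@anyvm"]

if __name__ == "__main__":
    # Constructed call: a Kicksecure App Qube (no anon-vm tag) reporting to sys-whonix.
    print(decide(parse(POLICY), "whonix.NewStatus", "", "kicksecure-app", set(),
                 "sys-whonix", {"anon-gateway"}))
```

Because the first matching line wins, rule order matters: a tagged Whonix qube is decided by the tag-specific line, while an untagged Kicksecure qube falls through to the @anyvm line.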