Template Hardening

Are there steps that can be taken to harden Qubes templates for Debian and Fedora? Things like exploit mitigations, kernel and boot flags, app sandboxing, AppArmor, SELinux, etc. I don’t see any documentation that talks about this. Was looking to follow this guide:

https://madaidans-insecurities.github.io/guides/linux-hardening.html

Creating templates themselves is the best hardening one could imagine, thanks to the Qubes OS concept of security-by-isolation (or security-by-compartmentalization).

There are a lot of topics on the forum regarding “hardening”, so please feel free to research.

Is there any kind of package available in the Qubes repo that can assist with the creation of templates or the hardening of templates? I mean something that can be installed via the Yum Extender (DNF).

It has some flaws though: Templates | Qubes OS

Which is why we call it “reasonably secure”, since hardly any other could fall into this category :)

How to harden a template is that a guide on how to do it?

It depends on why you want to harden it. What are you defending against? What is your threat model?

Let’s assume the highest possible threat model just for the sake of example.

This is not so simple. Do you expect that someone can come to your home and take your machine and read your data? If yes, you probably should use TAILS, not Qubes. Do you expect that someone can infect your BIOS while you leave your computer unattended? Then, you should use Heads or AEM.

Do you think that state actors are trying to get you? Then, you have almost no chance to hide. Enter your passwords under a blanket, live in hotels for no longer than a day, and it will not help you.

Now, realistically, for 99% of people the default Qubes install should be reasonably secure. You can use minimal templates to further reduce your attack surface and do other things mentioned above. The best approach with Qubes is to compartmentalize your digital life as much as possible, to defend from online threats. There is no end to hardening, but it’s a good idea to stop somewhere.

You are describing side-channel attacks performed by spooks.

Tempest (electromagnetic) monitoring, audio/video monitoring, evil maid attacks, and other firmware-level attacks like flashing the SPI chip or attacks like USB, SD card, Ethernet, etc. Don’t forget side channels like insecure smart TVs, laptops, cell phones (anything with networking drivers). In reference to Tails, there was a legal case against a person who used Tails in a malicious way and a 0-day in the Tor Browser was used to de-cloak the IP address which led to an arrest. Whonix would have prevented this and Whonix is the gold standard. Tails is woefully insufficient on its own. Something like HiddenVM (https://github.com/aforensics/HiddenVM) would be a better option because you can run Whonix inside of a Tails VM with anti-forensic properties.

I was asking about specific steps to harden Qubes templates (using Saltstack).

Also, I recently found that Alpine Linux has a Xen-specific .iso which can be used in Qubes as a standalone OS, or as the basis for a template. I think the Qubes community should pursue Alpine Linux as a means of offering a more secure OS template with exploit mitigations like PIE (Position Independent Executables), musl libc and stack smashing protection.