What's the best way to check if qubes is hacked?

As the topic says… what's the absolute best way to check the integrity of a qubes install, or whether you have been hacked? sys-net, or sys-firewall or dom0 and so on?
Any step-by-step guide for that on this forum? I think someone might have hacked my passwords… hmm. I got nothing to hide, but that would be disrespectful, that's all. You ask for permission, not break into sites or computers without asking. Some weird login messages on sites and so on… I'm more for white-hats than if some black-hats break into systems like that…
But I might be paranoid also. I'm no hacker so I can't tell if I have been hacked really. What's the best way to check? Thanks

If you think you've been hacked, either delete the qubes and templates affected and reinstall them, or do a full OS reinstall. I like to make my sys VMs disposable, so they are fully reset to new on every restart.

It's far more likely your passwords were compromised by some kind of phishing site: a site that looks just like your real site, but isn't, and you click a link in an email or something and then they get your details when you try to log in.
If your password for your email is the same as for other sites, they can then log into your email and reset the password on all your sites.
I recommend using Lastpass + a 2FA app. This way all your passwords are different, and even if they get your password, they need the 2FA app that's on your phone, which generates a random code every 30 seconds.

Thanks… but how do you confirm or know you are hacked in the best way? That was the question. Are there no HIPS or automatic intrusion alarms? Why not? Can I install McAfee or ZoneAlarm? Kidding… but some notifications…

How do I install aide in dom0?
Edit: I missed an s… in qubes-dom0-update aide, the package was available… my bad. I would not compile it…

If qubes (dom0) gets compromised then odds are you are dealing with a very elaborate attack. First off they’d have to infect an appVM, then they’d have to find a way to break out of the appVM which would require them to know they are dealing with a QubesOS system and be aware of some exploit. For an attacker that elaborate you can be pretty sure they won’t do anything that would trigger a notification. As an analogy, imagine someone breaks into Fort Knox and successfully bypasses all the security, but then they trip over the last resort “rope at ankle level tied to a bell” trap.

Check out the FAQ: Frequently asked questions (FAQ) | Qubes OS


If you think you might’ve been hacked you should just delete the affected AppVMs and templates and recreate them. Can’t get easier than that. You could also install rkhunter in your template(s) and scan your vms.

In the future you could consider system hardening:
- GitHub - tasket/Qubes-VM-hardening: Fend off malware at Qubes VM startup
- https://www.kicksecure.com/


The best way I could think of is if our templates had some kind of hash/signature that dom0 could compare at boot. This would ensure the templates are unmodified and trustworthy. What do you think @fsflover?

I agree with you. I would like things to harden up. Passwordless sudo never sat right with me.

What exactly would you calculate the hash of? If you do the img then even opening the template will produce a different hash. Not to mention the size of the template, which will slow down the template boot even more.

Since the templates are not directly connected to the internet, resources are better spent on verifying AppVMs, which are far more likely to be compromised (i.e. by malicious modifications of /rw). And for that, you could use the solution I proposed, which does indeed use hashes.

I’ll join you on this, but it’s easy enough to create minimal templates without qubes-core-agent-passwordless-sudo, locking down sudo, and restricting su to wheel…

There is no best way to check if you were hacked, not even by the best hack.

Templates (as all the packages) are already signed. As well as all packages inside the templates. You can run some RPM queries to check if everything is consistent. Quite trivial to implement, but getting low-noise and still useful results is a different story.
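The post above says the RPM checks are trivial to run but noisy. As an added illustration (not code from the thread or from Qubes), this POSIX sh snippet takes the output of `rpm -Va` and reduces it to the findings an integrity check cares about: payload, mode, ownership or link-target changes on files that are not config, doc or ghost files, plus anything missing. Mtime-only changes and edited config files are dropped as noise. The sample report is constructed to match the `rpm -V` line shapes, so the filter can be exercised anywhere, while the real run inside a template is the one-liner in the comment.

```shell
#!/bin/sh
# Added example (not from the thread): filter `rpm -Va` output down to the
# changes that matter for an integrity check.  rpm -V prints, per file:
#   <9 attribute chars> [<type letter>] <path>
# attribute positions: S size, M mode, 5 digest, D device, L readlink,
#                      U user, G group, T mtime, P capabilities ('.' = unchanged)
# type letters: c config, d documentation, g ghost, l license, r readme
# Missing files print as:  missing [<type>] <path>

filter_rpm_verify() {
    awk '
        # a file that was deleted from the installed package is always worth seeing
        /^missing / { print "MISSING  " $NF; next }
        {
            attrs = $1
            # a one-character 2nd field is the type letter; otherwise the path is field 2
            if (NF >= 3 && length($2) == 1) { type = $2; path = $3 }
            else                             { type = "";  path = $2 }
            # config, doc and ghost files legitimately differ from the package: noise
            if (type == "c" || type == "d" || type == "g") next
            # content, permissions, ownership or symlink target changed on a payload file
            if (attrs ~ /[S5MLUG]/) print "CHANGED  " attrs "  " path
        }
    '
}

# Constructed sample modelled on rpm -V output (not a real report from any system).
sample_report() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/lib64/libexample.so.1
S.5....T.    /usr/bin/ls
.M.......    /usr/bin/sudo
missing     /usr/sbin/auditd
EOF
}

# Real use inside a template (slow on a full template, so run it deliberately):
#   rpm -Va 2>/dev/null | filter_rpm_verify
# Package-level signature check, prints "(none)" for unsigned packages:
#   rpm -qa --qf '%{NAME}-%{VERSION} %{SIGPGP:pgpsig}\n' | grep '(none)'

sample_report | filter_rpm_verify
```

On the constructed sample this reports `/usr/bin/ls` (digest and size changed), `/usr/bin/sudo` (mode changed) and the missing `auditd`, and says nothing about the edited `sshd_config` or the library whose only difference is its mtime. A changed digest on a binary in `/usr/bin` is exactly the kind of low-noise signal the post is after, but it is still only a consistency check against a database the same attacker could edit, which is the point the other replies keep making.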


Thanks for all of your answers… But do you mean aide then? In sys-net or dom0?

This seems to be good, I will read some… If I can ask about traffic: where would you place OpenSnitch or monitor traffic if you just wanted to check? sys-firewall?

That one would notify if people get hacked…


I want a “rope tied to a bell” when qubes do get hacked. Maybe a sound playing when the integrity of files changes… Could anyone fix that? Some guide? Or that with OpenSnitch? That would be great. Then you know if you have been hacked…
People should be able to tell in a secure OS. Sounds like a good feature. Like some firewall that plings… “Hey spock, you have an attacker in the mainframe of the ship.” Something with humor…
“Your passwords have been stolen.”
It would be good to know if someone scans the computer or breaks in right.
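An earlier reply suggested spending effort on verifying AppVMs by hashing their persistent `/rw`, and this post asks for a "bell" when file integrity changes. The following is an added illustration of that idea, not the solution the earlier poster referred to and not code from Qubes: build a sha256 manifest of a directory while the qube is believed clean, store the baseline somewhere the qube cannot rewrite (the assumption here is that the baseline lives outside the checked directory), and on later boots compare and report every added, removed or changed file. It assumes a POSIX sh plus GNU coreutils (`find`, `sort`, `sha256sum`) and `awk`.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal hash-manifest integrity check
# for a directory such as an AppVM's /rw.  Baseline once, compare on each boot.
# Assumes GNU coreutils and awk; paths containing newlines are not handled.

# build_manifest DIR OUT: one "<sha256>  <path>" line per regular file, sorted
build_manifest() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$out"
}

# compare_manifest DIR BASELINE: print ADDED / CHANGED / REMOVED lines (empty if clean)
compare_manifest() {
    dir=$1; base=$2
    cur=$(mktemp)
    build_manifest "$dir" "$cur"
    # Both files have the same shape; the path is everything after "hash  ".
    # Paths with spaces are preserved by stripping the hash prefix instead of using $2.
    awk -v b="$base" '
        { h = $1; p = $0; sub(/^[^ ]+  /, "", p) }
        FILENAME == b { base[p] = h; next }           # first file: remember the baseline
        {
            seen[p] = 1
            if (!(p in base))        print "ADDED    " p
            else if (base[p] != h)   print "CHANGED  " p
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED  " p }
    ' "$base" "$cur" | sort
    rm -f "$cur"
}

# check_dir DIR BASELINE: exit 0 when nothing changed, 1 otherwise.  The
# non-zero exit is the hook for the "bell": a boot script can play a sound,
# pop a notification, or refuse to start networking until someone looks.
check_dir() {
    findings=$(compare_manifest "$1" "$2")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" >&2
    return 1
}

# Example run on a constructed directory (no real /rw is touched):
#   build_manifest /rw /path/outside/rw/baseline.sha256     # while trusted
#   check_dir /rw /path/outside/rw/baseline.sha256 || echo 'integrity changed'
```

The caveat is the same one the thread keeps returning to: a manifest stored inside the qube it checks can be edited along with the files, and a compromise that happened before the baseline was taken is invisible to it. Keeping the baseline in another qube (or in dom0, compared from there) narrows the first problem; nothing fixes the second, which is why the compromise-recovery advice in this thread starts from rebuilding rather than scanning.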

I also want it in surround sound 5.1. Joking. :wink: But if anyone could make a guide with that I would try it. Sounds cool also. That sounded way nerdy! haha. But also kinda cool right :slight_smile:

Qubes 24.2 Live AI HIPS edition. Karaoke bonus version.


You should give this a read:
https://www.debian.org/doc/manuals/securing-debian-manual/intrusion-detect.en.html

A whole manual in fact:

Also note that all these tools you are mentioning are not specific to QubesOS. You can probably find some detailed explanations online.

I made two replies in this thread about this…


Thanks… Yes, that's a lot of reading to install a HIPS… But I can read through it sometime a bit… I meant like an easy quick guide, but I understand it's quite complicated stuff. Thanks for posting though.

Neither can any system. You cannot make a universal heuristic to tell good code from bad.


You kinda can… If one system is untouched and someone needs to bypass that untouched qube.
Just some good way to know early on that a system has been changed.

You disagree with the Qubes founder herself here:

The inconvenient and somehow embarrassing truth for us – the malware experts – is that there does not exist any reliable method to determine if a given system is not compromised. True, there is a number of conditions that can warn us that the system is compromised, but there is no limit on the number of checks that a system must pass in order to be deemed “clean”.

If you suspect that you are compromised, try Compromise recovery in Qubes OS, and also do it regularly just in case.
