Xen/QubesOS Kernel Hardening

Does QubesOS/Xen employ the use of a hardened kernel as per the following Whonix forum discussion?

Unlike KVM, which is based on a Linux kernel, Xen is actually already quite minimal with better security and smaller attack surface, so one could consider it hardened in that sense.

As per Linux kernels: there’s the dom0 kernel, which is not particularly hardened, but that’s because it doesn’t face the internet or any user files etc. (unless the user breaks those barriers down explicitly, which is obviously not recommended), so unless the very good protection afforded by Xen is broken, which is very unlikely, this is not a problem.

Finally there are the kernels of the user qubes, which currently don’t use a particularly hardened kernel, either, by default, but you can compile your own hardened kernels for them if you wish (there also seems to be some tentative work to include various hardening measures, including kernel hardening, by default). Do note that sudo protections are disabled by default, though you can re-enable them and further harden your qubes if you wish, but Debian qubes do have at least AppArmor active by default and with Qubes 4.2 SELinux will be on by default in Fedora qubes.

Which Debian/Fedora versions use AppArmor and SELinux by default?

Is there a script that can be run inside Whonix to verify if the security-misc package has been applied?

Which Debian/Fedora versions use AppArmor and SELinux by default?

All standard Debian templates (not minimal ones) should have it on by default, same for Whonix, but you can check for yourself with sudo aa-status. Fedora will only have it on by default starting in Qubes 4.2, but there, again, it should be active in all templates (except minimal templates).

Is there a script that can be run inside Whonix to verify if the security-misc package has been applied?

apt list security-misc
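
Added example, not part of the thread or of any Qubes/Whonix tooling: a POSIX shell check that reports AppArmor and SELinux state from sysfs and the install state of security-misc from dpkg's Status field. It confirms the package is installed, not that each of its settings is in effect; the function names and the optional root-prefix argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example: report MAC state and security-misc install status in a qube.
# Each *_state function takes an optional root prefix (hypothetical, for testing).

apparmor_state() {
    # The kernel exposes Y or N here when the AppArmor LSM is present.
    f="${1:-}/sys/module/apparmor/parameters/enabled"
    if [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]; then echo enabled; else echo disabled; fi
}

selinux_state() {
    # selinuxfs 'enforce' holds 1 (enforcing) or 0 (permissive); absent means disabled.
    f="${1:-}/sys/fs/selinux/enforce"
    [ -r "$f" ] || { echo disabled; return; }
    case "$(cat "$f")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

pkg_state() {
    # Interpret a dpkg Status string such as "install ok installed".
    case "$1" in
        "install ok installed") echo installed ;;
        "deinstall ok config-files") echo removed-config-remains ;;
        "") echo not-installed ;;
        *) echo partial ;;
    esac
}

security_misc_state() {
    # dpkg-query prints nothing on stdout for a package dpkg does not know.
    command -v dpkg-query >/dev/null 2>&1 || { echo no-dpkg; return; }
    pkg_state "$(dpkg-query -W -f='${Status}' security-misc 2>/dev/null)"
}

report() {
    echo "apparmor: $(apparmor_state "$1")"
    echo "selinux: $(selinux_state "$1")"
    echo "security-misc: $(security_misc_state)"
}

report ""
```

A permissive SELinux result means policy is loaded but violations are only logged, so treat it differently from enforcing when auditing a template.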