Hi,

First step for me was to install the minimal template and use it instead of the complete template for service qubes (sys-net, sys-USB and sys-firewall). Information on the minimal template can be found here: https://www.qubes-os.org/doc/templates/minimal/

Second step for me was building and using the mirage firewall instead of sys-firewall. Information on mirage can be found here: https://github.com/mirage/qubes-mirage-firewall/

Third step for me was random MAC address and hostname. https://www.qubes-os.org/doc/anonymizing-your-mac-address/

Those are things that I do on all my Qubes laptop installations. After that, you can play with firewall rules, apparmor and other things.

I would love to see a way to add IDS/IPS in Qubes easily, but did not have time to even check if someone did try to add IDS/IPS.

Have fun!

Dominique

On Tuesday, June 9, 2020 at 11:26:22 AM UTC-4, [email protected] wrote:
>
> Hi all,
>
> I took a break from setting up my Qubes OS machine and now I'm looking to finish the job and actually settle in. I am familiar with the overall layout and functions of the OS as a whole, but want to shore up the security of my individual VMs, with Debian running everything except for dom0. I know that isolation should do most of the work, but if further hardening my VMs will add more hurdles for attackers while being of minimal cost to me, why not?
>
> For now, I plan on proper firewalling, activating apparmor, installing taskett-hardening, and reducing attack surfaces where possible.
>
> Specific question: how would one strip down non-app VMs (sys-net, sys-USB, sys-firewall, whonix-gw) to minimize their attack surfaces? Aside from common-sense hardening and operation of app VMs, these seem to be the most exposed and therefore most vulnerable.
>
> More generally: what steps have you taken to harden your VMs?
