For the Whonix VMs, you can enable AppArmor by just changing the kernel parameters in the Qube settings: https://www.whonix.org/wiki/Qubes/AppArmor

For more VM hardening, you can install Linux Kernel Runtime Guard (LKRG). For Whonix and Debian VMs, this is made really easy by Whonix (note that Whonix recommends using a VM kernel, but for me it works fine with the default kernel supplied by dom0): https://www.whonix.org/wiki/Linux_Kernel_Runtime_Guard_LKRG

More instructions: https://bitbucket.org/Adam_pi3/lkrg-main/src/master/README

On Saturday, September 5, 2020 at 5:02:57 PM UTC+2 Stumpy wrote:

> I was reminded about qubes hardening that Chris L has been working on
> and also noticed that Patrick/Whonix is now basing whonix on their
> kicksecure distro and was trying (not so successfully) to absorb all of
> this. I got the impression that Chris's work wouldn't jive so well with
> kicksecure (fair enough, can just use it on non-whonix setups) but wasn't
> sure. Also there is the idea of DVM sys-* (net/usb/firewall/etc) vms
> sounded like they would add an extra layer of security, maybe based on
> centos (I have seen conversations about how fedora doesn't sign or
> something apps in their repos? please don't troll me, i am not trying to
> pretend like i understand that) and some other things that i am sure i
> have missed (maybe an iptable/firewall gui [apart from what's built into
> qubes settings... i just don't find that intuitive]).
>
> In short, it just seems like there are quite a few additional hardening
> things that can be done but for novices like myself a step by step spoon
> feeding explanation/howto that brings it all together would be awesome.
> If i ever get something working I will try to document it but as it's
> taken me like 3 years to just get comfortable with qubes i am not
> holding my breath... anyone interested in crowd funding something like
> this? (*not* for me to write, more like to crowd fund for a qubes guru
> to write) :P
