Guide: Kicksecure for DISP-sys* revisions

Revision #16

Edited on
2023-09-07
Edited by user
deeplow

Revision #15

Edited on
2022-08-29
Edited by user
fsflover

Revision #14

Edited on
2022-08-25
Edited by user
thewanderer
Before: You will need to follow that but use the deb-11-sysfirewall, deb-11-sysusb, deb-11-sysnet for these.
After: You will need to follow that but use the deb-11-sysfirewall, deb-11-sysusb, deb-11-sysnet for these. **Known Issues:**

Revision #13

Edited on
2022-08-25
Edited by user
thewanderer
**Steps:**

Revision #12

Edited on
2022-08-25
Edited by user
thewanderer
Before: 7. Install hardened Malloc `sudo echo '/usr/lib/libhardened_malloc.so/libhardened_malloc.so' >> /etc/ld.so.preload`
After: 7. Install hardened Malloc `echo "/usr/lib/libhardened_malloc.so/libhardened_malloc.so" | sudo tee /etc/ld.so.preload`

Revision #11

Edited on
2022-08-25
Edited by user
thewanderer
Before: `qvm-run --pass-io --no-gui --user=root $1 'apt-get -t bullseye-backports -y --no-install-recommends linux-image-amd64 linux-headers-amd64'`
After: `qvm-run --pass-io --no-gui --user=root $1 'apt-get -t bullseye-backports -y --no-install-recommends install linux-image-amd64 linux-headers-amd64'`

Before: 4. Install Linux Kernel runtime guard (LKRG) sudo apt install --no-install-recommends lkrg-dkms linux-headers-amd64
After: 4. Install Linux Kernel runtime guard (LKRG) `sudo apt install --no-install-recommends lkrg-dkms`

Revision #10

Edited on
2022-08-24
Edited by user
thewanderer
Before: `qvm-prefs $TARGET_TEMPLATE maxmem 4000`
After: `qvm-prefs $TARGET_TEMPLATE maxmem 600`

Revision #9

Edited on
2022-08-24
Edited by user
thewanderer
**add-feature-sys-net**

````bash
#!/bin/bash
# Adding sys-net support
echo +++ installing sys-net packages into $1
# Note I have an Intel iwl wifi adapter; if you don't, you can remove this.
qvm-run --pass-io -u root $1 "apt install --no-install-recommends qubes-core-agent-networking qubes-core-agent-network-manager gnome-keyring firmware-iwlwifi -y"
````

Revision #8

Edited on
2022-08-24
Edited by user
thewanderer
**Install LKRG, tirdad, malloc and enabling apparmor**

1. We are using the Linux VM kernel from bullseye-backports; this requires installing pvgrub2-pvh in dom0 as the deb-11-sysfirewall is PVH virtualisation. `sudo qubes-dom0-update grub2-xenpvh`
2. Go to Qubes Manager and find the deb-11-sysfirewall. Click on settings -> Advanced and change the kernel to pvgrub2-pvh, then start the deb-11-sysfirewall. This will now boot with the latest kernel.
3. Open an xterm on deb-11-sysfirewall, then check you are on the latest kernel: `uname -a`
4. Install Linux Kernel runtime guard (LKRG): `sudo apt install --no-install-recommends lkrg-dkms linux-headers-amd64`
5. Install tirdad: `sudo apt-get install tirdad`
5. Restart deb-11-sysfirewall.
6. Check LKRG and tirdad are installed with `sudo dkms status`
7. Install hardened Malloc: `sudo echo '/usr/lib/libhardened_malloc.so/libhardened_malloc.so' >> /etc/ld.so.preload`
8. Enabling apparmor in Dom0: `qvm-prefs -s deb-11-sysfirewall kernelopts "apparmor=1 security=apparmor"`

These steps are the same for sys-net and sys-usb. However, sys-net and sys-usb should be set to HVM due to attachments of devices (ethernet and usb controller). Therefore you will have to make a slight change to step 2. Instead of pvgrub2-pvh you will need to put (none).

Revision #7

Edited on
2022-08-24
Edited by user
thewanderer
* https://www.kicksecure.com/wiki/System_Hardening_Checklist#Kernels_/_Kernel_Modules
* https://www.kicksecure.com/wiki/System_Hardening_Checklist
* https://madaidans-insecurities.github.io/guides/linux-hardening.html#mac

Revision #6

Edited on
2022-08-24
Edited by user
thewanderer
Here are the scripts for add-feature for sys-net, sys-usb and deb-11-sysusb, deb-11-sysnet.

**add-feature-sys-net**
**add-feature-sys-usb**
**deb-11-sysusb**
**deb-11-sysnet**

Revision #5

Edited on
2022-08-24
Edited by user
thewanderer
* https://www.qubes-os.org/doc/usb-qubes/

Before: * Using @Sven method for creating templates (thanks Sven)
After: * Using @Sven method for creating templates (thanks Sven) * Using a USB qube for deb-11-sysusb
# Note I have an Intel iwl wifi adapter; if you don't, you can remove this.
Before: 1. We are using the Linux VM kernel from bullseye-backports this requires installing pvgrub2-pvh in dom0. `sudo qubes-dom0-update grub2-xenpvh`
After: 1. We are using the Linux VM kernel from bullseye-backports this requires installing pvgrub2-pvh in dom0 as the deb-11-sysfirewall is PVH virtualisation. `sudo qubes-dom0-update grub2-xenpvh`

Revision #4

Edited on
2022-08-24
Edited by user
thewanderer
Here are the scripts for add-feature for sys-net, sys-usb and deb-11-sysusb, deb-11-sysnet.

````bash
#!/bin/bash
# Adding sys-net support
echo +++ installing sys-net packages into $1
qvm-run --pass-io -u root $1 "apt install --no-install-recommends qubes-core-agent-networking qubes-core-agent-network-manager gnome-keyring firmware-iwlwifi -y"
````

````bash
#!/bin/bash
# Adding sys-usb support
echo +++ installing sys-usb packages into $1
qvm-run --pass-io -u root $1 "apt install --no-install-recommends qubes-usb-proxy qubes-input-proxy-sender qubes-core-agent-nautilus nautilus zenity gnome-keyring policykit-1 libblockdev-crypto2 ntfs-3g -y"
````

````bash
#!/bin/bash
SOURCE_TEMPLATE=deb-11-min
TARGET_TEMPLATE=deb-11-sysusb
#clone
qvm-clone $SOURCE_TEMPLATE $TARGET_TEMPLATE
#add features
$(pwd)/add-feature-sysusb $TARGET_TEMPLATE
#shutdown
qvm-shutdown --wait $TARGET_TEMPLATE
qvm-prefs $TARGET_TEMPLATE memory 400
qvm-prefs $TARGET_TEMPLATE maxmem 4000
````

````bash
#!/bin/bash
SOURCE_TEMPLATE=deb-11-min
TARGET_TEMPLATE=deb-11-sysnet
#clone
qvm-clone $SOURCE_TEMPLATE $TARGET_TEMPLATE
#add features
$(pwd)/add-feature-sysnet $TARGET_TEMPLATE
#shutdown
qvm-shutdown --wait $TARGET_TEMPLATE
qvm-prefs $TARGET_TEMPLATE memory 400
qvm-prefs $TARGET_TEMPLATE maxmem 4000
````

Revision #3

Edited on
2022-08-24
Edited by user
thewanderer
Before: * https://forum.qubes-os.org/t/automate-debian-minimal-based-template-creation/ * https://forum.qubes-os.org/t/debian-10-minimal-configuration/2603/32
After: * https://forum.qubes-os.org/t/automate-debian-minimal-based-template-creation * https://forum.qubes-os.org/t/debian-10-minimal-configuration/2603/12

Before: * https://www.qubes-os.org/doc/disposable-customization/#create-custom-sys-net-sys-firewall-and-sys-usb-disposables
After: * https://www.qubes-os.org/doc/disposable-customization/#create-custom-sys-net-sys-firewall-and-sys-usb-disposables * https://www.qubes-os.org/doc/usb-qubes/

Before: 2. Create add-feature-kicksecure in ~/scripts folder
After: 2. Create add-feature-kicksecure

Before: 8. Enabling apparmor in Dom0. qvm-prefs -s deb-11-sysfirewall kernelopts "apparmor=1 security=apparmor"
After: 8. Enabling apparmor in Dom0. `qvm-prefs -s deb-11-sysfirewall kernelopts "apparmor=1 security=apparmor"`

Revision #2

Edited on
2022-08-24
Edited by user
thewanderer
Before: * https://forum.qubes-os.org/t/automate-debian-minimal-based-template-creation/11421/17
After: * https://forum.qubes-os.org/t/automate-debian-minimal-based-template-creation/
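The hardening steps from Revision #8 (backports kernel, pvgrub2-pvh or "(none)", LKRG, tirdad, hardened malloc via ld.so.preload, AppArmor kernelopts), collected into one dom0 script with the command fixes the author made in Revisions #11 (`install`) and #12 (`tee` instead of `sudo echo >>`). This is an added example and not code from the guide or from any of its revisions. It assumes the template name and its virt_mode (`pvh` or `hvm`) are passed as arguments, that the hardened malloc library is at the path the guide uses, and that `qvm-prefs <vm> kernel ''` is the command-line form of the "(none)" kernel choice in Qubes Manager. With `DRY_RUN=1`, the default, it only prints the dom0 commands it would run; it also keeps the guide's order (reboot into the new kernel before installing the DKMS modules) and refuses to write the preload line if the library is missing, since a bad `/etc/ld.so.preload` affects every dynamically linked program in the template.

```shell
#!/bin/sh
# Added example (not part of the original guide): the Revision #8 procedure
# as one dom0 script, using the corrected commands from Revisions #11 and #12.
# With DRY_RUN=1 (default) it only prints the dom0 commands it would run, so it
# can be read and tested anywhere; run it in dom0 with DRY_RUN=0 to apply them.
# Assumptions: the template name and its virt_mode (pvh|hvm) are given as
# arguments, and the hardened malloc library is at the path the guide uses.
set -eu
DRY_RUN="${DRY_RUN:-1}"
PRELOAD_LIB=/usr/lib/libhardened_malloc.so/libhardened_malloc.so

# Step 2 of the guide: a PVH template (deb-11-sysfirewall) boots its in-VM
# kernel through pvgrub2-pvh; the HVM templates behind sys-net and sys-usb
# use "(none)", which qvm-prefs takes as an empty kernel value (assumption).
kernel_for_virt_mode() {
  case "$1" in
    pvh) printf 'pvgrub2-pvh' ;;
    hvm) printf '' ;;
    *)   printf 'unsupported virt_mode: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Root commands for the template, one per line: steps 4, 5 and 7. The test -f
# guard refuses to write an ld.so.preload line for a library that is missing.
vm_hardening_commands() {
cat <<EOF
apt-get install -y --no-install-recommends lkrg-dkms
apt-get install -y tirdad
test -f $PRELOAD_LIB
echo $PRELOAD_LIB | tee /etc/ld.so.preload
EOF
}

# Read-only checks after the final restart: steps 3 and 6 plus AppArmor state.
vm_verify_commands() {
cat <<EOF
uname -r
dkms status
cat /sys/module/apparmor/parameters/enabled
cat /etc/ld.so.preload
EOF
}

# Print the dom0 command in dry-run mode, execute it otherwise.
run_dom0() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# qvm-run reads its stdin with --pass-io, so feed it /dev/null rather than
# the command list that is being piped into the while loop.
run_in_vm() {
  run_dom0 qvm-run --pass-io --no-gui --user=root "$1" "$2" </dev/null
}

# harden_template <template> <pvh|hvm>
harden_template() {
  template=$1
  kernel=$(kernel_for_virt_mode "$2")
  # Step 1: the backports kernel inside the VM (Revision #11 fix: "install").
  run_in_vm "$template" 'apt-get -t bullseye-backports -y --no-install-recommends install linux-image-amd64 linux-headers-amd64'
  if [ -n "$kernel" ]; then
    run_dom0 sudo qubes-dom0-update grub2-xenpvh
  fi
  run_dom0 qvm-prefs "$template" kernel "$kernel"
  run_dom0 qvm-shutdown --wait "$template"   # the next qvm-run boots the new kernel
  vm_hardening_commands | while IFS= read -r cmd; do
    run_in_vm "$template" "$cmd"
  done
  # Step 8, set from dom0.
  run_dom0 qvm-prefs "$template" kernelopts "apparmor=1 security=apparmor"
  run_dom0 qvm-shutdown --wait "$template"   # step 5: restart so LKRG and tirdad load
  vm_verify_commands | while IFS= read -r cmd; do
    run_in_vm "$template" "$cmd"
  done
}

if [ "$#" -gt 0 ]; then
  harden_template "$@"
fi
```

Usage in dom0 would be `DRY_RUN=0 sh harden-template.sh deb-11-sysfirewall pvh` for the PVH firewall template and `... deb-11-sysnet hvm` for the HVM ones; run it without `DRY_RUN=0` first to review the exact command sequence.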