From 56e8f982fb24ddbadcc34e659d46c3baec84ea62 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Thu, 26 May 2022 13:50:11 -0400
Subject: [PATCH] kickseucre
---
README.md | 8 ------
debian/kicksecure.sh | 14 ----------
fedora-minimal/fedora-minimal.sh | 3 ---
fedora-minimal/minimal-firewall.sh | 3 ---
kicksecure-minimal/firewall.sh | 3 +++
kicksecure-minimal/kicksecure.sh | 25 +++++++++++++++++++
.../minimal-sys-net.sh | 0
.../vault-gpg.sh | 2 +-
...secure-hardening.sh => whonix-hardening.sh | 4 +--
9 files changed, 30 insertions(+), 32 deletions(-)
delete mode 100644 debian/kicksecure.sh
delete mode 100644 fedora-minimal/fedora-minimal.sh
delete mode 100644 fedora-minimal/minimal-firewall.sh
create mode 100644 kicksecure-minimal/firewall.sh
create mode 100644 kicksecure-minimal/kicksecure.sh
rename {fedora-minimal => kicksecure-minimal}/minimal-sys-net.sh (100%)
rename fedora-minimal/minimal-vault-gpg.sh => kicksecure-minimal/vault-gpg.sh (80%)
rename debian/kicksecure-hardening.sh => whonix-hardening.sh (91%)
diff --git a/README.md b/README.md
index d1aa0ea..cf3efcf 100644
--- a/README.md
+++ b/README.md
@@ -1,10 +1,2 @@
 # QubesOS-Scripts
 My scripts for setting up QubesOS. Read the scripts and adjust them to your needs, don't just blindly run them. Note that the scripts do not disable passwordless sudo. If you want to do it, follow https://www.qubes-os.org/doc/vm-sudo/ and set it up on the Fedora and Debian templates before using my scripts. The purpose of this is to **hopefully** get a bit better protection against VM escapes (as an attacker would need to both get root privilege in the VM and exploit a bug in the Qubes agents or Xen hypervisor).
-
-1. Run dom0.sh script to set up dom0
-2. Download the Fedora Minimal template and use the fedora-minimal.sh script to do basic configuration. Then, create TemplateVMs based on it. The most important thing here is that you replace sys-net and sys-firewall with a minimal version for attack surface reduction. I have been trying to create a minimal template for ProtonVPN, but haven't been able to so far. Any help with this would be appreciated.
-3. Run the fedora.sh script to trim down the default Fedora template and do basic configuration. The script includes a systemd user timer `update-user-flatpaks.timer` that you can manually enable on AppVMs. Firefox is also replaced with Brave. Other TemplateVMs should be based on the trimmed down Fedora template.
-4. Copy the Fedora template to a Brave template. Run brave.sh to install brave in the brave template. TemplateVMs which need a dedicated browser should be based on the Brave template of the Fedora template. Create a disposable VM based on the Brave template. When you need to open a browser inside of a VM with no browser, Qubes will open it in a disposable VM instead.
-5. Run debian.sh to trim down the Debian template.
-6. Copy the Debian template to a Kicksecure template, then run kicksecure.sh to morph it into Kicksecure. AppVMs should be based on KickSecure instead of Debian.
-7. 
Run the kicksecure_hardening.sh script on both the Whonix Gateway and Workstation templates to enable experimental hardening features. The same script can be used to harden AppVMs based on KickSecure too, so long as it doesn't stop your app from running.
diff --git a/debian/kicksecure.sh b/debian/kicksecure.sh
deleted file mode 100644
index 4a9dcf4..0000000
--- a/debian/kicksecure.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/bash
-
-sudo apt update
-sudo apt full-upgrade
-sudo addgroup --system console
-sudo adduser user console
-
-curl --proxy http://127.0.0.1:8082/ --tlsv1.3 --proto =https --max-time 180 --output ~/derivative.asc https://www.kicksecure.com/derivative.asc
-sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
-echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
-
-sudo apt install kicksecure-qubes-cli
-sudo mv /etc/apt/sources.list ~/
-sudo touch /etc/apt/sources.list
diff --git a/fedora-minimal/fedora-minimal.sh b/fedora-minimal/fedora-minimal.sh
deleted file mode 100644
index 6b63373..0000000
--- a/fedora-minimal/fedora-minimal.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/bash
-
-echo "countme=false" | sudo tee /etc/dnf/dnf.conf
diff --git a/fedora-minimal/minimal-firewall.sh b/fedora-minimal/minimal-firewall.sh
deleted file mode 100644
index 24966dd..0000000
--- a/fedora-minimal/minimal-firewall.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/bash
-
-sudo dnf install -y qubes-core-agent-networking iproute qubes-core-agent-dom0-updates
diff --git a/kicksecure-minimal/firewall.sh b/kicksecure-minimal/firewall.sh
new file mode 100644
index 0000000..9bb0bb3
--- /dev/null
+++ b/kicksecure-minimal/firewall.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sudo apt install --no-install-recommends qubes-core-agent-networking iproute qubes-core-agent-dom0-updates -y
diff --git a/kicksecure-minimal/kicksecure.sh b/kicksecure-minimal/kicksecure.sh
new file mode 100644
index 0000000..243746b
--- /dev/null
+++ b/kicksecure-minimal/kicksecure.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+#Adding KickSecure's signing key
+sudo apt install --no-install-recommends curl -y
+curl --proxy http://127.0.0.1:8082/ --tlsv1.3 --proto =https --max-time 180 --output ~/derivative.asc https://www.kicksecure.com/derivative.asc
+sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
+echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
+
+#Distribution morphing
+sudo apt install --no-install-recommends kicksecure-qubes-cli -y
+sudo mv /etc/apt/sources.list ~/
+sudo touch /etc/apt/sources.list
+
+#Enabling SUID Disabler and Permission Hardener
+sudo systemctl enable --now permission-hardening
+
+#Install LKRG
+sudo apt install --no-install-recommends lkrg-dkms linux-headers-amd64 -y
+
+#Enable hardened malloc
+echo "/usr/lib/libhardened_malloc.so/libhardened_malloc.so" | sudo tee /etc/ld.so.preload
+
+#Reduce kernel information leaks
+#Will break a lot of applications. The apps I use on Whonix work fine with it so I am enabling it.
+sudo systemctl enable --now hide-hardware-info.service
\ No newline at end of file
diff --git a/fedora-minimal/minimal-sys-net.sh b/kicksecure-minimal/minimal-sys-net.sh
similarity index 100%
rename from fedora-minimal/minimal-sys-net.sh
rename to kicksecure-minimal/minimal-sys-net.sh
diff --git a/fedora-minimal/minimal-vault-gpg.sh b/kicksecure-minimal/vault-gpg.sh
similarity index 80%
rename from fedora-minimal/minimal-vault-gpg.sh
rename to kicksecure-minimal/vault-gpg.sh
index c2c0318..61fbe2e 100644
--- a/fedora-minimal/minimal-vault-gpg.sh
+++ b/kicksecure-minimal/vault-gpg.sh
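Review bot: The signing key fetched by the `curl` line is copied into /usr/share/keyrings and the repository enabled on the next line without any check that the download succeeded or that the key's fingerprint matches the one the project publishes out-of-band, and with no `set -e` a failed or truncated download still lets the script go on to `apt install kicksecure-qubes-cli` and the later steps. The deleted debian/kicksecure.sh also ran `sudo addgroup --system console` and `sudo adduser user console` before the install; this new script drops both, so either a comment saying why they are no longer needed or restoring them would help the next reader. The `tee /etc/ld.so.preload` line replaces the file rather than appending, and nothing in this script installs the library it names, so unless kicksecure-qubes-cli pulls it in, every dynamically linked program will print a preload error; a guard such as `[[ -e /usr/lib/libhardened_malloc.so/libhardened_malloc.so ]]` before the `tee` (or an explicit install) would be safer. The fingerprint check below assumes gpg is present in the template; it may need adding to the `apt install` line alongside curl.
```shell
#!/bin/bash
set -euo pipefail

#Adding KickSecure's signing key
sudo apt install --no-install-recommends curl -y
curl --proxy http://127.0.0.1:8082/ --tlsv1.3 --proto =https --max-time 180 --output ~/derivative.asc https://www.kicksecure.com/derivative.asc
# Compare against the fingerprint published by the project, not against the file just downloaded.
gpg --with-colons --show-keys ~/derivative.asc | grep -q -- "^fpr:.*:<EXPECTED_FINGERPRINT_PLACEHOLDER>:"
sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
# … unchanged: derivative.list, distribution morphing, permission-hardening, LKRG, hide-hardware-info …
```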
@@ -1,6 +1,6 @@
 #!/bin/bash
-sudo dnf install -y qubes-gpg-split arc-theme
+sudo apt install --no-install-recommends qubes-gpg-split arc-theme -y
 sudo mkdir /etc/gtk-3.0
 echo '[Settings]
diff --git a/debian/kicksecure-hardening.sh b/whonix-hardening.sh
similarity index 91%
rename from debian/kicksecure-hardening.sh
rename to whonix-hardening.sh
index 05cd000..e52fed1 100644
--- a/debian/kicksecure-hardening.sh
+++ b/whonix-hardening.sh
@@ -4,9 +4,7 @@
 sudo systemctl enable --now permission-hardening
 #Install LKRG
-sudo apt update
-sudo apt full-upgrade -y
-sudo apt install --no-install-recommends lkrg-dkms linux-headers-amd64
+sudo apt install --no-install-recommends lkrg-dkms linux-headers-amd64 -y
 #Enable hardened malloc
 echo "/usr/lib/libhardened_malloc.so/libhardened_malloc.so" | sudo tee /etc/ld.so.preload
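Review bot: The `sudo apt install --no-install-recommends lkrg-dkms linux-headers-amd64 -y` line, together with the permission-hardening and ld.so.preload lines around it, now appears verbatim in both this file and kicksecure-minimal/kicksecure.sh; keeping the shared hardening steps in one script that both source, or a comment explaining why the two copies are meant to diverge, would stop them drifting apart. With `apt update` removed, this install runs against whatever package lists the template currently holds, so a comment such as `# assumes the template was just updated via the Qubes updater` would make the precondition explicit. lkrg-dkms is a DKMS module that only builds against headers matching the running kernel, and I believe Qubes templates boot a dom0-provided kernel by default, so a note that the in-VM kernel must be selected for LKRG to actually load would save the next reader a surprise. The rest of whonix-hardening.sh lies outside this hunk.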