Commit 657d79a0 authored by Clark

Adding Qubes OS Split SSH and Windows Template info... rough draft

parent 1eaad378
......@@ -61,16 +61,7 @@ Then flash the ISO to the USB.
sudo dd if=Qubes-R4.0.3-x86_64.iso of=/dev/sda status=progress
#+END_SRC
* TODO Enable Firewalls
Install and enable firealls.
#+begin_src sh
sudo apt install -y ufw && \
sudo ufw --force enable
#+end_src
* TODO Enforce VPN Routing
* TODO Enforce VPN Routing -> Move this to a NetVM (Qubes)
This requires some kind of VPN access. I'm using a low cost VPN provider, PIA. After signing up, the provide authentication credentials, what I'm using below as =vpn_username= and =vpn_password=.
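Review bot: the firewall step is dropped in this hunk but nothing records where per-VM filtering now lives. Since the VPN item is being tagged for a NetVM, add a line under the renamed heading noting that AppVM rules are now set from dom0 with qvm-firewall rather than with ufw inside the VM, so the reader knows the protection moved rather than vanished. Also, "* TODO Enforce VPN Routing -> Move this to a NetVM (Qubes)" carries the migration note in the headline itself; the "TO MIGRATE" parent heading introduced later in this commit is the cleaner place for it.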
......@@ -106,19 +97,53 @@ Test the VPN service initializes using =sudo openvpn --config /etc/openvpn/local
Verify the service status using =sudo systemctl status openvpn@local_profile= and checking one's public IP using =wget --secure-protocol=PFS --https-only -qO- checkip.dyndns.org=.
* TODO Setup SSH
* TODO Setup Split SSH
In Qubes OS, ssh keypairs can be split between the =private key location= (an offline AppVM) and users (any other AppVM, such as a development VM).
Create an ssh-key, and update config.
First, clone the latest Fedora TemplateVM, naming it /fedora-30-ssh-vault/. Temporarily enable networking over =sys-whonix=. Start the TemplateVM, and run the following to install =ncat= and configure the ssh agent.
#+BEGIN_SRC sh
sudo dnf install nmap-ncat -y && \
bash -c 'cat <<EOT >> ~/etc/qubes-rpc/qubes.SshAgent
#!/bin/sh
notify-send "[`qubesdb-read /name`] SSH agent access from: $QREXEC_REMOTE_DOMAIN"
ncat -U $SSH_AUTH_SOCK'
#+END_SRC
Then shutdown the TemplateVM and disable networking. Create a new AppVM named /ssh-vault/, using the /fedora-30-ssh-vault/ TemplateVM. This will be the =private key= VM, so be sure to *disable network access*.
On the =ssh-vault= AppVM, create an ssh-key, and update the config. Also add an autostart entry.
#+BEGIN_SRC sh
ssh-keygen -t ed25519 -C "sentry@bytecache.io" -f "$HOME"/.ssh/id_rsa -N '' && \
bash -c 'cat <<EOT >> ~/.ssh/config
VisualHostKey=yes
LogLevel=VERBOSE
EOT'
EOT' && \
bash -c 'cat <<EOT >> ~user/.config/autostart/ssh-add.desktop
[Desktop Entry]
Name=ssh-add
Exec=ssh-add
Type=Application'
#+END_SRC
On =dom0=, add a policy for the ssh agent.
#+BEGIN_SRC sh
echo "$anyvm $anyvm ask" > /etc/qubes-rpc/policy/qubes.SshAgent
#+END_SRC
Now, on any AppVM which should have access to the ssh key as an agent (e.g., a development AppVM), perform the following steps.
#+BEGIN_SRC sh
...
#+END_SRC
* TODO Wazuh Agent - Endpoint Security
* TODO TO MIGRATE: (Debian to Qubes VMs)
** TODO Wazuh Agent - Endpoint Security
Wazuh is an HIDS system, which is a fork of OSSEC built on the ELK stack. I'll install a Wazuh agent that I use to send data to a Wazuh server deployed elsewhere (e.g., on =10.0.0.2=).
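Review bot: the three shell blocks in the new Split SSH section do not run as written and should be fixed before this leaves draft. In the TemplateVM block, `bash -c 'cat <<EOT >> ~/etc/qubes-rpc/qubes.SshAgent` points at a path under the home directory; the qrexec service must live at /etc/qubes-rpc/qubes.SshAgent (written with sudo and marked executable), the heredoc is never terminated (no closing EOT before the quote), `>>` appends to a file whose first line must be the shebang, and the unquoted delimiter means `$QREXEC_REMOTE_DOMAIN`, `$SSH_AUTH_SOCK` and the backticked qubesdb-read are expanded once at write time instead of on each agent request; use `<<'EOT'`. In the ssh-vault block, `ssh-keygen -t ed25519 ... -f "$HOME"/.ssh/id_rsa` stores an ed25519 key under the rsa filename; name it id_ed25519 so ssh finds it by default and the name matches the type. The lines `EOT'` and `EOT' && \` are duplicated, so the second one is a stray token that breaks the chain, and the autostart heredoc after it is unterminated as well and writes to ~user rather than $HOME, in a directory that may need mkdir -p first. In the dom0 block, `echo "$anyvm $anyvm ask" > /etc/qubes-rpc/policy/qubes.SshAgent` is double-quoted, so the shell expands $anyvm as an empty variable and the policy file ends up containing only " ask"; single-quote the string, write it with sudo tee since /etc in dom0 is root-owned, and note that Qubes 4.0 spells the keyword @anyvm. Finally the client-side block is still `...`, so the section cannot be followed end to end yet.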
......@@ -132,7 +157,7 @@ sudo WAZUH_MANAGER="192.168.1.2" apt install wazuh-agent -y
For addition steps registering agents to the Wazuh manager, see [[https://documentation.wazuh.com/3.9/user-manual/registering/index.html][the Wazuh guide]].
* TODO Harden Firefox
** TODO Harden Firefox
Go through all the about:preferences particularly the /search/ and /privacy & security/ settings.
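Review bot: the Wazuh manager address is inconsistent between the prose, which places the server at 10.0.0.2, and the install line in this hunk's context, `sudo WAZUH_MANAGER="192.168.1.2" apt install wazuh-agent -y`; pick one value so the agent actually registers where the text says it will. Minor: "For addition steps registering agents" should read "For additional steps".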
......@@ -144,7 +169,7 @@ Add and enable the following extensions, in the following order:
5) [[https://addons.mozilla.org/en-US/firefox/addon/pay-by-privacy-com/][Pay by Privacy.com]]
6) [[https://github.com/marcelklehr/floccus][Floccus]]
* TODO Git
** TODO Git
Live and die by Git. I'm using the handle =sentry=.
......@@ -169,7 +194,7 @@ Host *
IPQoS lowdelay throughput
#+end_src
* Emacs
** Emacs
Setup my preferred text editor, Emacs.
......@@ -184,7 +209,7 @@ git reset --hard origin/master && \
git push --set-upstream git@git.bytecache.io:ehacks/ehacks.git master
#+END_SRC
* TODO Riot and Whalebird
** TODO Riot and Whalebird
=Matrix= and =Mastodon= are decentralized, open-source, social networking protocols. =Riot= provides a desktop client to access =Matrix=, while =Whalebird= provides a desktop client for =Mastodon=.
......@@ -198,7 +223,15 @@ wget https://github.com/h3poteto/whalebird-desktop/releases/download/4.1.0/Whale
sudo dpkg -i Whalebird-4.1.0-linux-x64.deb
#+END_SRC
* Python 3
** Rust
#+BEGIN_SRC sh
curl https://sh.rustup.rs -sSf | sh -s -- -y && source "$HOME"/.cargo/env && \
rustup component add rustfmt && \
rustup component add clippy
#+END_SRC
** Python 3
Install various libraries for Python.
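Review bot: the new Rust block pipes `curl https://sh.rustup.rs -sSf | sh -s -- -y` directly into a shell, running unreviewed remote code with no checksum, which sits oddly beside the care taken elsewhere in this file (offline key vault, VPN enforcement). Download rustup-init first, inspect or checksum it, then run it with -y. Style point: Rust is the only subsection here without an introductory line under its heading, unlike Python 3 and its other siblings.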
......@@ -209,7 +242,7 @@ pip3 install --user jedi autopep8 yapf flake8 flake8-bandit keystone-engine caps
pip install virtualenv
#+END_SRC
* R
** R
Install R from CRAN.
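Review bot: `pip install virtualenv` mixes the bare `pip` with the `pip3 install --user ...` line immediately above it in this hunk's context; on Debian `pip` may resolve to Python 2, and without --user the install either goes system-wide or fails on permissions. Use `pip3 install --user virtualenv` for consistency.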
......@@ -220,7 +253,7 @@ sudo apt update && \
sudo apt install -y r-base
#+END_SRC
* GDB
** GDB
GDB is the GNU Project Debugger, facilitating low level analysis of executable programs by stepping through each operation. GDB comes with Debian, but I also install a few GDB utilities to enhance the debugging process.
......@@ -230,7 +263,7 @@ git clone https://github.com/longld/peda.git ~/peda && \
echo "source ~/peda/peda.py" >> ~/.gdbinit
#+END_SRC
* Radare 2
** Radare 2
Radare2 is a reverse engineering framework.
......@@ -240,7 +273,7 @@ r2pm init && \
r2pm -i rarop
#+END_SRC
* TODO Cell Phone Utilities
** TODO Cell Phone Utilities
I have a Pixel 3 running the [[https://grapheneos.org/][GrapheneOS]]. To flash the OS to my cell phone, it requires =abd= and =fastboot=, which are not part of Debian. To add these utilities, I'll download and install the [[https://developer.android.com/studio/releases/platform-tools][Android SDK Platform-Tools]], as follows.
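Review bot: "it requires =abd= and =fastboot=" should read =adb=; the tool referenced is the Android Debug Bridge.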
......@@ -250,3 +283,44 @@ wget https://dl.google.com/android/repository/platform-tools-latest-linux.zip &&
sudo unzip platform-tools-latest-linux.zip -d /etc/ && rm platform-tools-latest-linux.zip && \
export PATH="/etc/platform-tools:$PATH"
#+END_SRC
* Windows VM
I still run Windows VMs, used exclusively for gaming.
References:
https://www.qubes-os.org/doc/windows-vm/
https://www.qubes-os.org/doc/windows-tools/
Download a Windows 10 iso to some untrusted VM.
From =dom0=, create a template.
#+BEGIN_SRC sh
qvm-create --class TemplateVM --property virt_mode=HVM --property kernel='' --label black windows-10-template
qvm-prefs windows-10-template memory 4096
qvm-prefs windows-10-template maxmem 4096
qvm-volume extend windows-10-template:root 25g
qvm-prefs windows-10-template debug true
qvm-features windows-10-template video-model cirrus
#+END_SRC
Then start the VM to begin installation using the downloaded iso.
#+BEGIN_SRC sh
qvm-start --cdrom=untrusted:/home/user/Win10_1809Oct_v2_English_x64.iso windows-10-template
#+END_SRC
Skip product key activation. Select Windows 10 Home. The VM will shutdown once the installer extracts the Windows installation files. Start the VM again to complete the installation. This may need to be done a couple times.
#+BEGIN_SRC sh
qvm-start windows-10-template
#+END_SRC
Once the installation completes, perform the following steps.
#+BEGIN_SRC sh
qvm-features --unset windows-10-template video-model
qvm-prefs windows-10-template qrexec_timeout 300
#+END_SRC
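Review bot: `qvm-prefs windows-10-template debug true` is set before installation, but the post-install block only unsets video-model and sets qrexec_timeout; add `qvm-prefs windows-10-template debug false` alongside `qvm-features --unset windows-10-template video-model` so the template does not keep running in debug mode after setup. In the platform-tools context above, `sudo unzip platform-tools-latest-linux.zip -d /etc/` installs binaries under /etc, which is configuration space; /opt or ~/.local is the usual home for them. Style point: the two "References:" URLs are bare, while the rest of the file uses org [[url][text]] links.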