Commit e31cc9ea authored by Clark's avatar Clark

Starting to add UML to map out Qubes architecture

parent de9fb8de
......@@ -37,15 +37,15 @@ Get the Release Signing Key and validate that the signature includes the Qubes M
#+BEGIN_SRC sh
sudo gpg2 --keyserver-options no-self-sigs-only,no-import-clean --fetch-keys https://keys.qubes-os.org/keys/qubes-release-4-signing-key.asc && \
sudo gpg2 --check-signatures "Qubes OS Release 4 Signing Key"
sudo gpg2 --check-signatures "Qubes OS Release 4 Signing Key"
#+END_SRC
Download and verify the Qubes OS R4.0.3 ISO.
#+BEGIN_SRC sh
wget https://mirrors.edge.kernel.org/qubes/iso/Qubes-R4.0.3-x86_64.iso && \
wget https://mirrors.edge.kernel.org/qubes/iso/Qubes-R4.0.3-x86_64.iso.asc && \
sudo gpg2 -v --verify Qubes-R4.0.3-x86_64.iso.asc Qubes-R4.0.3-x86_64.iso
wget https://mirrors.edge.kernel.org/qubes/iso/Qubes-R4.0.3-x86_64.iso.asc && \
sudo gpg2 -v --verify Qubes-R4.0.3-x86_64.iso.asc Qubes-R4.0.3-x86_64.iso
#+END_SRC
Finally, write the ISO to the USB disk. In this case, my USB is mounted to =/dev/sda=. You may need to change this depending on how you mount your USB.
......@@ -61,36 +61,174 @@ Then flash the ISO to the USB.
sudo dd if=Qubes-R4.0.3-x86_64.iso of=/dev/sda status=progress
#+END_SRC
* TODO Qubes VM architecture
#+begin_src plantuml :file img/Qubes-VM-architecture.svg
' Specifying aesthetics
skinparam backgroundColor #FFF
skinparam shadowing false
skinparam defaultFontColor #404040
skinparam defaultFontSize 24
skinparam frame {
backgroundColor #FEFECE
borderColor #53485C
}
skinparam node {
backgroundColor #FEFECE
borderColor #53485C
}
skinparam rectangle {
backgroundColor<< Public Zone >> #FFE5E5
borderColor<< Public Zone >> #FF4C4C
backgroundColor<< DMZ >> #FFF6E5
borderColor<< DMZ >> #FFC04C
backgroundColor<< Private Zone >> #E5F2E5
borderColor<< Private Zone >> #46A64C
borderColor<< OpenNet >> #FF7F7F
backgroundColor<< OpenNet >> #FFF
borderThickness<< OpenNet >> 8
borderColor<< FastNet >> #FFD27F
borderThickness<< FastNet >> 8
borderColor<< FreeNet >> #7FBF7F
borderThickness<< FreeNet >> 8
}
skinparam control {
borderColor #53485C
}
skinparam component {
borderColor #53485C
}
skinparam cloud {
borderColor #53485C
}
skinparam package {
backgroundColor AliceBlue
borderColor #53485C
}
' Define the network components
allow_mixing
rectangle << UserSpace >> {
}
cloud << Templates >> {
rectangle << Debian >> {
interface "d10" as debian
abstract "d10-ws" as debian_ws {
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#emacs Emacs]]
}
abstract "d10-email" as debian_email {
{method} #ProtonMail Bridge
}
abstract "d10-social" as debian_social {
{method} #Zoom
{method} #Slack
{method} #Element
{method} #Discord
}
}
rectangle << Fedora >> {
interface "f30" as fedora
abstract "f30-ssh-vault" as fedora_ssh_vault {
{static} qubes-rpc qubes.SshAgent
{field} qubes-rpc qubes.SshAgent
}
}
rectangle << Whonix >> {
interface "w15-gw" as whonix_gw
interface "w15-ws" as whonix_ws
}
rectangle << Ubuntu >> {
interface "u18" as ubuntu
}
rectangle << Windows >> {
interface "w10" as windows
}
}
cloud LAN
' Define component connections
'skinparam linetype polyline
'left to right direction
debian <.. debian_ws : cloned
debian <.. debian_email : cloned
debian <.. debian_social : cloned
fedora <. fedora_ssh_vault : cloned
#+end_src
#+RESULTS[785088829eb12787be73e2b4f807c6ecbc24301f]:
[[file:img/Qubes-VM-architecture.svg]]
* TODO Enforce VPN Routing -> Move this to a NetVM (Qubes)
This requires some kind of VPN access. I'm using a low cost VPN provider, PIA. After signing up, the provide authentication credentials, what I'm using below as =vpn_username= and =vpn_password=.
#+begin_src sh
sudo apt install -y openvpn && \
wget --secure-protocol=PFS --https-only https://www.privateinternetaccess.com/openvpn/openvpn.zip && \
unzip openvpn.zip -d openvpn && \
sudo cp openvpn/ca.rsa.2048.crt openvpn/crl.rsa.2048.pem /etc/openvpn/ && \
sudo cp openvpn/US\ California.ovpn /etc/openvpn/local_profile.conf && \
sudo rm -rf openvpn && \
sudo bash -c 'cat <<EOT >> /etc/openvpn/login
wget --secure-protocol=pfs --https-only https://www.privateinternetaccess.com/openvpn/openvpn.zip && \
unzip openvpn.zip -d openvpn && \
sudo cp openvpn/ca.rsa.2048.crt openvpn/crl.rsa.2048.pem /etc/openvpn/ && \
sudo cp openvpn/US\ California.ovpn /etc/openvpn/local_profile.conf && \
sudo rm -rf openvpn && \
sudo bash -c 'cat <<EOT >> /etc/openvpn/login
vpn_username
vpn_password
EOT' && \
sudo chmod 600 /etc/openvpn/login && \
sudo sed -i '/ca ca.rsa.2048.crt/c\ca /etc/openvpn/ca.rsa.2048.crt' /etc/openvpn/local_profile.conf && \
sudo sed -i '/auth-user-pass/c\auth-user-pass /etc/openvpn/login' /etc/openvpn/local_profile.conf && \
sudo sed -i '/crl-verify crl.rsa.2048.pem/c\crl-verify /etc/openvpn/crl.rsa.2048.pem' /etc/openvpn/local_profile.conf &&
sudo systemctl enable openvpn@local_profile && \
sudo systemctl start openvpn@local_profile && \
sudo bash -c 'cat <<EOT >> /etc/openvpn/restart-service
sudo chmod 600 /etc/openvpn/login && \
sudo sed -i '/ca ca.rsa.2048.crt/c\ca /etc/openvpn/ca.rsa.2048.crt' /etc/openvpn/local_profile.conf && \
sudo sed -i '/auth-user-pass/c\auth-user-pass /etc/openvpn/login' /etc/openvpn/local_profile.conf && \
sudo sed -i '/crl-verify crl.rsa.2048.pem/c\crl-verify /etc/openvpn/crl.rsa.2048.pem' /etc/openvpn/local_profile.conf &&
sudo systemctl enable openvpn@local_profile && \
sudo systemctl start openvpn@local_profile && \
sudo bash -c 'cat <<EOT >> /etc/openvpn/restart-service
#/bin/sh
if [ "$(ping -c 3 1.1.1.1 | grep '100% packet loss' )" != "" ]; then
sudo systemctl restart openvpn@local_profile
fi
EOT' && \
sudo chmod +x /etc/openvpn/restart-service && \
sudo crontab -l | { cat; echo "* * * * * /etc/openvpn/restart-service"; } | sudo crontab -
sudo chmod +x /etc/openvpn/restart-service && \
sudo crontab -l | { cat; echo "* * * * * /etc/openvpn/restart-service"; } | sudo crontab -
#+end_src
Test the VPN service initializes using =sudo openvpn --config /etc/openvpn/local_profile.conf= (and exit with =Ctrl-c=).
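Review bot: The `restart-service` heredoc written on the new side (the `sudo bash -c 'cat <<EOT >> /etc/openvpn/restart-service` block) does not produce the script it appears to: the delimiter `EOT` is unquoted, so `$(ping -c 3 1.1.1.1 | grep '100% packet loss')` is expanded once at write time and the saved file carries the literal result, and the single quotes around `100% packet loss` also close the outer `bash -c '…'` string, so the quoting is already broken before that. The first line is `#/bin/sh` rather than `#!/bin/sh`, and `>>` appends on every re-run, so the cron job that is supposed to restart OpenVPN on a dead tunnel cannot be relied on. The credentials file has a smaller issue of the same shape: `/etc/openvpn/login` is created by the heredoc under the default umask and only then `chmod 600`, so the plaintext VPN password is briefly readable by every local user; creating it with `sudo install -m 600 /dev/null /etc/openvpn/login` before the heredoc closes that window. Writing the watchdog with a quoted delimiter through `tee` avoids nesting quotes inside `bash -c` entirely; the proposed replacement for the watchdog lines is below, the rest of the block is unchanged.
```org
sudo install -m 700 /dev/null /etc/openvpn/restart-service && \
sudo tee /etc/openvpn/restart-service >/dev/null <<'EOT'
#!/bin/sh
# Restart the tunnel when three probes to 1.1.1.1 all fail.
if ! ping -c 3 1.1.1.1 >/dev/null 2>&1; then
    systemctl restart openvpn@local_profile
fi
EOT
# … unchanged: crontab entry …
```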
......@@ -105,7 +243,7 @@ First, clone the latest Fedora TemplateVM, naming it /fedora-30-ssh-vault/. Temp
#+BEGIN_SRC sh
sudo dnf install nmap-ncat -y && \
bash -c 'cat <<EOT >> ~/etc/qubes-rpc/qubes.SshAgent
bash -c 'cat <<EOT >> ~/etc/qubes-rpc/qubes.SshAgent
#!/bin/sh
notify-send "[`qubesdb-read /name`] SSH agent access from: $QREXEC_REMOTE_DOMAIN"
ncat -U $SSH_AUTH_SOCK'
......@@ -117,12 +255,12 @@ On the =ssh-vault= AppVM, create an ssh-key, and update the config. Also add an
#+BEGIN_SRC sh
ssh-keygen -t ed25519 -C "sentry@bytecache.io" -f "$HOME"/.ssh/id_rsa -N '' && \
bash -c 'cat <<EOT >> ~/.ssh/config
bash -c 'cat <<EOT >> ~/.ssh/config
VisualHostKey=yes
LogLevel=VERBOSE
EOT' && \
bash -c 'cat <<EOT >> ~user/.config/autostart/ssh-add.desktop
bash -c 'cat <<EOT >> ~user/.config/autostart/ssh-add.desktop
[Desktop Entry]
Name=ssh-add
Exec=ssh-add
......@@ -149,10 +287,10 @@ Wazuh is an HIDS system, which is a fork of OSSEC built on the ELK stack. I'll i
#+begin_src sh
sudo apt install curl apt-transport-https lsb-release gnupg2 -y && \
sudo curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - && \
sudo echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list && \
sudo apt update -y && \
sudo WAZUH_MANAGER="192.168.1.2" apt install wazuh-agent -y
sudo curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - && \
sudo echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list && \
sudo apt update -y && \
sudo WAZUH_MANAGER="192.168.1.2" apt install wazuh-agent -y
#+end_src
For addition steps registering agents to the Wazuh manager, see [[https://documentation.wazuh.com/3.9/user-manual/registering/index.html][the Wazuh guide]].
......@@ -169,14 +307,24 @@ Add and enable the following extensions, in the following order:
5) [[https://addons.mozilla.org/en-US/firefox/addon/pay-by-privacy-com/][Pay by Privacy.com]]
6) [[https://github.com/marcelklehr/floccus][Floccus]]
** Protonmail Bridge
Download and install the Protonmail bridge, for synchronizing email locally for paid Prototonmail accounts.
#+BEGIN_SRC sh
wget --secure-protocol=pfs --https-only https://protonmail.com/download/protonmail-bridge_1.5.2-1_amd64.deb && \
sudo apt install -y ./protonmail-bridge_1.5.2-1_amd64.deb
#+END_SRC
** TODO Git
Live and die by Git. I'm using the handle =sentry=.
#+BEGIN_SRC sh
sudo apt install -y git && \
git config --global user.name "sentry" && \
git config --global user.email "sentry@bytecache.io" && \
git config --global user.name "sentry" && \
git config --global user.email "sentry@bytecache.io" && \
#+END_SRC
Copy the SSH key to clipboard.
......@@ -191,7 +339,7 @@ For virtual machines running in VMware with =open-vm-tools= installed, add the f
#+begin_src sh
Host *
IPQoS lowdelay throughput
IPQoS lowdelay throughput
#+end_src
** Emacs
......@@ -199,14 +347,21 @@ Host *
Setup my preferred text editor, Emacs.
#+BEGIN_SRC sh
sudo apt install -y emacs elpa-evil twittering-mode graphviz elpa-rainbow-mode && \
mkdir ~/.emacs.d && \
cd ~/.emacs.d && \
git init && \
git remote add origin git@git.bytecache.io:ehacks/ehacks.git && \
git fetch origin && \
git reset --hard origin/master && \
git push --set-upstream git@git.bytecache.io:ehacks/ehacks.git master
sudo apt install -y emacs elpa-evil twittering-mode graphviz elpa-rainbow-mode default-jre && \
mkdir ~/.emacs.d && \
cd ~/.emacs.d && \
git init && \
git remote add origin git@git.bytecache.io:ehacks/ehacks.git && \
git fetch origin && \
git reset --hard origin/master && \
git push --set-upstream git@git.bytecache.io:ehacks/ehacks.git master
#+END_SRC
If the host is running =Ubuntu=, and emacs version is stuck at 25.x, run the following to install emacs26.
#+BEGIN_SRC sh
sudo add-apt-repository ppa:kelleyk/emacs && \
sudo apt update && sudo apt install emacs26
#+END_SRC
** TODO Riot and Whalebird
......@@ -215,12 +370,12 @@ git push --set-upstream git@git.bytecache.io:ehacks/ehacks.git master
#+BEGIN_SRC sh
sudo wget -O /usr/share/keyrings/riot-im-archive-keyring.gpg https://packages.riot.im/debian/riot-im-archive-keyring.gpg && \
echo "deb [signed-by=/usr/share/keyrings/riot-im-archive-keyring.gpg] https://packages.riot.im/debian/ default main" |
sudo tee /etc/apt/sources.list.d/riot-im.list && \
sudo apt update && \
sudo apt install -y riot-desktop && \
wget https://github.com/h3poteto/whalebird-desktop/releases/download/4.1.0/Whalebird-4.1.0-linux-x64.deb && \
sudo dpkg -i Whalebird-4.1.0-linux-x64.deb
echo "deb [signed-by=/usr/share/keyrings/riot-im-archive-keyring.gpg] https://packages.riot.im/debian/ default main" |
sudo tee /etc/apt/sources.list.d/riot-im.list && \
sudo apt update && \
sudo apt install -y riot-desktop && \
wget https://github.com/h3poteto/whalebird-desktop/releases/download/4.1.0/Whalebird-4.1.0-linux-x64.deb && \
sudo dpkg -i Whalebird-4.1.0-linux-x64.deb
#+END_SRC
** Rust
......@@ -228,7 +383,7 @@ sudo dpkg -i Whalebird-4.1.0-linux-x64.deb
First install Rust.
#+BEGIN_SRC sh
curl --tlsv1.2 https://sh.rustup.rs -sSf | sh -s -- -y
curl --tlsv1.2 https://sh.rustup.rs -sSf | sh -s -- -y
#+END_SRC
Then some additional utilities.
......@@ -247,20 +402,35 @@ Install various libraries for Python.
#+BEGIN_SRC sh
sudo apt install -y python3-venv && \
pip3 install --upgrade --user pip && \
pip3 install --user jedi autopep8 yapf flake8 flake8-bandit keystone-engine capstone ropper unicorn
pip3 install --upgrade --user pip && \
pip3 install --user jedi autopep8 yapf flake8 flake8-bandit keystone-engine capstone ropper unicorn
pip install virtualenv
#+END_SRC
** Ethereum
Install latest version of Node, Ethereum, solc, ganache, solium.
#+BEGIN_SRC emacs-lisp
sudo add-apt-repository ppa:ethereum/ethereum -y && \
sudo apt update && \
sudo apt install -y solc && \
cd ~ && \
curl -sL https://deb.nodesource.com/setup_10.x -o nodesource_setup.sh && \
sudo bash nodesource_setup.sh && \
sudo apt install -y nodejs && \
sudo npm install -g truffle ganache-cli solium
#+END_SRC
** R
Install R from CRAN.
#+BEGIN_SRC sh
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E19F5F87128899B192B1A2C2AD5F960A256A04AF && \
sudo add-apt-repository 'deb https://cloud.r-project.org/bin/linux/debian buster-cran35/' && \
sudo apt update && \
sudo apt install -y r-base
sudo add-apt-repository 'deb https://cloud.r-project.org/bin/linux/debian buster-cran35/' && \
sudo apt update && \
sudo apt install -y r-base
#+END_SRC
** GDB
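Review bot: The new Ethereum block fetches `https://deb.nodesource.com/setup_10.x` and immediately runs it with `sudo bash nodesource_setup.sh`, executing an unverified remote script as root with nothing pinning its contents; the same block then runs `sudo npm install -g truffle ganache-cli solium`, which runs package install scripts as root as well. Every other installer on this page at least goes through a signed apt repository or a GPG-verified download, so this is the weakest link in the workstation setup. At minimum record the script's hash and check it before executing, e.g. `echo "<expected-sha256>  nodesource_setup.sh" | sha256sum -c - && sudo bash nodesource_setup.sh`, or add the NodeSource apt repository with a `signed-by=` keyring as the Riot block does and let apt verify the packages. Separately, the block is tagged `#+BEGIN_SRC emacs-lisp` although its body is shell; org-babel would try to evaluate it as Lisp, so the tag should be `#+BEGIN_SRC sh` to match the surrounding blocks.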
......@@ -269,8 +439,8 @@ GDB is the GNU Project Debugger, facilitating low level analysis of executable p
#+BEGIN_SRC sh
sudo apt install -y gdb && \
git clone https://github.com/longld/peda.git ~/peda && \
echo "source ~/peda/peda.py" >> ~/.gdbinit
git clone https://github.com/longld/peda.git ~/peda && \
echo "source ~/peda/peda.py" >> ~/.gdbinit
#+END_SRC
** Radare 2
......@@ -279,8 +449,8 @@ Radare2 is a reverse engineering framework.
#+BEGIN_SRC sh
sudo apt install radare2 && \
r2pm init && \
r2pm -i rarop
r2pm init && \
r2pm -i rarop
#+END_SRC
** TODO Cell Phone Utilities
......@@ -289,17 +459,17 @@ I have a Pixel 3 running the [[https://grapheneos.org/][GrapheneOS]]. To flash t
#+BEGIN_SRC sh
cd ~/ && \
wget https://dl.google.com/android/repository/platform-tools-latest-linux.zip && \
sudo unzip platform-tools-latest-linux.zip -d /etc/ && rm platform-tools-latest-linux.zip && \
export PATH="/etc/platform-tools:$PATH"
wget https://dl.google.com/android/repository/platform-tools-latest-linux.zip && \
sudo unzip platform-tools-latest-linux.zip -d /etc/ && rm platform-tools-latest-linux.zip && \
export PATH="/etc/platform-tools:$PATH"
#+END_SRC
* Windows VM
I still run Windows VMs, used exclusively for gaming.
I still run Windows VMs, used exclusively for gaming.
References:
References:
https://www.qubes-os.org/doc/windows-vm/
https://www.qubes-os.org/doc/windows-tools/