QubesOS R3 is a brilliantly smooth and fast Linux distribution built around compartmentalized virtual machines. Some of the built-in customizations that make that speed and ease of use possible need special attention from a security standpoint. I'm referring to QubesOS user management and sudoers. The system comes with numerous predefined users, and all of these users are granted passwordless sudo access. This is fine as long as the user does not attempt to set the system up for some type of remote access under the assumption that new users will not have sudo access. The user could modify their firewall settings and install additional software, creating security vulnerabilities that they would not normally have suspected. To prevent this, I propose the following simple tweak to the net VMs, dom0 and the template VMs. The user account name is assumed to be Ivan in this example.
Open a terminal and edit the login access control table with:
sudo nano /etc/security/access.conf
Add the following lines at the bottom:
#Disallows console logins to all accounts except Ivan:
-:ALL EXCEPT Ivan:LOCAL
#Disallows all non-local logins:
-:ALL:ALL EXCEPT LOCAL
Hit Ctrl-X and save the file. Next, open the PAM login configuration file to force the use of access.conf:
sudo nano /etc/pam.d/login
Add the following line at the bottom:
account required pam_access.so
Hit Ctrl-X and save the file. Repeat this process in all of the net VMs, dom0, and the template VMs.
It should now be impossible to log in to the system remotely.
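To confirm that each net VM, dom0 and template VM actually received the change, the following audit script is an added example, not part of the original procedure. It assumes the paths and rule text shown above; the function names and the script name audit.sh are hypothetical, and it inspects only /etc/pam.d/login, the one PAM file edited here.

```sh
#!/bin/sh
# Added example (not from the original post): audit one VM for the
# access.conf and pam_access changes described above.

# has_rule FILE PERM USERS ORIGINS
# Succeeds if FILE holds an active (uncommented) rule with these fields.
has_rule() {
    awk -F':' -v p="$2" -v u="$3" -v o="$4" '
        # Trim the field and collapse inner runs of blanks.
        function norm(s) {
            gsub(/^[ \t]+|[ \t]+$/, "", s); gsub(/[ \t]+/, " ", s); return s
        }
        /^[ \t]*#/ { next }   # comment lines never count as rules
        NF >= 3 && norm($1) == p && norm($2) == u && norm($3) == o { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# pam_enforces_access FILE
# Succeeds if FILE has an active "account required pam_access.so" line.
pam_enforces_access() {
    grep -Eq '^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so([[:space:]]|$)' "$1"
}

# audit_lockdown ACCESS_CONF PAM_LOGIN USER
# Prints one line per finding and returns the number of missing pieces.
audit_lockdown() {
    missing=0
    has_rule "$1" "-" "ALL EXCEPT $3" "LOCAL" ||
        { echo "MISSING: console rule for $3 in $1"; missing=$((missing + 1)); }
    has_rule "$1" "-" "ALL" "ALL EXCEPT LOCAL" ||
        { echo "MISSING: non-local deny rule in $1"; missing=$((missing + 1)); }
    pam_enforces_access "$2" ||
        { echo "MISSING: pam_access.so account line in $2"; missing=$((missing + 1)); }
    [ "$missing" -eq 0 ] && echo "OK: both rules and the PAM line are present"
    return "$missing"
}

# Audit the live files only when an account name is given: sh audit.sh Ivan
[ "$#" -eq 0 ] || audit_lockdown /etc/security/access.conf /etc/pam.d/login "$1"
```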