Qubes User Forum: qubes-devel mailing list
Qubes SoC Project [message #17957] Tue, 09 April 2019 04:51
Harry Pantazis
Greetings,

I've gone through the GSoC ideas page and I've found a lot of nice projects. I was supposed to get in contact as part of GSoC, but since Qubes OS isn't among the organizations, I'm contacting you anyway :)


The ideas (ordered by preference) that interest me:
* Wayland Support (I like sway)
* In-VM Configuration
* LogVM(s)

If someone is interested in mentoring me in some way, giving me tips or collaborating with me I'm open to discussion.

Harry

--
Re: Qubes SoC Project [message #18183 is a reply to message #17957] Tue, 09 April 2019 23:30
Marek Marczykowski-Górecki
On Mon, Apr 08, 2019 at 09:51:53PM -0700, Harry Pantazis wrote:
> Greetings,
>
> I've gone through the GSoC ideas page and I've found a lot of nice projects. I was supposed to get in contact as part of GSoC, but since Qubes OS isn't among the organizations, I'm contacting you anyway :)
>
>
> The ideas (ordered by preference) that interest me:
> * Wayland Support (I like sway)
> * In-VM Configuration
> * LogVM(s)

This is a great choice!
Wayland support is IMO the most beneficial for Qubes, but also the most
challenging of those tasks. There are actually two (mostly independent)
parts - support for Wayland in dom0 (in gui-daemon) and support for
Wayland in VM (in gui-agent). It's perfectly fine to focus on one of
them only.

On the other hand, LogVM(s) is probably the simplest one, but still
pretty cool.

> If someone is interested in mentoring me in some way, giving me tips or collaborating with me I'm open to discussion.

I'll be happy to provide any kind of assistance you'll need.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

--
Re: Qubes SoC Project [message #18263 is a reply to message #18183] Wed, 10 April 2019 06:10
Mataku
Hi,

By LogVM(s) you mean collecting the logs of the VMs and trying to detect
any compromised state?
Re: Qubes SoC Project [message #18276 is a reply to message #17957] Wed, 10 April 2019 07:12
Zrubi
On 4/9/19 6:51 AM, Harry Pantazis wrote:

> The ideas (ordered by preference) that interest me:
> * Wayland Support (I like sway)
> * In-VM Configuration
> * LogVM(s)
>
> If someone is interested in mentoring me in some way, giving me
> tips or collaborating with me I'm open to discussion.

I'm happy to collaborate about the LogVM project.

As I'm really interested in making that happen, and I have already played
with log (and traffic) analysis:
http://zrubi.hu/en/2017/traffic-analysis-qubes/
http://zrubi.hu/en/2017/siem-at-home/

I think all of those can be related (and hopefully useful) to Qubes
Log VMs too.
(As I have worked with enterprise-level SIEM solutions for years, I have
some experience in this field.)

--
Zrubi

--
Re: Qubes SoC Project [message #19727 is a reply to message #18276] Mon, 15 April 2019 06:36
Mataku
Haha, I suggested it to Frederic one year ago.
But we need to salt all VMs with an auditd policy, rsyslog forwarding, a
HIDS, build a syslog-ng repo and the most difficult part... do you know any
SIEM that doesn't eat the power? xD
Splunk: no.
Graylog: GPL (as far as I know).
Elastic?: no, for power saving.
We can use the VirusTotal API for the HIDS check with file checksums
(requires a free account for limited submissions, but enough I guess for
the USB VM).
It is a very tough project, but this is what Qubes OS needs. Absolutely,
because this is the first thing I was thinking of when someone showed me the
project. How do you know this VM is compromised?
Nothing....
But something we can do is:
- build a minimum version for laptops (it is kind of nonsense because of
the battery power, haha)
- build a solution for the server/cloud version of Qubes. This is a very
good project! This can be a physical server with an open-source SOC based on
Qubes OS.
Re: Qubes SoC Project [message #19740 is a reply to message #19727] Mon, 15 April 2019 07:36
Zrubi
On 4/15/19 8:36 AM, Scarpafo Scarpafo wrote:
> Haha, I suggested it to Frederic one year ago. But we need to salt
> all VMs with an auditd policy, rsyslog forwarding, a HIDS, build a
> syslog-ng repo and the most difficult part... do you know any SIEM
> that doesn't eat the power? xD
Well, we should not aim to create a full SIEM in this project, but
"only" a log collecting (and parsing) VM, and the stuff needed for this.

As log collecting (and parsing) is the very first requirement of every
SIEM, we can't skip this part. As I already did it (see my blog):
basic log parsing can be done by syslog-ng (or maybe rsyslog, or
nxlog) with only very small resources needed.

The Qubes-specific part would be the "special" log forwarding, instead
of using the TCP/UDP network. But the solution is already here: see the
current template network access method.

Then, if we have the architecture and the Qubes-specific log
collecting solution, we can start extending it by defining what kinds
of logs we need, and what we can do with them...

But to jump ahead and answer your question:
As you may read on my blog, I started a tiny SIEM-like project which
runs on my home NAS. And this thing has only 512 MB RAM total. :)

Of course it does not work like the big huge ELK/Splunk/QRadar, but
produces something like well-defined daily statistics instead. I would say
that is a good start for seeing what happened in our home network. And I
think the same should apply to a Qubes box.

--
Zrubi

--
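The architecture Zrubi sketches above (a log-collecting qube fed through the Qubes RPC mechanism instead of TCP/UDP, which then parses what it receives) as an added example, not code from Qubes OS or from anyone in this thread: the receiving end the LogVM would run as a qrexec service, taking the sender's identity from the RPC layer rather than from the log line itself. The service name my.LogForward, the spool directory and the use of the QREXEC_REMOTE_DOMAIN variable are assumptions; the sample log lines are constructed.

```python
# Added example (not Qubes OS code): the LogVM side of a qrexec RPC service that
# reads one qube's syslog stream from stdin and spools it under the verified name.
# Sender side (hypothetical): rsyslog output piped into
#   qrexec-client-vm logvm my.LogForward
import os
import re
import sys
from collections import Counter

# RFC 3164-style record as emitted by rsyslog's traditional forwarding
# template: "<PRI>Mon DD HH:MM:SS host tag[pid]: message".
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)
# Qube names use a small alphabet; anything else is refused rather than
# used to build a path under the spool directory.
VM_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{0,30}$")

# Constructed sample batch (not captured from a real qube): line 4 has no
# PRI header, line 5 an out-of-range PRI, line 6 a hostname claiming dom0.
SAMPLE_LINES = [
    "<34>Apr 15 08:36:01 work sshd[812]: Failed password for root from 10.137.0.5 port 4422 ssh2",
    "<86>Apr 15 08:36:02 work sudo: user : TTY=pts/0 ; COMMAND=/usr/bin/apt update",
    "<14>Apr 15 08:36:03 work qubes.Updates[1201]: proxy connection established",
    "garbage line with no PRI header\r\n",
    "<999>Apr 15 08:36:04 work kernel: out-of-range priority",
    "<14>Apr 15 08:36:05 dom0 cron[7]: host field is whatever the sender writes",
]

def parse_line(line):
    """Return the parsed syslog fields, or None if the line is not valid syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0..23, severity 0..7
        return None
    return {"facility": pri >> 3, "severity": pri & 7, "ts": m.group("ts"),
            "host": m.group("host"), "tag": m.group("tag"), "msg": m.group("msg")}

def normalize(source_vm, lines):
    """Return (records, summary) for one untrusted qube's raw lines.

    The sender's hostname field is replaced by the qrexec-verified source_vm,
    CRs are stripped so one line cannot forge a second record, and unparsable
    lines are kept as RAW so a broken or hostile sender cannot make them vanish.
    """
    if not VM_NAME_RE.match(source_vm):
        raise ValueError("refusing invalid source VM name: %r" % source_vm)
    records, by_severity, unparsed = [], Counter(), 0
    for raw in lines:
        raw = raw.rstrip("\n").replace("\r", "")
        if not raw:
            continue
        rec = parse_line(raw)
        if rec is None:
            unparsed += 1
            records.append("%s RAW %s" % (source_vm, raw))
            continue
        by_severity[rec["severity"]] += 1
        records.append("%s %s sev=%d %s: %s" % (
            source_vm, rec["ts"], rec["severity"], rec["tag"], rec["msg"]))
    return records, {"parsed": sum(by_severity.values()), "unparsed": unparsed,
                     "by_severity": dict(sorted(by_severity.items()))}

def main():
    # QREXEC_REMOTE_DOMAIN is assumed to be set by qrexec; without it the
    # constructed sample is processed so the script also runs offline.
    source_vm = os.environ.get("QREXEC_REMOTE_DOMAIN") or "work"
    lines = sys.stdin if "QREXEC_REMOTE_DOMAIN" in os.environ else SAMPLE_LINES
    records, summary = normalize(source_vm, lines)
    spool = os.environ.get("LOGVM_SPOOL", "/tmp/logvm-spool")  # assumed location
    os.makedirs(spool, exist_ok=True)
    with open(os.path.join(spool, source_vm + ".log"), "a", encoding="utf-8") as fh:
        fh.write("\n".join(records) + "\n")
    print(summary, file=sys.stderr)

if __name__ == "__main__":
    main()
```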
Re: Qubes SoC Project [message #19768 is a reply to message #19740] Mon, 15 April 2019 09:54
Mataku
OK, I will check your blog tonight.
rsyslog is already inside each system. Better to use it instead of
installing syslog-ng. Even if ng is better :)

--
Re: Qubes SoC Project [message #19776 is a reply to message #19768] Mon, 15 April 2019 10:26
Mataku
OK,
I read your blog. Nice.
I think before anything technical we have to define the Supervision
Policy.
What are we facing?
Where?
.....

--
Re: Qubes SoC Project [message #19802 is a reply to message #19776] Mon, 15 April 2019 12:34
Mataku
https://simple-evcorr.github.io

--
Re: Qubes SoC Project [message #19815 is a reply to message #19776] Mon, 15 April 2019 13:32
unman
Please don't top post. It makes it much more difficult to follow the
thread.

--
Re: Qubes SoC Project [message #20763 is a reply to message #19815] Thu, 18 April 2019 18:18
Harry Pantazis
Wow!

It's really nice this post got that much attention :D

Since Laszlo has some pre-existing knowledge on the LogVM idea I will try
to focus on the other two and keep communications with him to test and
coordinate.
To reply to all of the above: I know Wayland support is the hardest of the
three, but I'd like to give it a shot.

Within the next days I'll instrument my research on both In-VM
configurations and Wayland support and create a standalone post on the idea
details for feedback.

Regards,
Harry
