How to set up CSI Linux 2023_2 as a Qube in Qubes OS. It's not as straightforward as I would prefer, but maybe in getting this out there, the process might be made better.
I have taken on a challenge to (try to) use Qubes OS as my daily driver. I am sure to be writing some more about that, but that's another topic entirely. For now, let's just focus on getting CSI Linux up and running. Keep in mind, I'm no Qubes expert here, I'm largely learning and figuring this out as I go, so if there's a better way to do something, please don't hesitate to let me know.
As usual, please read through to the end before undertaking this yourself.
To start,
The Requirements:
- CSI Linux Disk qcow2 disk image
  - The other .vmdk image can work too, the commands should be mostly the same, but this is the one I explicitly used. Just swap out the .vmdk file for the .qcow2 file in the commands below.
- Qubes OS up and running
- A "storage" Qube with 80+ GB storage available
  - I have a Qube just for the purpose of storing ISO files, called "ISOs"
- Enough HDD space to grow dom0 by 100 GB
  - It does NOT have this much space by default.
- Linux and Qubes knowledge enough to follow along
NOTE: I cannot go into detail on how to verify whether or not you have enough HDD space for this. But I must caution you... I borked my whole Qubes OS a couple of times doing this and improperly growing dom0 to an insufficient size; I couldn't even boot, I had to do a whole fresh install to get things back up. So proceed with caution.
To get things going, we'll need to make sure we have a couple of utilities in the "storage" Qube (the 7z command comes from the p7zip-full package):
sudo apt install qemu-utils p7zip-full
Next, get the CSI Linux Disk image to this Qube. You can either download it directly or transfer it via USB key, whatever works best for you. I would suggest transferring the 7z compressed image around though, just to save time. Once the transfer is complete, extract the .qcow2 image.
Now, we need to convert the qcow2 image to a raw image:
qemu-img convert -O raw CSI_Linux_2023.2-disk001.qcow2 CSILinux.raw
And we're done in this Qube, but don't shut it down.
Next, we "transfer" the disk image to dom0. I wish there were a better way to accomplish this part, because while it can work for some smaller images (in this case, "only" 50GB in size), as we'll see, it does NOT scale at all for larger images. But before we can do this, we need to make sure that dom0's storage has enough space (it does NOT by default). We can do this by running the following commands in a dom0 terminal:
sudo lvresize --size 100G /dev/mapper/qubes_dom0-root
sudo resize2fs /dev/mapper/qubes_dom0-root
Now I know what you're thinking... I thought it too. 100GB seems a bit excessive when the disk image is only 50GB, right? Wrong. I tried many different sizes, 50GB, 60GB, 75GB... NONE of those worked. I suspect this may have something to do with already having needed to increase the size to create a Kali template, and "caching" the file before "copying" it over to the "real" file, but I am no expert in these things, so I do not actually know WHY for certain, just that 100GB was the magic number that finally allowed this to work for me in this situation.
Now we can finally "transfer" the image to dom0:
qvm-run --pass-io ISOs 'cat "/home/user/CSILinux.raw"' > /home/user/CSILinux.img
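The copy into dom0 is the step where space runs out, and the pipe itself never confirms that the image arrived intact. The following is an added example, not part of the original post: it checks free space before the copy and compares SHA-256 digests after it, validating anything read back from the qube before dom0 uses it. The helper names and the 5 GiB default margin are assumptions.

```shell
#!/bin/sh
# Added example: checks around the qube -> dom0 image copy.
# Helper names and the 5 GiB default margin are assumptions.

# Anything read back from a qube is untrusted in dom0: accept only a short
# run of digits (max 15, so shell arithmetic cannot overflow or be abused).
is_uint() { case $1 in ''|*[!0-9]*|????????????????*) return 1 ;; esac; }

# Accept only a 64-character lowercase hex SHA-256 digest.
is_sha256() { [ ${#1} -eq 64 ] && case $1 in *[!0-9a-f]*) return 1 ;; esac; }

# free_bytes DIR: bytes available on the filesystem holding DIR.
free_bytes() {
    kib=$(df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print $4 }')
    is_uint "$kib" || return 1
    echo $(( $kib * 1024 ))
}

# has_room NEED_BYTES DIR [MARGIN_BYTES]: true only if DIR's filesystem can
# hold NEED_BYTES and still keep MARGIN_BYTES free afterwards.
has_room() {
    margin=${3:-5368709120}
    is_uint "$1" && is_uint "$margin" || return 1
    free=$(free_bytes "$2") || return 1
    [ "$free" -ge $(( $1 + $margin )) ]
}

# verify_copy EXPECTED_SHA256 FILE: true only if FILE hashes to the digest.
verify_copy() {
    is_sha256 "$1" || return 1
    [ "$(sha256sum "$2" 2>/dev/null | awk '{ print $1 }')" = "$1" ]
}

# Use in a dom0 terminal, with the paths and qube name from this page:
#   size=$(qvm-run --pass-io ISOs 'stat -c %s /home/user/CSILinux.raw')
#   has_room "$size" /home/user || echo "not enough room in dom0, do not copy" >&2
#   want=$(qvm-run --pass-io ISOs 'sha256sum /home/user/CSILinux.raw' | cut -c1-64)
#   qvm-run --pass-io ISOs 'cat "/home/user/CSILinux.raw"' > /home/user/CSILinux.img
#   verify_copy "$want" /home/user/CSILinux.img || echo "copy differs from source" >&2
```

This only confirms that the raw file itself fits in dom0's filesystem and matches its source; it does not account for any extra space the later steps may need.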
Finally, we create the VM:
qvm-create --property=virt_mode=hvm --property=memory=8192 --property=kernel='' --label red --standalone --root-move-from /home/user/CSILinux.img CSILinux
But before we start up the Qube, let's double-check a couple of the Qube's settings in the Qube Manager.
In the 'Advanced' tab, make sure you have at least 8192 MB of memory, at least 4 VCPUs, and that "Include in memory balancing" is NOT checked.
Click the 'Apply' button, but keep the 'Basic' tab open and visible; we'll need the networking details shortly.
We can finally start the Qube. But we're not quite done yet...
Once the Qube starts up and you log in, edit the network interface in CSI Linux to statically assign the IP and networking details you see in the Qube's settings 'Basic' tab. I know the 255.255.255.255 subnet mask and gateway don't immediately make sense, and don't look like they'll work, but I have done this a few times here now, and they do.
Finally, the Qubes side of the setup is done, and you can move on to your CSI Linux Post Install setup.
In addition to my "usual" CSI Linux Post Install setup detailed above, I have found it to be of great benefit to make a couple additional changes to CSI Linux, but ONLY as a qube. I would NOT recommend doing this on an "actual" VM or hardware. I am only doing these changes in qubes since, IMHO, the rest of the Qubes OS and setup "makes up" for the "loss" of security these may bring.
Let's first get rid of the sudo password prompt:
sudo visudo
After the "%sudo" line, enter the following:
csi ALL=(ALL:ALL) NOPASSWD:ALL
Ctrl+x to exit, y to save the file, and Enter to finish.
Next, we set the csi user to automatically log in. This is handled by the Display Manager, and CSI Linux uses SLiM.
sudo nano /etc/slim.conf
Find the "auto_login" line and change its value to "yes".
Ctrl+x to exit, y to save the file, and Enter to finish.
Let's also remove a few buttons in the top-right. Qubes doesn't allow for the power on after the power off in a reboot, so there's no point having that button there. Right-click the Restart button, select Properties, and in the Action Buttons window, uncheck Suspend and Restart. We'll also remove the Lock Screen button while we're here (similar reasons). Right-click that button, and select Remove. Click the Remove button to verify you want to remove that launcher.
Finally, take a moment to find a better window size (display resolution in the VM). I found 1440x900 works best for me and my setup, but pick what suits you best.
When you're all done, power off the VM.
And you are DONE!
Finally, a parting
Pro Tip:
Once you've completed your Post Install setup, power off the Qube and rename it to "Template-CSILinux" (or whatever your template naming scheme is). While not a Qube Template in the strict Qubes OS kind of way, we can clone this Qube out, grow the clone's storage to an appropriate size as needed, and then just back up that Qube and archive it, thereby preserving all that investigation's evidence and notes and such, and then delete it and move on to the next. So we're not continuously growing 1 Qube with all the investigations, or continuously rebuilding the Qube.
Growing the storage is very similar to what they would have you do for any other VM. With the VM powered off, simply increase the storage, then power it back up. Once it's booted, start gparted with command:
sudo gparted
Select the storage partition, right-click it, and select "Resize/Move". In the resize window, increase the storage to max. If you get an error about the storage still being mounted, you can right-click it and "Unmount" it. You will get an error that it can't be unmounted as it is in use, but it will allow you to resize the partition. If you do this, reboot immediately upon completion.
Also, don't forget to reconfigure your networking on the new Qube when you clone it.