From cb78b02b63103835469bc33d6243ca33921542d3 Mon Sep 17 00:00:00 2001
From: SaltedBytes <128539064+ama-bit@users.noreply.github.com>
Date: Fri, 1 May 2026 15:02:13 -0400
Subject: [PATCH 1/3] Update vm-install-harden.md
---
vm-install-harden.md | 532 ++++++++++++++++++++++++++++++++++++++-----
1 file changed, 475 insertions(+), 57 deletions(-)
diff --git a/vm-install-harden.md b/vm-install-harden.md
index 8cd7a32..3227cd0 100644
--- a/vm-install-harden.md
+++ b/vm-install-harden.md
@@ -1,24 +1,39 @@
# Virtual Machine Install & Harden ๐ก๏ธ
-Set up and harden an **Ubuntu** virtual machine (VM) in **VirtualBox** (VBox) with secure defaults, including VM creation, installation, and basic post-install security.
+Set up and harden an **Ubuntu** virtual machine (VM) in **VirtualBox** with secure
+defaults, including VM creation, installation, and basic post-install security.
---
-### Verification Flow
+## Scope
-Create VM โก๏ธ Install Ubuntu โก๏ธ Basic Hardening โก๏ธ Post-Install Checks
+**This Guide**
+```md
+Create VM โก๏ธ Install Ubuntu โก๏ธ Harden OS โก๏ธ Harden VirtualBox โก๏ธ Verify & Maintain
+```
+
+**Previous Guide**
+```md
+Download โก๏ธ Verify SHA256 (Integrity) โก๏ธ Verify GPG Signature (Authenticity)
+```
---
-### Platform Specific Commands
+## Tools
-Supported platforms for VirtualBox host:
+| Tool | Purpose |
+|------|---------|
+| Oracle VM VirtualBox | Creates and runs VMs |
+| Ubuntu ISO | Verified installation media |
+| VBoxManage | VirtualBox CLI for advanced configuration |
+| Terminal / PowerShell | Runs hardening and verification commands |
+๐ก *Supported host platforms:*
+```md
๐ป Linux
๐ macOS
-๐ช Windows (PowerShell)
-
-Each platform has its own dropdown section for commands where applicable.
+๐ช Windows (PowerShell)
+```
---
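Review bot: the three fences added in this hunk (the two flow lines and the platform list) are tagged `md` but hold plain text, not Markdown, so renderers will apply Markdown highlighting to arrows and emoji; use an untagged fence or `text` for all three. The Tools table should also say that every CLI step later in the guide assumes `VBoxManage` is on PATH, since that is the first thing that fails on a fresh Windows install.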
@@ -28,24 +43,174 @@ Each platform has its own dropdown section for commands where applicable.
Open Step 1
### Purpose
+Create a new virtual machine in VirtualBox and attach the verified Ubuntu ISO as boot media.
+
+---
+
+### Recommended Specifications
+
+| Setting | Minimum | Recommended |
+|---------|---------|-------------|
+| CPU | 2 cores | 4 cores |
+| RAM | 4 GB | 8 GB |
+| Disk | 25 GB | 50 GB |
+| Display | 16 MB VRAM | 32 MB VRAM |
+| Network | NAT | Host-Only (see Step 4) |
+
+> ๐ These specs are for Ubuntu 24.04 LTS desktop. Adjust based on your
+> host machine's available resources.
+
+---
+
+### GUI Steps (All Platforms)
+
+
+VirtualBox GUI
+
+```md
+1. Open VirtualBox โ Click "New"
+2. Name your VM (e.g. "Ubuntu-24.04")
+3. Set Type: Linux | Version: Ubuntu (64-bit)
+4. Set RAM and CPU to recommended values above
+5. Create a new virtual hard disk
+ - Format: VDI (VirtualBox Disk Image)
+ - Storage: Dynamically allocated
+ - Size: 25 GB minimum, 50 GB recommended
+6. Click Finish
+```
+
+**Attach the verified Ubuntu ISO:**
+```md
+1. Select your VM โ Click "Settings"
+2. Navigate to Storage
+3. Under Controller: IDE โ Click the empty disk icon
+4. Click the disk icon on the right โ "Choose a disk file"
+5. Select your verified ubuntu-XX.XX-desktop-amd64.iso
+6. Click OK
+```
+
+> โ Only attach the ISO verified in vm-verify.md.
+> Do not use ISOs from mirrors or unverified sources.
+
+
+
+---
+
+### CLI Steps (VBoxManage)
+
+> Replace `Ubuntu-24.04` with your chosen VM name.
+> Replace ISO path with the full path to your verified Ubuntu ISO.
+
+
+๐ป Linux
+
+```bash
+# Create the VM
+VBoxManage createvm --name "Ubuntu-24.04" --ostype Ubuntu_64 --register
+
+# Set RAM and CPU
+VBoxManage modifyvm "Ubuntu-24.04" --memory 4096 --cpus 2
+
+# Set display memory
+VBoxManage modifyvm "Ubuntu-24.04" --vram 32
+
+# Create virtual hard disk (size in MB โ 25600 = 25 GB)
+VBoxManage createhd --filename ~/VirtualBox\ VMs/Ubuntu-24.04/Ubuntu-24.04.vdi --size 25600
+
+# Add SATA storage controller
+VBoxManage storagectl "Ubuntu-24.04" --name "SATA Controller" --add sata --controller IntelAhci
+
+# Attach the virtual hard disk
+VBoxManage storageattach "Ubuntu-24.04" --storagectl "SATA Controller" \
+ --port 0 --device 0 --type hdd \
+ --medium ~/VirtualBox\ VMs/Ubuntu-24.04/Ubuntu-24.04.vdi
+
+# Attach the verified Ubuntu ISO
+VBoxManage storageattach "Ubuntu-24.04" --storagectl "SATA Controller" \
+ --port 1 --device 0 --type dvddrive \
+ --medium /path/to/ubuntu-XX.XX-desktop-amd64.iso
+
+# Set boot order โ DVD first for initial installation
+VBoxManage modifyvm "Ubuntu-24.04" --boot1 dvd --boot2 disk --boot3 none --boot4 none
+```
+
+
+
+
+๐ macOS
+
+```bash
+# Create the VM
+VBoxManage createvm --name "Ubuntu-24.04" --ostype Ubuntu_64 --register
-Set up a new virtual machine with proper resources and attach the verified Ubuntu ISO.
+# Set RAM and CPU
+VBoxManage modifyvm "Ubuntu-24.04" --memory 4096 --cpus 2
-### Recommended Settings
+# Set display memory
+VBoxManage modifyvm "Ubuntu-24.04" --vram 32
-- CPU: X cores
-- RAM: X GB
-- Disk: X GB
-- Attach ISO as boot media
+# Create virtual hard disk (size in MB โ 25600 = 25 GB)
+VBoxManage createhd --filename ~/VirtualBox\ VMs/Ubuntu-24.04/Ubuntu-24.04.vdi --size 25600
-### Host-specific Notes
+# Add SATA storage controller
+VBoxManage storagectl "Ubuntu-24.04" --name "SATA Controller" --add sata --controller IntelAhci
-๐ป Linux / ๐ macOS / ๐ช Windows
+# Attach the virtual hard disk
+VBoxManage storageattach "Ubuntu-24.04" --storagectl "SATA Controller" \
+ --port 0 --device 0 --type hdd \
+ --medium ~/VirtualBox\ VMs/Ubuntu-24.04/Ubuntu-24.04.vdi
-- Instructions or commands for creating VM on each platform
+# Attach the verified Ubuntu ISO
+VBoxManage storageattach "Ubuntu-24.04" --storagectl "SATA Controller" \
+ --port 1 --device 0 --type dvddrive \
+ --medium /path/to/ubuntu-XX.XX-desktop-amd64.iso
+
+# Set boot order โ DVD first for initial installation
+VBoxManage modifyvm "Ubuntu-24.04" --boot1 dvd --boot2 disk --boot3 none --boot4 none
+```
+
+๐ช Windows (PowerShell)
+
+```powershell
+# Create the VM
+VBoxManage createvm --name "Ubuntu-24.04" --ostype Ubuntu_64 --register
+
+# Set RAM and CPU
+VBoxManage modifyvm "Ubuntu-24.04" --memory 4096 --cpus 2
+
+# Set display memory
+VBoxManage modifyvm "Ubuntu-24.04" --vram 32
+
+# Create virtual hard disk (size in MB โ 25600 = 25 GB)
+VBoxManage createhd `
+ --filename "$env:USERPROFILE\VirtualBox VMs\Ubuntu-24.04\Ubuntu-24.04.vdi" `
+ --size 25600
+
+# Add SATA storage controller
+VBoxManage storagectl "Ubuntu-24.04" --name "SATA Controller" --add sata --controller IntelAhci
+
+# Attach the virtual hard disk
+VBoxManage storageattach "Ubuntu-24.04" --storagectl "SATA Controller" `
+ --port 0 --device 0 --type hdd `
+ --medium "$env:USERPROFILE\VirtualBox VMs\Ubuntu-24.04\Ubuntu-24.04.vdi"
+
+# Attach the verified Ubuntu ISO
+# Replace with the full path to your verified ISO
+VBoxManage storageattach "Ubuntu-24.04" --storagectl "SATA Controller" `
+ --port 1 --device 0 --type dvddrive `
+ --medium "C:\path\to\ubuntu-XX.XX-desktop-amd64.iso"
+
+# Set boot order โ DVD first for initial installation
+VBoxManage modifyvm "Ubuntu-24.04" --boot1 dvd --boot2 disk --boot3 none --boot4 none
+```
+
+
+
+> โ
VM created and ISO attached. Proceed to Step 2 to install Ubuntu.
+
---
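Review bot: the boot order set on the last line of each CLI block (`--boot1 dvd --boot2 disk`) is never reverted after installation, so any ISO attached later boots ahead of the hardened disk; add a post-install `VBoxManage modifyvm "Ubuntu-24.04" --boot1 disk --boot2 none` or fold it into the ISO-removal step in Step 2. Two smaller points in the same blocks: `VBoxManage createhd` is the legacy spelling and `VBoxManage createmedium disk --filename ... --size 25600` is the form the 7.x manual documents, and the CLI sets the minimums (`--memory 4096 --cpus 2`) while the GUI steps tell the reader to use the recommended values from the table above. The Linux and macOS blocks are byte-identical and could be one "Linux / macOS" block to halve the maintenance surface.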
@@ -56,103 +221,356 @@ Set up a new virtual machine with proper resources and attach the verified Ubunt
Open Step 2
### Purpose
+Install Ubuntu inside the VM using the verified ISO attached in Step 1.
-Install Ubuntu safely following verified ISO.
+---
-### Notes
+### Installation Steps (All Platforms)
-- Partitioning recommendations
-- User setup
-- Enable encryption if desired
+
+VirtualBox GUI
+
+```md
+1. Select your VM in VirtualBox โ Click "Start"
+2. Ubuntu installer will boot from the attached ISO
+3. Select "Try or Install Ubuntu"
+4. Choose your language and keyboard layout
+5. Select "Install Ubuntu"
+6. Installation type:
+ - Erase disk and install Ubuntu (recommended for VM)
+ - Enable LVM if you want flexible disk management
+ - Enable disk encryption (LUKS) if required by your threat model
+7. Set your timezone
+8. Create your user account:
+ - Use a strong password
+ - Enable "Require password to log in"
+ - Do not enable auto-login
+9. Complete installation and restart when prompted
+10. Remove ISO when prompted or via Settings โ Storage
+```
+
+> โ Do not install from an unverified ISO.
+> If you skipped vm-verify.md, complete verification before proceeding.
-### Host-specific Notes
+
-๐ป Linux / ๐ macOS / ๐ช Windows
+---
-- Installation steps, screenshots or CLI commands if needed
+### Post-Install Boot
-
+After installation and restart:
+
+```md
+1. VirtualBox will boot from the virtual hard disk
+2. Log in with the credentials created during installation
+3. Confirm Ubuntu loads correctly before proceeding to hardening
+```
+
+> ๐ If the VM boots back into the installer, the ISO was not removed.
+> Go to Settings โ Storage โ remove the ISO from the optical drive.
---
-## ๐ Step 3: Basic Hardening
+## ๐ Step 3: Harden OS
Open Step 3
### Purpose
+Apply essential security configurations to Ubuntu after installation.
+
+---
+
+### 3a: Update System
+
+```bash
+# Update package lists and upgrade all installed packages
+sudo apt update && sudo apt upgrade -y
-Apply essential security configurations after install.
+# Remove unused packages
+sudo apt autoremove -y
+```
-### Process
+---
+
+### 3b: Enable Firewall (UFW)
+
+```bash
+# Install UFW if not already present
+sudo apt install ufw -y
+
+# Set default policies โ deny all incoming, allow all outgoing
+sudo ufw default deny incoming
+sudo ufw default allow outgoing
-- Enable firewall (UFW)
-- Disable root login
-- Create limited sudo user
-- Automatic security updates
-- Optional: disable unused services or obfuscate ports
+# Allow SSH only if remote access is needed
+# sudo ufw allow ssh
+
+# Enable firewall
+sudo ufw enable
+
+# Confirm firewall status
+sudo ufw status verbose
+```
+
+> ๐ Only open ports you explicitly need.
+> Every open port increases attack surface.
+
+---
+
+### 3c: Disable Root Login
+
+```bash
+# Lock the root account โ sudo user created during install is sufficient
+sudo passwd -l root
+
+# Confirm root is locked
+sudo passwd -S root
+# Expected output: root L (locked)
+```
+
+---
+
+### 3d: Automatic Security Updates
+
+```bash
+# Install unattended-upgrades
+sudo apt install unattended-upgrades -y
+
+# Enable automatic security updates
+sudo dpkg-reconfigure --priority=low unattended-upgrades
+```
+
+---
+
+### 3e: Verify Sudo User
+
+```bash
+# Confirm your user has sudo access
+sudo -l
+
+# Confirm root is not used for regular tasks
+whoami
+# Expected output: your username, not root
+```
+
+---
+
+### 3f: Optional โ Disable Unused Services
+
+```bash
+# List running services
+systemctl list-units --type=service --state=running
+
+# Disable a service (replace SERVICE with the service name)
+sudo systemctl disable --now SERVICE
+
+# Example: disable Bluetooth if not needed
+sudo systemctl disable --now bluetooth
+```
+
+> ๐ Only disable services you understand.
+> Disabling critical services can break system functionality.
---
-## ๐ก๏ธ Step 4: VirtualBox Hardening
+## ๐ก๏ธ Step 4: Harden VirtualBox
Open Step 4
### Purpose
+Reduce the attack surface between the VM guest and the host machine.
+
+---
+
+### 4a: Disable Shared Clipboard and Drag-and-Drop
+
+**GUI:**
+```md
+Settings โ General โ Advanced
+- Shared Clipboard: Disabled
+- Drag'n'Drop: Disabled
+```
-Secure the virtual machine environment.
+**CLI:**
+```bash
+# Disable shared clipboard
+VBoxManage modifyvm "Ubuntu-24.04" --clipboard-mode disabled
-### Suggested Actions
+# Disable drag and drop
+VBoxManage modifyvm "Ubuntu-24.04" --drag-and-drop disabled
+```
+
+---
+
+### 4b: Disable Shared Folders
+
+**GUI:**
+```md
+Settings โ Shared Folders
+- Remove any shared folder entries unless explicitly required
+```
+
+**CLI:**
+```bash
+# List existing shared folders
+VBoxManage showvminfo "Ubuntu-24.04" | grep "Shared folders"
+
+# Remove a shared folder (replace FOLDER-NAME)
+VBoxManage sharedfolder remove "Ubuntu-24.04" --name "FOLDER-NAME"
+```
+
+---
-- Snapshots for rollback
-- Disable unnecessary shared folders and clipboard
-- Restrict USB / network access
-- Adjust VM settings for maximum isolation
+### 4c: Configure Network Isolation
+
+**GUI:**
+```md
+Settings โ Network โ Adapter 1
+- For internet access: NAT
+- For host isolation: Host-Only
+- For full isolation: Not Attached
+```
+
+**CLI:**
+```bash
+# Set network to Host-Only (replace "vboxnet0" with your host-only adapter name)
+VBoxManage modifyvm "Ubuntu-24.04" --nic1 hostonly --hostonlyadapter1 "vboxnet0"
+
+# Or disable network entirely for full isolation
+VBoxManage modifyvm "Ubuntu-24.04" --nic1 none
+```
+
+> ๐ Check available host-only adapters:
+> ```bash
+> VBoxManage list hostonlyifs
+> ```
+
+---
+
+### 4d: Disable USB Access
+
+**GUI:**
+```md
+Settings โ USB
+- Uncheck "Enable USB Controller"
+```
+
+**CLI:**
+```bash
+# Disable USB controller
+VBoxManage modifyvm "Ubuntu-24.04" --usbehci off
+VBoxManage modifyvm "Ubuntu-24.04" --usbxhci off
+```
+
+---
+
+### 4e: Take a Clean Snapshot
+
+```md
+After hardening is complete, take a snapshot to preserve the secure baseline.
+
+GUI:
+Machine โ Take Snapshot โ Name: "Post-Harden Baseline"
+
+CLI:
+```
+```bash
+# Take a snapshot of the current VM state
+VBoxManage snapshot "Ubuntu-24.04" take "Post-Harden Baseline" --description "Clean hardened baseline"
+```
+
+> ๐ Snapshots allow rollback if the VM is later compromised or misconfigured.
+> Take a new snapshot after any significant configuration change.
---
-## โ
Step 5: Verification & Maintenance
+## โ
Step 5: Verify & Maintain
Open Step 5
### Purpose
+Confirm the VM is secure and establish a maintenance routine.
-Ensure VM is secure and properly maintained.
+---
-### Suggested Actions
+### 5a: Verification Checklist
-- Confirm system integrity
-- Update regularly
-- Optional monitoring or antivirus
-- Backup important snapshots
+**VirtualBox Settings**
+- [ ] Shared clipboard disabled
+- [ ] Drag-and-drop disabled
+- [ ] Shared folders removed or restricted
+- [ ] USB controller disabled
+- [ ] Network set to Host-Only or None
+- [ ] Clean snapshot taken
-
+**Ubuntu OS**
+- [ ] System fully updated
+- [ ] UFW enabled and active
+- [ ] Root account locked
+- [ ] Automatic security updates enabled
+- [ ] No unnecessary services running
+- [ ] Login requires password
---
-## ๐ Links
+### 5b: Ongoing Maintenance
-
-Open Links
+```bash
+# Run regularly to keep system updated and secure
+sudo apt update && sudo apt upgrade -y
+sudo apt autoremove -y
-1. [VirtualBox Official Documentation](https://www.virtualbox.org/manual/)
-2. [Ubuntu Security Guide](https://ubuntu.com/security)
-3. [Linux Hardening Guides](https://linuxsecurity.com/)
+# Check firewall status
+sudo ufw status verbose
-
+# Review running services periodically
+systemctl list-units --type=service --state=running
+
+# Check for failed services
+systemctl --failed
+```
---
-## THANK YOU
+### 5c: Snapshot Strategy
+
+```md
+- Post-Harden Baseline โ taken after Step 4 (never delete)
+- Post-Update โ taken after major system updates
+- Pre-Change โ taken before any configuration changes
+```
+
+> ๐ Label snapshots clearly with dates or descriptions.
+> VirtualBox snapshots do not replace external backups.
+
+
---
+## ๐ References
+
+
+Open References
+
+**Official Sources**
+1. [VirtualBox โ Official Documentation](https://www.virtualbox.org/manual/)
+2. [VirtualBox โ VBoxManage Reference](https://www.virtualbox.org/manual/topics/vboxmanage.html)
+3. [VirtualBox โ Security Documentation](https://www.virtualbox.org/manual/topics/Security.html)
+4. [Ubuntu โ Security Guide](https://ubuntu.com/security)
+5. [Ubuntu โ UFW Documentation](https://help.ubuntu.com/community/UFW)
+6. [Ubuntu โ Automatic Updates](https://help.ubuntu.com/community/AutomaticSecurityUpdates)
+
+
+
+---
+## Good Luck!
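Review bot: in 4b, `VBoxManage showvminfo "Ubuntu-24.04" | grep "Shared folders"` matches only the section header, not the folder entries listed beneath it, so the check prints nothing useful even when folders exist; use `VBoxManage showvminfo "Ubuntu-24.04" --machinereadable | grep SharedFolder`, which emits one `SharedFolderNameMachineMapping` line per folder. In 3c, `# Expected output: root L (locked)` is not what `passwd -S` prints (the status field is `L` followed by the date and aging fields, with no `(locked)` text), and on Ubuntu root already has no password, so `passwd -l root` confirms rather than changes anything; say so. 3d installs and reconfigures unattended-upgrades but never verifies it; add `cat /etc/apt/apt.conf.d/20auto-upgrades` and `sudo unattended-upgrade --dry-run --debug` as the check. 4d turns off EHCI and xHCI but not OHCI, so a USB 1.1 controller can remain enabled and the checklist item `USB controller disabled` is not guaranteed.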
From f3d78d5aef5e978eb468a4ecfdeb0d9451e5ffd8 Mon Sep 17 00:00:00 2001
From: SaltedBytes <128539064+ama-bit@users.noreply.github.com>
Date: Sun, 3 May 2026 00:14:09 -0400
Subject: [PATCH 2/3] Update vm-install-harden.md
---
vm-install-harden.md | 355 ++++++++++++++++++++++++++++++++++++++++---
1 file changed, 331 insertions(+), 24 deletions(-)
diff --git a/vm-install-harden.md b/vm-install-harden.md
index 3227cd0..ebc6e4f 100644
--- a/vm-install-harden.md
+++ b/vm-install-harden.md
@@ -37,6 +37,28 @@ Download โก๏ธ Verify SHA256 (Integrity) โก๏ธ Verify GPG Signature (Authentic
---
+## Threat Model
+
+This guide addresses the following threats:
+
+1. Running unverified or compromised installation media
+2. Weak default OS configuration post-install
+3. Guest-to-host escape via shared resources
+4. Unauthorized access through open ports or services
+5. Persistence of a compromised state without rollback capability
+
+This guide does **not** address:
+- Network-level threats external to the VM host
+- Physical access attacks
+- Advanced persistent threats (APT)
+- Full disk encryption of the host machine
+
+> ๐ Hardening is a tradeoff between security and usability.
+> Apply controls that match your actual threat model.
+> Not every step is required for every use case.
+
+---
+
## ๐ Step 1: Create Virtual Machine
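Review bot: the "does not address" list should name the hypervisor itself. Every control in Step 4 narrows intended data channels, but a real guest-to-host escape goes through a VirtualBox or Guest Additions bug, and the only mitigation for that, keeping VirtualBox and the host patched, appears nowhere in the guide; either add it as a control under threat 3 or list it explicitly as out of scope. The phrase `Guest-to-host escape via shared resources` also overstates what the clipboard and shared folders are: they are sanctioned data paths, so `guest-to-host data flow through shared resources` describes the threat more accurately.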
@@ -79,7 +101,12 @@ Create a new virtual machine in VirtualBox and attach the verified Ubuntu ISO as
6. Click Finish
```
+
+
**Attach the verified Ubuntu ISO:**
+
```md
1. Select your VM โ Click "Settings"
2. Navigate to Storage
@@ -89,6 +116,10 @@ Create a new virtual machine in VirtualBox and attach the verified Ubuntu ISO as
6. Click OK
```
+
+
> โ Only attach the ISO verified in vm-verify.md.
> Do not use ISOs from mirrors or unverified sources.
@@ -105,6 +136,9 @@ Create a new virtual machine in VirtualBox and attach the verified Ubuntu ISO as
๐ป Linux
```bash
+# Create the VM directory first if it does not exist
+mkdir -p ~/VirtualBox\ VMs/Ubuntu-24.04/
+
# Create the VM
VBoxManage createvm --name "Ubuntu-24.04" --ostype Ubuntu_64 --register
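Review bot: the `mkdir -p ~/VirtualBox\ VMs/Ubuntu-24.04/` added ahead of `createvm` is redundant and can be wrong. `VBoxManage createvm --register` creates the machine folder itself, under the configured default machine folder, which is not necessarily `~/VirtualBox VMs` (check with `VBoxManage list systemproperties | grep "Default machine folder"`); if the default differs, the later `createhd --filename` path lands outside the VM's own folder. Drop the mkdir and take the folder from `VBoxManage showvminfo "Ubuntu-24.04" --machinereadable | grep CfgFile` instead. The same applies to the identical macOS hunk below.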
@@ -140,6 +174,9 @@ VBoxManage modifyvm "Ubuntu-24.04" --boot1 dvd --boot2 disk --boot3 none --boot4
๐ macOS
```bash
+# Create the VM directory first if it does not exist
+mkdir -p ~/VirtualBox\ VMs/Ubuntu-24.04/
+
# Create the VM
VBoxManage createvm --name "Ubuntu-24.04" --ostype Ubuntu_64 --register
@@ -207,6 +244,30 @@ VBoxManage storageattach "Ubuntu-24.04" --storagectl "SATA Controller" `
VBoxManage modifyvm "Ubuntu-24.04" --boot1 dvd --boot2 disk --boot3 none --boot4 none
```
+> ๐ **Windows CLI โ Known Limitations**
+> VBoxManage is available on Windows but behavior may differ from Linux and macOS.
+> If you encounter errors running these commands:
+>
+> - Confirm VBoxManage is in your system PATH:
+> ```powershell
+> Get-Command VBoxManage
+> ```
+> - If not found, add the VirtualBox installation directory to PATH manually:
+> ```powershell
+> # Default VirtualBox install location
+> $env:PATH += ";C:\Program Files\Oracle\VirtualBox"
+> ```
+> - Run PowerShell as Administrator if permission errors occur
+> - Confirm your VirtualBox version supports the flags used โ some flags
+> differ between VirtualBox versions
+> - If a command fails silently, check the VirtualBox log:
+> ```powershell
+> # Logs are stored per-VM
+> Get-Content "$env:USERPROFILE\VirtualBox VMs\Ubuntu-24.04\Logs\VBox.log"
+> ```
+> - For persistent PATH changes, use System Properties โ
+> Environment Variables โ add VirtualBox directory to System PATH
+
> โ
VM created and ISO attached. Proceed to Step 2 to install Ubuntu.
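Review bot: the bullet `If a command fails silently, check the VirtualBox log` points at `Logs\VBox.log`, but that file is written by the VM process while the VM runs; a failing `VBoxManage modifyvm` or `storageattach` reports on stderr and leaves nothing in VBox.log. Drop the bullet or redirect it to `VBoxManage showvminfo "Ubuntu-24.04"` as the way to confirm a setting took effect. `Run PowerShell as Administrator if permission errors occur` should be qualified: none of the VBoxManage commands in this guide need elevation, and an elevated session only widens what a mistyped path can touch. The session-only nature of `$env:PATH += ";C:\Program Files\Oracle\VirtualBox"` is implied by the last bullet; state it next to the command so readers do not think the fix persisted.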
@@ -234,12 +295,19 @@ Install Ubuntu inside the VM using the verified ISO attached in Step 1.
1. Select your VM in VirtualBox โ Click "Start"
2. Ubuntu installer will boot from the attached ISO
3. Select "Try or Install Ubuntu"
+```
+
+
+
+```md
4. Choose your language and keyboard layout
5. Select "Install Ubuntu"
6. Installation type:
- - Erase disk and install Ubuntu (recommended for VM)
- - Enable LVM if you want flexible disk management
- - Enable disk encryption (LUKS) if required by your threat model
+ - Select "Erase disk and install Ubuntu"
+ - Click "Advanced features" to access:
+ - LVM (flexible disk management)
+ - LVM with encryption (LUKS) โ recommended if your threat model requires it
7. Set your timezone
8. Create your user account:
- Use a strong password
@@ -249,6 +317,22 @@ Install Ubuntu inside the VM using the verified ISO attached in Step 1.
10. Remove ISO when prompted or via Settings โ Storage
```
+
+
+
+
+
+
+
+
> โ Do not install from an unverified ISO.
> If you skipped vm-verify.md, complete verification before proceeding.
@@ -315,7 +399,7 @@ sudo ufw enable
sudo ufw status verbose
```
-> ๐ Only open ports you explicitly need.
+> ๐ Only open ports you explicitly need.
> Every open port increases attack surface.
---
@@ -358,21 +442,191 @@ whoami
---
-### 3f: Optional โ Disable Unused Services
+### 3f: Disable Unused Services โ Optional
+
+Reducing running services reduces attack surface.
+Only disable services you do not need.
+
+**Commonly safe to disable in a VM context:**
+
+| Service | What it does | Disable if... |
+|---------|-------------|---------------|
+| bluetooth | Bluetooth support | No Bluetooth hardware or use |
+| cups | Printing service | No printing needed |
+| avahi-daemon | Network discovery (mDNS) | No local network discovery needed |
+| ModemManager | Mobile broadband management | No modem attached |
+| snapd | Snap package manager | Not using Snap packages โ verify no dependencies first |
```bash
-# List running services
+# List all running services
systemctl list-units --type=service --state=running
-# Disable a service (replace SERVICE with the service name)
+# Check what a service does before disabling
+systemctl status SERVICE
+
+# Disable a service (replace SERVICE with service name from table above)
sudo systemctl disable --now SERVICE
-# Example: disable Bluetooth if not needed
+# Example: disable Bluetooth
sudo systemctl disable --now bluetooth
+
+# Verify service is stopped and disabled
+systemctl is-enabled SERVICE
+systemctl is-active SERVICE
+```
+
+> โ ๏ธ Do not disable services you do not recognize without researching them first.
+> Disabling critical services can break system functionality or prevent boot.
+> snapd in particular may have dependencies on Ubuntu 24.04 โ verify before disabling.
+
+---
+
+### 3g: Verify AppArmor is Active
+
+AppArmor ships with Ubuntu and enforces mandatory access controls on applications.
+It should be active by default โ this step confirms it.
+
+```bash
+# Check AppArmor status
+# aa-status is the canonical command on modern Ubuntu
+sudo aa-status
+
+# Expected output: apparmor module is loaded
+# Profiles should show enforced, not complain mode
+
+# If inactive, enable and start it
+sudo systemctl enable apparmor
+sudo systemctl start apparmor
+```
+
+---
+
+### 3h: Kernel Hardening (sysctl) โ Optional
+
+Apply kernel-level security parameters to reduce attack surface.
+
+> โ ๏ธ Understand each parameter before applying.
+> Some settings may affect VM functionality depending on your use case.
+
+```bash
+# Check the current value of a specific parameter before changing it
+sysctl net.ipv4.ip_forward
+
+# Apply hardening parameters
+sudo tee /etc/sysctl.d/99-hardening.conf < ๐ Changes persist across reboots via `/etc/sysctl.d/`.
+> To revert, delete the file and reboot or re-apply original values.
+
+---
+
+### 3i: SSH Hardening โ Optional
+
+Apply only if SSH access to the VM is needed.
+If SSH is not required, skip this step and ensure port 22 remains closed in UFW.
+
+```bash
+# Confirm SSH is installed
+ssh -V
+
+# Install if needed
+sudo apt install openssh-server -y
+
+# Back up default config before editing
+sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
+
+# Edit SSH configuration
+sudo nano /etc/ssh/sshd_config
+```
+
+**Key settings to configure in `/etc/ssh/sshd_config`:**
+
+```
+# Disable root login via SSH
+PermitRootLogin no
+
+# Disable password authentication โ use key-based auth only
+PasswordAuthentication no
+
+# Limit SSH to specific user (replace USERNAME)
+AllowUsers USERNAME
+
+# Set idle timeout โ disconnect after 5 minutes of inactivity
+ClientAliveInterval 300
+ClientAliveCountMax 0
+```
+
+```bash
+# Restart SSH to apply changes
+sudo systemctl restart ssh
+
+# Confirm SSH is running
+sudo systemctl status ssh
+
+# Allow SSH through UFW if needed
+sudo ufw allow ssh
+```
+
+> โ ๏ธ If you disable password authentication, ensure your SSH key is
+> configured before restarting SSH or you will lose access.
+
+---
+
+### 3j: Audit Logging โ Optional
+
+Enable basic audit logging to track system events and detect suspicious activity.
+
+```bash
+# Install auditd
+sudo apt install auditd -y
+
+# Enable and start the audit daemon
+sudo systemctl enable auditd
+sudo systemctl start auditd
+
+# Confirm auditd is running
+sudo systemctl status auditd
+
+# View recent login events
+sudo ausearch -m LOGIN --start today
+
+# View all recent events
+sudo aureport --start today
```
-> ๐ Only disable services you understand.
-> Disabling critical services can break system functionality.
+> ๐ Audit logs are stored in `/var/log/audit/audit.log`.
+> Log rotation is handled automatically by auditd.
+> For advanced audit rules, see the official linux-audit project:
+> https://github.com/linux-audit/audit-userspace
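Review bot: in 3i, `ClientAliveCountMax 0` does the opposite of the comment above it. Current OpenSSH, including the 9.x release shipped with Ubuntu 24.04, documents that a zero ClientAliveCountMax disables connection termination, so the promised disconnect after 5 minutes never happens; use `ClientAliveCountMax 1` (or a shorter interval with a count of 2 or 3), and note that these keepalives drop unresponsive clients, not idle ones. Before `sudo systemctl restart ssh`, add `sudo sshd -t` so a typo in sshd_config cannot lock you out, and replace `ssh -V` with `dpkg -l openssh-server` or `systemctl status ssh`, since `ssh -V` only proves the client is present. In 3h, the `sudo tee /etc/sysctl.d/99-hardening.conf <` heredoc is cut off in this hunk with no parameters following it, and the step never runs `sudo sysctl --system`, so nothing applies until a reboot. In 3f, the snapd caveat can be concrete: on 24.04 desktop the browser (Firefox) and the App Center are snaps and stop working when snapd is disabled.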
@@ -429,27 +683,75 @@ VBoxManage sharedfolder remove "Ubuntu-24.04" --name "FOLDER-NAME"
### 4c: Configure Network Isolation
-**GUI:**
+Choose the network mode that matches your use case and threat model.
+
+**Network Mode Overview**
+
+| Mode | Internet | Host Access | VM-to-VM | Use Case |
+|------|----------|-------------|----------|----------|
+| NAT | โ
| โ | โ | General use, outbound internet needed |
+| NAT Network | โ
| โ | โ
| Multi-VM setups needing internet |
+| Host-Only | โ | โ
| โ
| Development, host communication needed |
+| Internal Network | โ | โ | โ
| Isolated lab, VM-to-VM only |
+| Not Attached | โ | โ | โ | Full isolation, no network needed |
+| Bridged | โ
| โ
| โ
| โ ๏ธ VM exposed to physical network โ not recommended for hardened setups |
+
+> ๐ For most hardened setups, **Host-Only** or **Not Attached** are preferred.
+> Use the minimum network access your use case requires.
+> Bridged mode exposes the VM directly to your physical network and
+> should be avoided unless explicitly required.
+
+---
+
+**GUI (All Platforms):**
```md
-Settings โ Network โ Adapter 1
-- For internet access: NAT
-- For host isolation: Host-Only
-- For full isolation: Not Attached
+Settings โ Network โ Adapter 1 โ Attached to:
+- NAT
+- NAT Network
+- Host-Only Adapter
+- Internal Network
+- Not Attached
+- Bridged Adapter (not recommended)
```
**CLI:**
+
```bash
-# Set network to Host-Only (replace "vboxnet0" with your host-only adapter name)
+# NAT โ outbound internet, no host or VM-to-VM access
+VBoxManage modifyvm "Ubuntu-24.04" --nic1 nat
+
+# NAT Network โ outbound internet with VM-to-VM communication
+# Requires a NAT network to exist โ create one first if needed
+VBoxManage natnetwork add --netname "SecureNet" --network "10.0.2.0/24" --enable
+VBoxManage modifyvm "Ubuntu-24.04" --nic1 natnetwork --natnetwork1 "SecureNet"
+
+# Host-Only โ no internet, VM can communicate with host and other VMs
+# Replace "vboxnet0" with your host-only adapter name
VBoxManage modifyvm "Ubuntu-24.04" --nic1 hostonly --hostonlyadapter1 "vboxnet0"
-# Or disable network entirely for full isolation
+# Internal Network โ no internet, no host access, VM-to-VM only
+# Replace "intnet" with your chosen internal network name
+# This name must match across all VMs that need to communicate
+VBoxManage modifyvm "Ubuntu-24.04" --nic1 intnet --intnet1 "intnet"
+
+# Not Attached โ full network isolation
VBoxManage modifyvm "Ubuntu-24.04" --nic1 none
+
+# Bridged โ not recommended for hardened setups
+# VM is exposed directly to your physical network
+# Replace "eth0" with your actual host network interface name
+# Run 'ip link show' on Linux or 'ipconfig' on Windows to find it
+VBoxManage modifyvm "Ubuntu-24.04" --nic1 bridged --bridgeadapter1 "eth0"
```
> ๐ Check available host-only adapters:
> ```bash
> VBoxManage list hostonlyifs
> ```
+> Check available NAT networks:
+> ```bash
+> VBoxManage list natnetworks
+> ```
---
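Review bot: recommending `Host-Only` or `Not Attached` for most hardened setups conflicts with Step 3, where 3a, 3d and the 5b maintenance commands all depend on outbound internet; under Host-Only the VM never receives security updates and the `Automatic security updates enabled` checklist item becomes a no-op. State the order explicitly: complete Step 3 under NAT, then switch modes, and note that a Host-Only or Not Attached VM must be re-attached (or refreshed from a snapshot) to patch. The `Host Access` column also needs a definition: in NAT mode the guest can initiate connections to the host through the NAT gateway address while the host cannot reach the guest without port forwarding, so marking NAT as no host access understates the guest-to-host path this guide is trying to minimise. Finally, `--bridgeadapter1 "eth0"` will not exist on macOS (`en0`) or on Linux hosts with predictable interface names (`enp0s3`), so the comment should say the name is host-specific rather than only pointing at `ip link show`/`ipconfig`.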
@@ -463,7 +765,8 @@ Settings โ USB
**CLI:**
```bash
-# Disable USB controller
+# Disable all USB controllers (OHCI = USB 1.1, EHCI = USB 2.0, xHCI = USB 3.0)
+VBoxManage modifyvm "Ubuntu-24.04" --usbohci off
VBoxManage modifyvm "Ubuntu-24.04" --usbehci off
VBoxManage modifyvm "Ubuntu-24.04" --usbxhci off
```
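Review bot: after turning off all three controllers, confirm the pointing device does not still require one. VirtualBox's default for a Linux VM created through the GUI is a USB tablet, and the settings validation flags a USB pointing device with no USB controller, so add `VBoxManage modifyvm "Ubuntu-24.04" --mouse ps2` alongside the three `--usb*hci off` lines (or tell GUI users to check the Pointing Device field on the System tab). Otherwise the GUI checklist item `Uncheck "Enable USB Controller"` leaves readers with a VM that warns on every start.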
@@ -472,14 +775,12 @@ VBoxManage modifyvm "Ubuntu-24.04" --usbxhci off
### 4e: Take a Clean Snapshot
+**GUI:**
```md
-After hardening is complete, take a snapshot to preserve the secure baseline.
-
-GUI:
Machine โ Take Snapshot โ Name: "Post-Harden Baseline"
-
-CLI:
```
+
+**CLI:**
```bash
# Take a snapshot of the current VM state
VBoxManage snapshot "Ubuntu-24.04" take "Post-Harden Baseline" --description "Clean hardened baseline"
@@ -509,7 +810,7 @@ Confirm the VM is secure and establish a maintenance routine.
- [ ] Drag-and-drop disabled
- [ ] Shared folders removed or restricted
- [ ] USB controller disabled
-- [ ] Network set to Host-Only or None
+- [ ] Network mode configured per threat model (see Step 4c)
- [ ] Clean snapshot taken
**Ubuntu OS**
@@ -520,6 +821,12 @@ Confirm the VM is secure and establish a maintenance routine.
- [ ] No unnecessary services running
- [ ] Login requires password
+**Ubuntu OS โ Optional Steps**
+- [ ] AppArmor active and enforcing
+- [ ] sysctl hardening applied (if applicable)
+- [ ] SSH hardened or port 22 confirmed closed (if applicable)
+- [ ] Audit logging enabled (if applicable)
+
---
### 5b: Ongoing Maintenance
From f763e8cf7565ac1197a90ef553f202b4ce8c43e2 Mon Sep 17 00:00:00 2001
From: SaltedBytes <128539064+ama-bit@users.noreply.github.com>
Date: Sun, 3 May 2026 14:32:12 -0400
Subject: [PATCH 3/3] Update vm-install-harden.md
---
vm-install-harden.md | 322 +++++++++++++++++++++++++++++++------------
1 file changed, 236 insertions(+), 86 deletions(-)
diff --git a/vm-install-harden.md b/vm-install-harden.md
index ebc6e4f..cdd9270 100644
--- a/vm-install-harden.md
+++ b/vm-install-harden.md
@@ -1,19 +1,25 @@
# Virtual Machine Install & Harden ๐ก๏ธ
-Set up and harden an **Ubuntu** virtual machine (VM) in **VirtualBox** with secure
-defaults, including VM creation, installation, and basic post-install security.
+Set up and harden an **Ubuntu** virtual machine (VM) in **VirtualBox** with secure
+defaults, including VM creation, installation, and post-install security hardening.
+
+> **Tested on:** Ubuntu 24.04 LTS ยท VirtualBox 7.x ยท Host platforms: Linux, macOS, Windows
+>
+> **Status key used throughout this guide:**
+> - โ
*Tested* โ verified hands-on during authorship
+> - ๐ *Researched* โ sourced from official documentation; not personally verified on every platform
---
## Scope
**This Guide**
-```md
+```
Create VM โก๏ธ Install Ubuntu โก๏ธ Harden OS โก๏ธ Harden VirtualBox โก๏ธ Verify & Maintain
```
**Previous Guide**
-```md
+```
Download โก๏ธ Verify SHA256 (Integrity) โก๏ธ Verify GPG Signature (Authenticity)
```
@@ -29,7 +35,7 @@ Download โก๏ธ Verify SHA256 (Integrity) โก๏ธ Verify GPG Signature (Authentic
| Terminal / PowerShell | Runs hardening and verification commands |
๐ก *Supported host platforms:*
-```md
+```
๐ป Linux
๐ macOS
๐ช Windows (PowerShell)
@@ -39,13 +45,25 @@ Download โก๏ธ Verify SHA256 (Integrity) โก๏ธ Verify GPG Signature (Authentic
## Threat Model
-This guide addresses the following threats:
+This guide addresses the following threats and the controls that mitigate them.
+
+Understanding *why* a control exists matters as much as *how* to apply it โ that's
+what separates a hardened system from one that just ran a checklist.
+
+| # | Threat | Controls That Address It |
+|---|--------|--------------------------|
+| 1 | Running unverified or compromised installation media | ISO verification (prior guide); Step 2 warning to not skip verification |
+| 2 | Weak default OS configuration post-install | Step 3: UFW, root lock, auto-updates, AppArmor |
+| 3 | Guest-to-host escape via shared resources | Step 4: Disable clipboard, drag-and-drop, shared folders, USB |
+| 4 | Unauthorized access through open ports or services | Step 3b (UFW), Step 3f (disable unused services), Step 3i (SSH hardening) |
+| 5 | Persistence of a compromised state without rollback | Step 4e: Snapshot strategy |
+
+**Why each guest-isolation control matters (Threat 3 in depth):**
-1. Running unverified or compromised installation media
-2. Weak default OS configuration post-install
-3. Guest-to-host escape via shared resources
-4. Unauthorized access through open ports or services
-5. Persistence of a compromised state without rollback capability
+- **Shared clipboard** creates a bidirectional data channel between guest and host. If the guest is compromised, this becomes an exfiltration or injection path โ malware in the guest can read from or write to the host's clipboard without any additional privilege escalation.
+- **Drag-and-drop** operates similarly โ it's a file transfer channel that bypasses network controls entirely. An attacker with guest access could use it to stage files on the host.
+- **Shared folders** mount a host filesystem path inside the guest. Any process in the guest โ including malware โ that has filesystem access can read, modify, or delete files on the host through that mount.
+- **USB passthrough** grants the guest direct access to physical USB devices. A compromised guest could interact with USB storage, firmware, or HID devices on the host.
This guide does **not** address:
- Network-level threats external to the VM host
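Review bot: the new Threat Model table leaves network isolation (Step 4c) out of every "Controls That Address It" cell, yet the network-mode table later calls it part of the guest/host boundary; add "Step 4c (network mode)" to Threat 3 and Threat 4 so the table and the steps agree. In the Threat 3 bullets, "without any additional privilege escalation" is the right emphasis for the clipboard, but the drag-and-drop bullet's "stage files on the host" reads as if it is host-initiated; clarify that drag-and-drop is user-driven on the host side, so the risk is a guest presenting attacker-controlled content for a host user to drag, not an autonomous channel.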
@@ -77,10 +95,10 @@ Create a new virtual machine in VirtualBox and attach the verified Ubuntu ISO as
| RAM | 4 GB | 8 GB |
| Disk | 25 GB | 50 GB |
| Display | 16 MB VRAM | 32 MB VRAM |
-| Network | NAT | Host-Only (see Step 4) |
+| Network | NAT | Host-Only (see Step 4c) |
-> ๐ These specs are for Ubuntu 24.04 LTS desktop. Adjust based on your
-> host machine's available resources.
+> ๐ These specs target Ubuntu 24.04 LTS desktop. Adjust based on your host machine's
+> available resources. Server installs can run on significantly less RAM.
---
@@ -89,7 +107,9 @@ Create a new virtual machine in VirtualBox and attach the verified Ubuntu ISO as
VirtualBox GUI
-```md
+โ
*Tested*
+
+```
1. Open VirtualBox โ Click "New"
2. Name your VM (e.g. "Ubuntu-24.04")
3. Set Type: Linux | Version: Ubuntu (64-bit)
@@ -107,7 +127,7 @@ Create a new virtual machine in VirtualBox and attach the verified Ubuntu ISO as
**Attach the verified Ubuntu ISO:**
-```md
+```
1. Select your VM โ Click "Settings"
2. Navigate to Storage
3. Under Controller: IDE โ Click the empty disk icon
@@ -135,6 +155,8 @@ Create a new virtual machine in VirtualBox and attach the verified Ubuntu ISO as
๐ป Linux
+โ
*Tested*
+
```bash
# Create the VM directory first if it does not exist
mkdir -p ~/VirtualBox\ VMs/Ubuntu-24.04/
@@ -173,6 +195,8 @@ VBoxManage modifyvm "Ubuntu-24.04" --boot1 dvd --boot2 disk --boot3 none --boot4
๐ macOS
+๐ *Researched โ commands mirror Linux; paths differ*
+
```bash
# Create the VM directory first if it does not exist
mkdir -p ~/VirtualBox\ VMs/Ubuntu-24.04/
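Review bot: the macOS label says "commands mirror Linux; paths differ", but the command that follows uses the identical `~/VirtualBox\ VMs/Ubuntu-24.04/` path as the Linux block, so the label contradicts the visible code. Either state what actually differs (for example the host network interface name used later in 4c) or drop "paths differ".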
@@ -211,6 +235,8 @@ VBoxManage modifyvm "Ubuntu-24.04" --boot1 dvd --boot2 disk --boot3 none --boot4
๐ช Windows (PowerShell)
+๐ *Researched โ see Known Limitations note below*
+
```powershell
# Create the VM
VBoxManage createvm --name "Ubuntu-24.04" --ostype Ubuntu_64 --register
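Review bot: "see Known Limitations note below" is a dangling reference from this hunk's perspective; make sure a section with that exact title exists in the file, and if it explains why the Windows block is "Researched" rather than "Tested", a one-line summary here (what was not verified) would save the reader the jump.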
@@ -291,7 +317,9 @@ Install Ubuntu inside the VM using the verified ISO attached in Step 1.
VirtualBox GUI
-```md
+โ
*Tested*
+
+```
1. Select your VM in VirtualBox โ Click "Start"
2. Ubuntu installer will boot from the attached ISO
3. Select "Try or Install Ubuntu"
@@ -300,19 +328,22 @@ Install Ubuntu inside the VM using the verified ISO attached in Step 1.
-```md
+```
4. Choose your language and keyboard layout
5. Select "Install Ubuntu"
6. Installation type:
- Select "Erase disk and install Ubuntu"
- Click "Advanced features" to access:
- - LVM (flexible disk management)
- - LVM with encryption (LUKS) โ recommended if your threat model requires it
+ - LVM (flexible disk management โ allows resizing volumes later without reinstalling)
+ - LVM with encryption (LUKS) โ encrypts the virtual disk at rest; recommended if
+ the VM will hold sensitive data or the host machine is shared or portable
7. Set your timezone
8. Create your user account:
- Use a strong password
- Enable "Require password to log in"
- Do not enable auto-login
+ โณ Auto-login bypasses authentication entirely. If the host is left unattended
+ with the VM running, anyone with physical access can open the VM without a password.
9. Complete installation and restart when prompted
10. Remove ISO when prompted or via Settings โ Storage
```
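Review bot: the expanded LUKS note ("recommended if the VM will hold sensitive data or the host machine is shared or portable") should mention the operational cost, because it interacts with a later step: with LUKS selected, every guest reboot stops at the passphrase prompt, which matters for a VM "you might not log into frequently" (the 3d rationale). A single sentence such as "Note that an encrypted guest cannot reboot unattended; it waits for the passphrase at the console" keeps the recommendation honest. The auto-login rationale is correct and worth keeping.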
@@ -335,6 +366,10 @@ Install Ubuntu inside the VM using the verified ISO attached in Step 1.
> โ Do not install from an unverified ISO.
> If you skipped vm-verify.md, complete verification before proceeding.
+>
+> Reason: An unverified ISO could be corrupted or tampered with. The verification
+> step in the prior guide confirms both integrity (SHA256) and authenticity (GPG).
+> Skipping it means you cannot trust the foundation everything else is built on.
@@ -344,7 +379,7 @@ Install Ubuntu inside the VM using the verified ISO attached in Step 1.
After installation and restart:
-```md
+```
1. VirtualBox will boot from the virtual hard disk
2. Log in with the credentials created during installation
3. Confirm Ubuntu loads correctly before proceeding to hardening
@@ -365,10 +400,15 @@ After installation and restart:
### Purpose
Apply essential security configurations to Ubuntu after installation.
+Ubuntu ships with reasonable defaults, but "reasonable defaults" are designed for broad
+compatibility โ not for security. Each step below closes a specific gap.
+
---
### 3a: Update System
+โ
*Tested*
+
```bash
# Update package lists and upgrade all installed packages
sudo apt update && sudo apt upgrade -y
@@ -377,10 +417,15 @@ sudo apt update && sudo apt upgrade -y
sudo apt autoremove -y
```
+> ๐ Many exploits target known vulnerabilities in unpatched software. Running updates
+> immediately after install ensures you are not starting from an already-outdated baseline.
+
---
### 3b: Enable Firewall (UFW)
+โ
*Tested*
+
```bash
# Install UFW if not already present
sudo apt install ufw -y
@@ -399,13 +444,19 @@ sudo ufw enable
sudo ufw status verbose
```
-> ๐ Only open ports you explicitly need.
-> Every open port increases attack surface.
+> ๐ UFW is a frontend for iptables. The default policy here is deny-by-default on inbound,
+> which means no port is reachable unless you explicitly open it. This is the correct posture
+> for a VM that isn't intentionally running services.
+>
+> Every open port is a potential entry point. Only open what you explicitly need โ
+> not what might be convenient later.
---
### 3c: Disable Root Login
+โ
*Tested*
+
```bash
# Lock the root account โ sudo user created during install is sufficient
sudo passwd -l root
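Review bot: the UFW note states the inbound posture correctly but says nothing about outbound, and the Threat Model in this same patch is explicitly concerned with exfiltration from a compromised guest. Add one sentence noting that `ufw default allow outgoing` is the default, so outbound traffic from the guest is unrestricted unless the reader also applies `sudo ufw default deny outgoing` and allows only the destinations they need (e.g. package mirrors); that option is stricter and will break things until the allow rules are in place, which is why it belongs as a stated choice rather than silent default.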
@@ -415,10 +466,20 @@ sudo passwd -S root
# Expected output: root L (locked)
```
+> ๐ Ubuntu creates a sudo-capable user during install and locks root by default,
+> but it's worth explicitly confirming and enforcing this.
+>
+> Why it matters: a locked root account means that even if an attacker gains a
+> foothold in the system, they cannot escalate by simply switching to root โ
+> they still need to know your sudo user's password and abuse a privilege
+> escalation path. It narrows the attack surface on that escalation step.
+
---
### 3d: Automatic Security Updates
+โ
*Tested*
+
```bash
# Install unattended-upgrades
sudo apt install unattended-upgrades -y
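Review bot: the "Why it matters" paragraph for 3c overstates what `passwd -l root` achieves. Locking root's password only removes password authentication as root; a user who already has the sudo user's password can still reach a root shell with `sudo -i`, and a separate privilege-escalation flaw bypasses the lock entirely. The sentence "they still need to know your sudo user's password and abuse a privilege escalation path" should read "either ... or", and the paragraph should say plainly that the lock closes one path (direct root login, including `su` with a root password) rather than narrowing escalation in general.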
@@ -427,10 +488,17 @@ sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure --priority=low unattended-upgrades
```
+> ๐ Security patches are only useful if they're applied. Unattended-upgrades handles
+> security updates specifically (not major version upgrades) โ it applies patches
+> without requiring manual intervention. For a VM you might not log into frequently,
+> this is especially important.
+
---
### 3e: Verify Sudo User
+โ
*Tested*
+
```bash
# Confirm your user has sudo access
sudo -l
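Review bot: 3d is the only "Tested" step without a verification command, while 3b, 3c and 3e each end with one. After `dpkg-reconfigure`, add a check that the periodic job is actually enabled, for example `cat /etc/apt/apt.conf.d/20auto-upgrades` and confirm it contains `APT::Periodic::Unattended-Upgrade "1";`, or `sudo unattended-upgrades --dry-run --debug` to see what would be applied. The rationale's claim that it applies "security updates specifically" is true for the default `Allowed-Origins`, so it is worth saying that it holds because of that default and changes if the reader edits `50unattended-upgrades`.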
@@ -444,18 +512,23 @@ whoami
### 3f: Disable Unused Services โ Optional
-Reducing running services reduces attack surface.
-Only disable services you do not need.
+๐ *Researched โ verify behavior for your specific setup before disabling*
+
+Reducing running services reduces attack surface. Every running service is code that
+could contain vulnerabilities, and code that isn't running can't be exploited.
+
+**When to apply this step:** If the VM is long-lived, networked, or holds sensitive data.
+Skip this step if the VM is short-lived or isolated and you don't want the maintenance overhead.
**Commonly safe to disable in a VM context:**
| Service | What it does | Disable if... |
|---------|-------------|---------------|
-| bluetooth | Bluetooth support | No Bluetooth hardware or use |
+| bluetooth | Bluetooth support | No Bluetooth hardware or use โ VMs typically have no BT hardware |
| cups | Printing service | No printing needed |
-| avahi-daemon | Network discovery (mDNS) | No local network discovery needed |
+| avahi-daemon | Network discovery (mDNS) | No local network discovery needed; also reduces network fingerprint |
| ModemManager | Mobile broadband management | No modem attached |
-| snapd | Snap package manager | Not using Snap packages โ verify no dependencies first |
+| snapd | Snap package manager | Not using Snap packages โ **verify no dependencies first on Ubuntu 24.04** |
```bash
# List all running services
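Review bot: the snapd row's bold "verify no dependencies first on Ubuntu 24.04" is correct but leaves the reader to discover why; on a 24.04 desktop install Firefox and the App Center are shipped as snaps, so disabling snapd silently breaks them. Name that dependency in the table cell, and suggest `snap list` as the check before disabling, since that is the command that shows what would be affected.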
@@ -483,8 +556,14 @@ systemctl is-active SERVICE
### 3g: Verify AppArmor is Active
-AppArmor ships with Ubuntu and enforces mandatory access controls on applications.
-It should be active by default โ this step confirms it.
+โ
*Tested*
+
+AppArmor ships with Ubuntu and enforces mandatory access controls (MAC) on applications.
+It limits what a given process can do โ even if that process is exploited โ by defining
+a profile of allowed behaviors (files it can read, syscalls it can make, etc.).
+This provides a layer of containment that operates independently of standard Unix permissions.
+
+AppArmor should be active by default; this step confirms it.
```bash
# Check AppArmor status
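Review bot: the new AppArmor description lists "syscalls it can make" among the things a profile defines; AppArmor profiles mediate file paths, capabilities, network access and a few other resource classes, but general syscall filtering is seccomp's job, not AppArmor's. Replace "syscalls it can make" with "capabilities it can use" to keep the explanation accurate, since the paragraph is otherwise a good summary of why MAC is a separate layer from Unix permissions.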
@@ -499,11 +578,22 @@ sudo systemctl enable apparmor
sudo systemctl start apparmor
```
+> ๐ "Complain mode" logs violations but does not block them โ it's useful for
+> developing new profiles but provides no actual protection. Ensure profiles
+> show `enforce` mode, not `complain`.
+
---
### 3h: Kernel Hardening (sysctl) โ Optional
-Apply kernel-level security parameters to reduce attack surface.
+๐ *Researched โ parameters sourced from official kernel documentation and established hardening guides*
+
+Apply kernel-level security parameters to reduce attack surface at the OS level.
+These settings affect how the kernel handles networking, memory, and process information.
+
+**When to apply this step:** If the VM is networked, exposed to untrusted input,
+or is part of a higher-security environment. Safe to skip for an isolated dev VM
+with no network exposure.
> โ ๏ธ Understand each parameter before applying.
> Some settings may affect VM functionality depending on your use case.
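Review bot: "Ensure profiles show `enforce` mode, not `complain`" can be read as "every profile in `aa-status` output must be enforce", but Ubuntu ships some profiles in complain mode by design and that is not a misconfiguration. Narrow the guidance to the profiles the reader relies on for containment, and add the concrete check (`sudo aa-status` listing the profile under "profiles are in enforce mode") and the fix (`sudo aa-enforce /etc/apparmor.d/PROFILE`) so the note is actionable rather than alarming.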
@@ -515,25 +605,32 @@ sysctl net.ipv4.ip_forward
# Apply hardening parameters
sudo tee /etc/sysctl.d/99-hardening.conf < โ ๏ธ If you disable password authentication, ensure your SSH key is
-> configured before restarting SSH or you will lose access.
+> configured and tested before restarting SSH โ locking yourself out
+> requires console access to recover.
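Review bot: the strengthened SSH warning is right that recovery needs the console, and in VirtualBox the console is always available, which is worth saying so readers do not over-fear this step. The missing procedural detail is the safe ordering: restart `sshd` with the existing session left open, then open a second session and confirm key-based login succeeds before closing the first; that sequence is what makes "configured and tested" real rather than a reminder.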
---
### 3j: Audit Logging โ Optional
-Enable basic audit logging to track system events and detect suspicious activity.
+๐ *Researched*
+
+**When to apply this step:** If you need a record of system events for security review,
+compliance, or incident investigation. Adds log overhead โ not necessary for a
+short-lived or isolated VM.
```bash
# Install auditd
@@ -640,12 +753,24 @@ sudo aureport --start today
### Purpose
Reduce the attack surface between the VM guest and the host machine.
+VirtualBox provides a hypervisor boundary between guest and host, but that boundary
+is only as strong as the features you leave disabled. Every shared resource โ
+clipboard, USB, folders, network โ is a potential channel for data or code to
+cross that boundary. This step closes those channels.
+
---
### 4a: Disable Shared Clipboard and Drag-and-Drop
+โ
*Tested*
+
+**Why:** Shared clipboard creates a bidirectional channel between guest and host.
+Drag-and-drop is effectively a file transfer mechanism. Both bypass network controls
+and can be abused by a compromised guest to exfiltrate data or stage files on the host.
+If you don't need them, disable them โ the risk is not theoretical.
+
**GUI:**
-```md
+```
Settings โ General โ Advanced
- Shared Clipboard: Disabled
- Drag'n'Drop: Disabled
@@ -664,8 +789,15 @@ VBoxManage modifyvm "Ubuntu-24.04" --drag-and-drop disabled
### 4b: Disable Shared Folders
+โ
*Tested*
+
+**Why:** A shared folder mounts a host path inside the guest. Any process running in the
+guest โ including malware โ with access to the filesystem can read, modify, or delete
+files on the host through that mount point. This is one of the most significant
+guest-to-host attack surfaces in a VM setup.
+
**GUI:**
-```md
+```
Settings โ Shared Folders
- Remove any shared folder entries unless explicitly required
```
@@ -683,35 +815,35 @@ VBoxManage sharedfolder remove "Ubuntu-24.04" --name "FOLDER-NAME"
### 4c: Configure Network Isolation
-Choose the network mode that matches your use case and threat model.
+โ
*Tested (NAT, Host-Only, Not Attached)* ยท ๐ *Researched (NAT Network, Internal, Bridged)*
-**Network Mode Overview**
+Choose the network mode that matches your use case. The principle is minimum necessary
+access โ don't give the VM more network exposure than the task requires.
-| Mode | Internet | Host Access | VM-to-VM | Use Case |
-|------|----------|-------------|----------|----------|
-| NAT | โ
| โ | โ | General use, outbound internet needed |
-| NAT Network | โ
| โ | โ
| Multi-VM setups needing internet |
-| Host-Only | โ | โ
| โ
| Development, host communication needed |
-| Internal Network | โ | โ | โ
| Isolated lab, VM-to-VM only |
-| Not Attached | โ | โ | โ | Full isolation, no network needed |
-| Bridged | โ
| โ
| โ
| โ ๏ธ VM exposed to physical network โ not recommended for hardened setups |
+**Network Mode Comparison**
-> ๐ For most hardened setups, **Host-Only** or **Not Attached** are preferred.
-> Use the minimum network access your use case requires.
-> Bridged mode exposes the VM directly to your physical network and
-> should be avoided unless explicitly required.
+| Mode | Internet | Host Access | VM-to-VM | Use Case | When to Choose |
+|------|----------|-------------|----------|----------|----------------|
+| NAT | โ
| โ | โ | General use, outbound internet needed | Default safe choice when internet access is required |
+| NAT Network | โ
| โ | โ
| Multi-VM setups needing internet | Multiple VMs that need to communicate and reach the internet |
+| Host-Only | โ | โ
| โ
| Development, host communication needed | Local dev/testing where internet isn't needed but host access is |
+| Internal Network | โ | โ | โ
| Isolated lab, VM-to-VM only | Simulating a network without exposing anything to the host |
+| Not Attached | โ | โ | โ | Full isolation | Analysis of untrusted software; no network needed at all |
+| Bridged | โ
| โ
| โ
| โ ๏ธ VM exposed to physical network | Avoid unless explicitly required โ VM is treated as a full network peer |
----
+> ๐ **For most hardened setups:** use **Host-Only** or **Not Attached**.
+>
+> NAT is the VirtualBox default and is a reasonable starting point, but it still
+> provides internet access. If your use case doesn't require internet, Not Attached
+> is the most secure option.
+>
+> Bridged mode places the VM directly on your physical network, where it is visible
+> to other devices and subject to the same threats as any physical machine on that network.
+> Avoid it for hardened or sensitive workloads.
**GUI (All Platforms):**
-```md
-Settings โ Network โ Adapter 1 โ Attached to:
-- NAT
-- NAT Network
-- Host-Only Adapter
-- Internal Network
-- Not Attached
-- Bridged Adapter (not recommended)
+```
+Settings โ Network โ Adapter 1 โ Attached to: [choose mode]
```
**CLI:**
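Review bot: the recommendation "use Host-Only or Not Attached" sits uneasily with Threat 3 (guest-to-host escape) in this same patch, because the Host-Only row's "Host Access ✅" is precisely a guest-to-host network channel: a compromised guest can reach any service the host exposes on the host-only interface. Either rank Not Attached above Host-Only explicitly, or add a "When to Choose" caveat that the host firewall should treat the host-only adapter as an untrusted network. Also, "Analysis of untrusted software" as the Not Attached use case introduces a scenario the Threat Model section does not list; either add it there or use a neutral example.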
@@ -725,22 +857,20 @@ VBoxManage modifyvm "Ubuntu-24.04" --nic1 nat
VBoxManage natnetwork add --netname "SecureNet" --network "10.0.2.0/24" --enable
VBoxManage modifyvm "Ubuntu-24.04" --nic1 natnetwork --natnetwork1 "SecureNet"
-# Host-Only โ no internet, VM can communicate with host and other VMs
-# Replace "vboxnet0" with your host-only adapter name
+# Host-Only โ no internet, VM can communicate with host and other VMs on same adapter
+# Replace "vboxnet0" with your host-only adapter name (see tip below)
VBoxManage modifyvm "Ubuntu-24.04" --nic1 hostonly --hostonlyadapter1 "vboxnet0"
# Internal Network โ no internet, no host access, VM-to-VM only
-# Replace "intnet" with your chosen internal network name
-# This name must match across all VMs that need to communicate
+# The name "intnet" is arbitrary โ must match across all VMs that need to communicate
VBoxManage modifyvm "Ubuntu-24.04" --nic1 intnet --intnet1 "intnet"
# Not Attached โ full network isolation
VBoxManage modifyvm "Ubuntu-24.04" --nic1 none
# Bridged โ not recommended for hardened setups
-# VM is exposed directly to your physical network
-# Replace "eth0" with your actual host network interface name
-# Run 'ip link show' on Linux or 'ipconfig' on Windows to find it
+# VM appears as a device on your physical network
+# Replace "eth0" with your actual host network interface (run 'ip link show' to find it)
VBoxManage modifyvm "Ubuntu-24.04" --nic1 bridged --bridgeadapter1 "eth0"
```
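Review bot: the Host-Only comment now says "(see tip below)" instead of the command that lists adapters; put `VBoxManage list hostonlyifs` directly in the comment so the block stands alone. The rewritten Bridged comment also dropped the Windows hint from the removed lines and still assumes `eth0` and `ip link show`, which do not apply on macOS (interface names like `en0`, and `ifconfig` rather than `ip`) or Windows (`ipconfig`); since the guide claims all three host platforms, keep the per-platform discovery commands, or state that `VBoxManage list bridgedifs` returns the names VirtualBox accepts on every host.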
@@ -757,15 +887,22 @@ VBoxManage modifyvm "Ubuntu-24.04" --nic1 bridged --bridgeadapter1 "eth0"
### 4d: Disable USB Access
+โ
*Tested*
+
+**Why:** USB passthrough gives the guest direct access to physical USB hardware on the host.
+A compromised guest could interact with USB storage (data exfiltration), HID devices
+(keyboard/mouse injection), or USB firmware. If the VM doesn't need USB, disable all controllers.
+
**GUI:**
-```md
+```
Settings โ USB
- Uncheck "Enable USB Controller"
```
**CLI:**
```bash
-# Disable all USB controllers (OHCI = USB 1.1, EHCI = USB 2.0, xHCI = USB 3.0)
+# Disable all USB controllers
+# OHCI = USB 1.1 | EHCI = USB 2.0 | xHCI = USB 3.0
VBoxManage modifyvm "Ubuntu-24.04" --usbohci off
VBoxManage modifyvm "Ubuntu-24.04" --usbehci off
VBoxManage modifyvm "Ubuntu-24.04" --usbxhci off
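Review bot: disabling all three USB controllers can leave the VM with an invalid configuration if its pointing device is set to "USB Tablet" (a common default for desktop VMs), because that emulated device needs a USB controller; VirtualBox then refuses to start the VM until the setting is changed. Add a line noting the reader may need `VBoxManage modifyvm "Ubuntu-24.04" --mouse ps2` (or the GUI equivalent under System > Motherboard > Pointing Device) after this step, and a verification such as `VBoxManage showvminfo "Ubuntu-24.04" | grep -i usb` to confirm all controllers report disabled.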
@@ -775,18 +912,26 @@ VBoxManage modifyvm "Ubuntu-24.04" --usbxhci off
### 4e: Take a Clean Snapshot
+โ
*Tested*
+
+**Why:** A snapshot captures the complete VM state at a point in time. If the VM is
+later compromised or misconfigured, you can restore to a known-good baseline rather
+than rebuilding from scratch. The post-harden snapshot is your recovery point โ
+treat it as permanent.
+
**GUI:**
-```md
+```
Machine โ Take Snapshot โ Name: "Post-Harden Baseline"
```
**CLI:**
```bash
# Take a snapshot of the current VM state
-VBoxManage snapshot "Ubuntu-24.04" take "Post-Harden Baseline" --description "Clean hardened baseline"
+VBoxManage snapshot "Ubuntu-24.04" take "Post-Harden Baseline" \
+ --description "Clean hardened baseline โ Ubuntu 24.04, VirtualBox 7.x"
```
-> ๐ Snapshots allow rollback if the VM is later compromised or misconfigured.
+> ๐ Snapshots are stored within the VM directory. They are not external backups.
> Take a new snapshot after any significant configuration change.
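Review bot: the "Why" text calls the baseline snapshot the recovery point and says to "treat it as permanent", but the command is shown without any statement of VM state. A snapshot taken while the guest is running also saves its memory state, so restoring it resumes whatever was in RAM at the time; for a clean baseline, say explicitly that the VM should be powered off (not saved or running) when `VBoxManage snapshot ... take` runs, and suggest `VBoxManage snapshot "Ubuntu-24.04" list` as the verification that the snapshot exists and is the current one.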
@@ -811,7 +956,7 @@ Confirm the VM is secure and establish a maintenance routine.
- [ ] Shared folders removed or restricted
- [ ] USB controller disabled
- [ ] Network mode configured per threat model (see Step 4c)
-- [ ] Clean snapshot taken
+- [ ] Clean snapshot taken and labeled
**Ubuntu OS**
- [ ] System fully updated
@@ -821,8 +966,8 @@ Confirm the VM is secure and establish a maintenance routine.
- [ ] No unnecessary services running
- [ ] Login requires password
-**Ubuntu OS โ Optional Steps**
-- [ ] AppArmor active and enforcing
+**Ubuntu OS โ Optional Steps Applied**
+- [ ] AppArmor active and enforcing (not complain mode)
- [ ] sysctl hardening applied (if applicable)
- [ ] SSH hardened or port 22 confirmed closed (if applicable)
- [ ] Audit logging enabled (if applicable)
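Review bot: the checklist lists "AppArmor active and enforcing" under "Ubuntu OS - Optional Steps Applied", but the 3g heading in this patch ("Verify AppArmor is Active", marked Tested) carries no "Optional" tag, unlike 3f, 3h and 3j. Either move the AppArmor item into the mandatory "Ubuntu OS" list or add "Optional" to the 3g heading so the checklist and the steps agree.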
@@ -850,14 +995,17 @@ systemctl --failed
### 5c: Snapshot Strategy
-```md
-- Post-Harden Baseline โ taken after Step 4 (never delete)
-- Post-Update โ taken after major system updates
-- Pre-Change โ taken before any configuration changes
+```
+Snapshot Name When to Take
+โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
+Post-Harden Baseline After completing Step 4 โ never delete this
+Post-Update After major system updates
+Pre-Change Before any configuration changes
```
-> ๐ Label snapshots clearly with dates or descriptions.
-> VirtualBox snapshots do not replace external backups.
+> ๐ Label snapshots with dates or descriptions.
+> VirtualBox snapshots do not replace external backups โ they only protect
+> against changes within the VM, not against host-level failures.
@@ -875,9 +1023,11 @@ systemctl --failed
4. [Ubuntu โ Security Guide](https://ubuntu.com/security)
5. [Ubuntu โ UFW Documentation](https://help.ubuntu.com/community/UFW)
6. [Ubuntu โ Automatic Updates](https://help.ubuntu.com/community/AutomaticSecurityUpdates)
+7. [Linux Kernel โ sysctl documentation](https://www.kernel.org/doc/html/latest/admin-guide/sysctl/)
+8. [linux-audit โ auditd project](https://github.com/linux-audit/audit-userspace)
---
-## Good Luck!
+*Authored and maintained by SaltedBytes. Last reviewed: 2026. Tested on Ubuntu 24.04 LTS / VirtualBox 7.x.*
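Review bot: "Last reviewed: 2026" is too coarse to be useful for a hardening guide whose commands are version-sensitive; use a full date (YYYY-MM-DD) and, since the "Tested on" line at the top of the file already states Ubuntu 24.04 LTS and VirtualBox 7.x, either keep the version claim in one place or make sure both are updated together. The two added references look appropriate for the new sysctl and auditd rationale; consider adding the VirtualBox user manual entry for `VBoxManage modifyvm`, since Step 4 relies on its option names throughout.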