Hey, so I booted up QubesOS (4.1.2), and here’s what happened:
started my KeepassXC disposable qubes based on Debian-minimal and unlocked the database
started my sys-net disposable service qube which based on Debian-minimal (only ethernet is attached, not wifi or usb)
started Tor Browser in disposable whonix-workstation qube (whonix-17), which causes depended network qubes to start first (sys-whonix-fw and then sys-whonix)
copy/pasted url for this forum, loaded page, set NoScript to Temp Trusted, page reloaded automatically, typed username (user0), copy/pasted password, and hit enter to login
open new tab, press space bar, select blank space, and cut (to clear qube clipboard)
open profile and each notification in new tab
edit profile About Me, and then start responding to one of the notification posts
type a paragraph
see QubesOS notification saying that sys-audio is starting (?!?!?!?)
sys-audio finishes booting up, so I set audiovm of disposable whonix workstation qube to none, kill KeepassXC, shutdown all qubes, and disconnect ehternet
Okay, so what could have caused this? I am at a loss and don’t actually know how to check logs to see what triggered the starting of the sys-audio qube.
@FranklyFlawless and @fsflover, can either of you (or anyone else) assist me in identifying what caused this anomaly?
Edit: I should add that I do have scripts for starting and shutting down all of my disposable service qubes, and I have launcher items in two separate panels for running these scripts. However, besides the fact that I did not click the launcher to run the startup script for sys-audio, that launcher item is toward the bottom and requires scrolling in order to see and click it.
I do not use sys-audio myself, but I do see a maintained guide for it on the Qubes OS Forum.
I have the camera/microphone hardware kill switch activated nearly all of the time, and use R4.2.1. You may want to upgrade your Qubes OS version to the latest release.
Thank you for the link, but I’ve had this setup working for a while now without issue. I had commented a while ago on the post about setting up a disposable sys-audio service qube based on Debian-minimal. But this issue has never happened before where a qube starts itself. I’m mildly concerned.
I also always have the camera/mic disabled, as I never use them.
I know I need to update, but I need to do backups first and better organize my stuff, and I’ve been procrastinating. But 4.1.2 has not reached EOL yet and is still supported. I still have a few months. And as far as I know, there are still no known exploits that can bypass QubesOS security of currently supported releases.
Also, I’m not a special target, so it’s highly unlikely that this was a hack, but I do take precautions just in case. I’m thinking that there is something that triggered my startup script for sys-audio, and I’d like to check logs to see what that could have been.
So yeah, the problem is not that it is sys-audio. The problem is that a qube started without me triggering it myself.
Okay, wait until @fsflover responds, or you can post in the Qubes OS Forum about this. I think you handled the situation well enough that I would not consider anything compromised.
By the way, you might want to start using it. @jonathon.hall fixed the only issue with it like last year, and having sys-audio will allow you to disable the speakers too.
I will consider it once the Librem 16 is released, the EC firmware is updated, and the Librem Key’s firmware has been rebased to the upstream version first.
Same here, sorry about that. I’ve been procrastinating concerning sys-audio for quite some time although considering it. Qubes forum has many experts on this, so you should ask there.
Hey I found the cause after triggering it again. I accidentally clicked one of my keyboard shortcuts to adjust volume, which each run a command in sys-audio.