Systemcheck with custom hostname?

sapphire993 · February 16, 2026, 5:44pm

say I have a template named “y” and an appvm based on that template named “x”…
I added “hostnamectl set-hostname host” for the rc.local for both of them but it causes issues when I run the systemcheck as “user” on “x”…

systemcheck
[INFO] [systemcheck] x | machine | y TemplateBased AppVM | Mon Feb 16 16:43:57 UTC 2026
[ERROR] [systemcheck] Check 'leaprun check-sudo' result: System misconfiguration detected. No need to panic. This is not a severe issue. However, other tests may be affected due to this.
 
The following command:
leaprun check-sudo ; echo $?
was expected to produce no output with an exit code of zero. The opposite of that happened, indicating an unexpected result.
 
exit_code: 0
 
privilege_escalation_tool_output:
sudo: unable to resolve host host: Temporary failure in name resolution
[ERROR] [systemcheck] Check 'sudo' result: System misconfiguration detected. No need to panic. This is not a severe issue. However, other tests may be affected due to this.
 
The following command:
sudo --non-interactive -- /usr/bin/test -x /usr/bin/test ; echo $?
was expected to produce no output with an exit code of zero. The opposite of that happened, indicating an unexpected result.
 
exit_code: 0
 
privilege_escalation_tool_output:
sudo: unable to resolve host host: Temporary failure in name resolution
[ERROR] [systemcheck] check network interfaces Result: No external network interface found.
 
Recommendation:
https://www.kicksecure.com/wiki/Troubleshooting
 
Debugging information:
Command
ip -o addr show scope global
did not show any output
 
If this error happens only during upgrading or is transient this error can be safely ignored.
 
If you know what you are doing, feel free to disable this check.
Create a file /etc/systemcheck.d/50_user.conf and add:
systemcheck_skip_functions+=" check_network_interfaces "
INFO: Skipping check_qubes_network_interface, because systemcheck_skip_functions includes it.
INFO: Skipping check_tor_bootstrap, because systemcheck_skip_functions includes it.
[INFO] [systemcheck] user-sysmaint-split-check installation check result: Absent
https://www.kicksecure.com/wiki/sysmaint
[INFO] [systemcheck] user-sysmaint-split session detection result: USER Session.
[INFO] [systemcheck] Kicksecure Login Security Check (Colors)
:
+-------+--------------------------------------+
| Users | Password               GUI Autologin |
+-------+--------------------------------------+
| root  | Restricted (Absent)    Disabled      |
| user  | Absent                 Enabled       |
+-------+--------------------------------------+
 
You can adjust these settings using "Manage Passwords" and "Manage GUI Autologin"
in the System Maintenance Panel.
See also:
https://www.kicksecure.com/wiki/Login
https://www.kicksecure.com/wiki/Systemcheck#Physical_Security_Check
[INFO] [systemcheck] Kicksecure APT Repository: Enabled.
When the Kicksecure team releases TRIXIE updates,
they will be AUTOMATICALLY installed (when you run apt-get dist-upgrade)
along with updated packages from the Debian team. Please read https://www.kicksecure.com/wiki/Trust to understand the risk. 
If you want to change this, use:
    sudo repository-dist
[INFO] [systemcheck] Qubes UpdatesProxy Reachability Test: Trying to reach local Qubes UpdatesProxy... PROXY_SERVER: http://127.0.0.1:8082/
[INFO] [systemcheck] Qubes UpdatesProxy Reachability Result: Ok, UpdatesProxy was not reachable.
This is expected because not running in Template.
[INFO] [systemcheck] Qubes UpdatesProxy Connectivity Test: Skipped, because not using --leak-tests (--show-ip), ok.
[INFO] [systemcheck] Debian Package Update Check Result: Skipped. (Because no external network interface detected.)
[INFO] [systemcheck] Please donate!
   See: https://www.kicksecure.com/wiki/Donate

I added the “systemcheck_skip_functions” and I tried to change the /etc/host but these didnt do much…
so I have like two questions from this:

how do I handle all of the above… I dont wanna reveal my hostname to some apps I install etc… yet I wanna have kicksecure with its systemcheck… what do I do???
how the hell this working…
[INFO] [systemcheck] x | machine | y TemplateBased AppVM | Mon Feb 16 16:43:57 UTC 2026

how does it knows the template’s name???
does this mean even if I change the hostname to host apps I install will still be able to know the name of my template and appvm ???

Patrick · February 16, 2026, 10:48pm

It’s not a systemcheck issue. Systemcheck is only the messenger notifying a system configuration issue. As it reports:

sudo --non-interactive – /usr/bin/test -x /usr/bin/test ; echo $?
was expected to produce no output with an exit code of zero. The opposite of that happened, indicating an unexpected result.

So instead of no output, the hostname issue has been output. This can be confusing, cause follow-up issues, hence reported.

The issue is:

hostname configuration: /etc/hosts vs /etc/hostname. If you change the hostname, you must also update /etc/hosts.
sudo issue: sudo performing hostname lookups by default I consider this very strange behavior and a bug but upstream sudo won’t agree. See also: https://superuser.com/questions/429790/sudo-command-trying-to-search-for-hostname

Qubes feature. Not my design.

qubesdb-read /qubes-base-template

Also see:

qubesdb-multiread /

Patrick · February 16, 2026, 10:50pm

Might also be of interest:

sapphire993 · February 17, 2026, 11:11am

got it… so the best way is to run a script to modify the hosts in the rc.locals right?

also reegarding the systemcheck… what do I need to add in the systemcheck_skip_functions so it won’t check for updates please?

I’m so frigging frustrated and angry at the same time right now…
are there any options in your opinion to do something about it??? like right now… what can I do?
I checked how it’s done in the whonix and tried to do the same with the hostname and the hosts file… anything else I should do?

like I read the System Identity Camouflage and Virtual Machine Cloaking and I get it… but I don’t wanna reveal my templates names… how the heck is this even a thing…
please please please tell me you have any kind of a solution to this one

Patrick · February 17, 2026, 8:03pm

1 question = 1 forum thread please.

Whonix: Off-topic in this forum.

systemcheck hardening, Prevent Running APT

sapphire993 · February 18, 2026, 4:02pm

yeah sorry… Im kinda new to all of these

thanks… this helped

nah bro I didnt mean it like that… I didnt mean to ask you to develop something but to like suggest me anything… like what you do for example? I mean it’s leaking some real important data to potentially malicious app… because I name my templates uniquely etc you know?

just if you have any suggestions you know? or advice etc

Patrick · February 19, 2026, 10:00am

A solution similar to:

Dom0 timezone leak - Whonix 17, Qubes R4.2 - Qubes-Whonix - Whonix Forum
Stop leaking dom0 timezone to Qubes-Whonix · Issue #8381 · QubesOS/qubes-issues · GitHub

And/or less perfect, arguably incomplete, but good defense in depth:

An blocking early boot systemd unit that’s starting a script using qubesdb-rm.

Patrick · February 20, 2026, 6:09pm

github.com/QubesOS/qubes-issues

Add controls for qubesdb data

opened 08:30PM - 19 Feb 26 UTC

RandyTheOtter

C: core P: default

[How to file a helpful issue](https://www.qubes-os.org/doc/issue-tracking/) ###… The problem you're addressing (if any) Information accessible through qubesdb is sensitive for certain use cases, but currently there is no good way to control it: https://github.com/QubesOS/qubes-issues/issues/8381 https://forum.qubes-os.org/t/stop-leaking-template-name-in-appvm/39537 ### The solution you'd like Ability to configure what qubes have access to what data. RPC policy comes to mind but this of course is up to the developer. Even something as simple as a toggle that prevents dom0 from sharing any qubesdb data is valuable. ### The value to a user and who that user might be Users can prohibit untrusted domains from accessing sensitive data. Mostly useful for improved privacy, to avoid fingerprinting. This also makes it marginally harder for an attacker to collect system information. ### Completion criteria checklist (This section is for developer use only. Please do not modify it.)

Patrick · February 20, 2026, 6:20pm

FranklyFlawless · February 20, 2026, 7:21pm

Patrick · February 22, 2026, 4:22pm

Correction:

In 2015, at the time of writing around a decade ago, was discussed here: