<h1>Linux Host OS Hardening, Virtualisation and Anti Forensics Setup </h1>
<imgsrc="0.png"style="width:250px">
<p>In this tutorial we're going to cover why it's important to have an Opensource host-OS and virtualisation software for privacy purposes and we're going to go through all the steps we need to set it up. We'll also cover how to harden the OS using kickstart (which was made by the whonix developers), and we'll look at how to virtualize VMs while still using opensource software. </p>
</div>
</div><!-- /row -->
</div><!-- /container -->
</div><!-- /grey -->
<!-- +++++ Second Post +++++ -->
<divid="anon3">
<divclass="container">
<divclass="row">
<divclass="col-lg-8 col-lg-offset-2">
<h2><b>Initial Setup </b></h2>
<p>Most people talk about opsec, but they don't realize how bad their opsec is. You would'nt barricade your bedroom door before barricading the frontdoor right ? In this case, the hardware and the host OS are the front door, and the rest is inside your house. You are leaving your front door opened when you're using a closed source Host OS (for example Windows, or MacOS, or similar). Hence you need a Linux host OS. for example we're going to setup the latest <ahref="https://www.debian.org/download">Debian</a> in this case.</p>
<p>You can use tools like <ahref="https://etcher.balena.io/">balenaetcher</a> to do the same from other OSes like Windows.</p>
<p>Now that's done, we need to reboot the host OS and get into the BIOS:</p>
<imgsrc="1.png"class="imgRz">
<p>In this case we need to spam the F2 key upon booting to arrive into the BIOS. Then navigate to the Boot selection in order to boot to the USB key. for example it can be : </p>
<imgsrc="2.png"class="imgRz">
<imgsrc="3.png"class="imgRz">
<imgsrc="4.png"class="imgRz">
<p>Here instead you just choose the usb key you flashed the linux image on, and boot onto it. Then do as follows:</p>
<imgsrc="5.png"class="imgRz">
<p>Now that's done, follow the installation of the host OS on the harddrive you prefer. <b>Make sure its' not LUKS encrypted</b>, as Kicksecure <ahref="https://github.com/dracutdevs/dracut/issues/1888">still didn't fix</a> the ram-wipe feature for LUKS systems (as of 30/01/2024). Besides, a simple LUKS encryption would not be enough in a situation where you are forced to give out your password. (see veracrypt's details on <ahref="https://veracrypt.eu/en/Plausible%20Deniability.html">Plausible Deniability</a>.)</p>
<!--<img src="6.png" class="imgRz">-->
<imgsrc="10.png"class="imgRz">
<p>Then make sure it has a desktop environment (i recommend cinnamon).</p>
<imgsrc="7.png"class="imgRz">
<p>Then let the install finish and then reboot the computer and remove the usb key, it should then boot into a clean host OS.</p>
</div>
</div><!-- /row -->
</div><!-- /container -->
</div><!-- /white -->
<divid="anon2">
<divclass="container">
<divclass="row">
<divclass="col-lg-8 col-lg-offset-2">
<h2><b>Host OS Hardening (Debian -> Kicksecure)</b></h2></br></br>
<p>Now that we're in our host OS, let's harden it by turning it into a Kicksecure distro:</p>
Found initrd image: /boot/initrd.img-6.1.0-17-amd64
Found linux image: /boot/vmlinuz-6.1.0-15-amd64
Found initrd image: /boot/initrd.img-6.1.0-15-amd64
Warning: os-prober will not be executed to detect other bootable partitions.
Systems on them will not be added to the GRUB boot configuration.
Check GRUB_DISABLE_OS_PROBER documentation entry.
done
</code></pre>
<p>Then you can test if it's working by rebooting and checking the shutdown output logs.Next, we're going to trim out what we don't need from our Host OS. First and foremost, let's get rid of all the logs (both system and kernel logs) on the system. We first make sure that logs are cleared upon startup like so:</p>
<pre><codeclass="nim">
root@debian:~# cat startup.sh
#!/bin/bash
sudo rm -rf /var/log
sudo rm -rf /dev/shm/*
sudo ln -s /dev/shm /var/log
sudo dmesg -c
sudo dmesg -n 1
sudo dmesg -c
#also uncomment the kernel.printk line in /etc/sysctl.conf to avoid the kernel from printing out errors
root@debian:~# chmod +x startup.sh
root@debian:~# vim /etc/sysctl.conf
root@debian:~# cat /etc/sysctl.conf | grep printk
kernel.printk = 3 4 1 3
root@debian:~# vim /etc/systemd/system/startup.service
Created symlink /etc/systemd/system/shutdown.target.wants/startup.service → /etc/systemd/system/startup.service.
</code></pre>
<p>Then we make sure that logs are being cleared out minutely:</p>
<pre><codeclass="nim">
root@debian:~# cat removelogs.sh
#!/bin/bash
rm -rf /dev/shm/*
rm -rf /var/log/*
dmesg -c
root@debian:~# chmod +x removelogs.sh
root@debian:~# crontab -e
</code></pre>
<p>Then we make sure that logs are cleared out upon shutdown, along with VMs shutdowns if there are any, veracrypt volumes closing, and log cleanups:</p>