
nihilist@mainpc - 2024-01-29

Linux Host OS Hardening, Virtualisation and Anti Forensics Setup

In this tutorial we're going to cover why it's important to have an open-source host OS and open-source virtualisation software for privacy purposes, and we'll go through all the steps needed to set them up. We'll also cover how to harden the OS by converting it into Kicksecure (made by the Whonix developers), and how to run VMs while still using only open-source software.

Initial Setup

Most people talk about opsec without realizing how bad theirs is. You wouldn't barricade your bedroom door before barricading the front door, right? Here the hardware and the host OS are the front door, and everything else is inside the house. Running a closed-source host OS (Windows, macOS or similar) means leaving that front door open, since you cannot audit what it does or what it records. Hence you need a Linux host OS; in this case we're going to set up the latest Debian.


[ mainpc ] [ /dev/pts/4 ] [~/Downloads]
→ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-12.4.0-amd64-netinst.iso
--2024-01-30 14:53:15--  https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-12.4.0-amd64-netinst.iso
Resolving cdimage.debian.org (cdimage.debian.org)... 194.71.11.165, 194.71.11.173, 194.71.11.163, ...
Connecting to cdimage.debian.org (cdimage.debian.org)|194.71.11.165|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://gemmei.ftp.acc.umu.se/debian-cd/current/amd64/iso-cd/debian-12.4.0-amd64-netinst.iso [following]
--2024-01-30 14:53:15--  https://gemmei.ftp.acc.umu.se/debian-cd/current/amd64/iso-cd/debian-12.4.0-amd64-netinst.iso
Resolving gemmei.ftp.acc.umu.se (gemmei.ftp.acc.umu.se)... 194.71.11.137, 2001:6b0:19::137
Connecting to gemmei.ftp.acc.umu.se (gemmei.ftp.acc.umu.se)|194.71.11.137|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 658505728 (628M) [application/x-iso9660-image]
Saving to: ‘debian-12.4.0-amd64-netinst.iso’

debian-12.4.0-amd64-netinst.i 100%[=================================================>] 628.00M  6.85MB/s    in 83s

2024-01-30 14:54:39 (7.55 MB/s) - ‘debian-12.4.0-amd64-netinst.iso’ saved [658505728/658505728]
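Before flashing, verify the image. The wget above was silently redirected to a third-party mirror, and the netinst image is the root of trust for everything that follows, so compare it against the SHA512SUMS file Debian publishes in the same directory as the ISO, and check SHA512SUMS.sign against the Debian CD signing key (see https://www.debian.org/CD/verify). The following is an added example, not part of the original post: the network steps are left as comments to run by hand, and check_iso_sha512 is a helper name chosen here that does the offline comparison.

```shell
#!/bin/bash
# Added example (not from the original page): verify a downloaded Debian ISO
# against the SHA512SUMS file that Debian publishes next to the image, so a
# tampered mirror or a truncated download is caught before the image is
# flashed onto a USB stick.
#
# Step 1 (network, run by hand in ~/Downloads):
#   wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA512SUMS
#   wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA512SUMS.sign
#   gpg --verify SHA512SUMS.sign SHA512SUMS   # needs the Debian CD signing key imported
# Step 2 (offline):
#   check_iso_sha512 SHA512SUMS debian-12.4.0-amd64-netinst.iso

# check_iso_sha512 SUMSFILE ISOFILE
# Returns 0 when ISOFILE's SHA-512 matches its entry in SUMSFILE,
# 1 when the hash differs or the file is not listed at all.
check_iso_sha512() {
    local sums="$1" iso="$2"
    local name expected actual
    name="${iso##*/}"
    # SHA512SUMS lines look like "<128 hex chars>  <filename>"; a leading '*'
    # on the filename (binary-mode marker) is tolerated.
    expected="$(awk -v f="$name" '{ n = $2; sub(/^\*/, "", n) } n == f { print $1; exit }' "$sums")"
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 1
    fi
    actual="$(sha512sum -- "$iso" | awk '{ print $1 }')"
    if [ "$expected" != "$actual" ]; then
        echo "SHA-512 MISMATCH for $name" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    echo "OK: $name matches its entry in $sums"
    return 0
}
```

Only flash the stick when both the gpg verification of SHA512SUMS and check_iso_sha512 succeed; a hash match against an unsigned SHA512SUMS fetched from the same mirror proves nothing.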


Then flash it onto a USB stick (here's how to do it from Linux):


[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
→ lsblk
NAME                     MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
sda                        8:0    0  3.6T  0 disk
sdb                        8:16   1 14.6G  0 disk
└─sdb1                     8:17   1 14.6G  0 part  /media/nihilist/022E-0C69


[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
→ sudo umount /media/nihilist/022E-0C69
umount: /media/nihilist/022E-0C69: not mounted.

[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
→ lsblk
NAME                     MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
sda                        8:0    0  3.6T  0 disk
sdb                        8:16   1 14.6G  0 disk
└─sdb1                     8:17   1 14.6G  0 part

→ sudo dd if=debian-12.4.0-amd64-netinst.iso of=/dev/sdb bs=8M status=progress conv=fsync
[sudo] password for nihilist:
78+1 records in
78+1 records out
658505728 bytes (659 MB, 628 MiB) copied, 45.6007 s, 14.4 MB/s

Note that the image goes onto the whole device (/dev/sdb), not onto a partition (/dev/sdb1): the netinst ISO is a hybrid image that carries its own partition table and boot sector, and a copy written inside an existing partition will generally not boot. conv=fsync makes dd wait until the data is actually on the stick before returning. You can use tools like balenaEtcher to do the same from other OSes like Windows.

Once that's done, reboot the host and enter the BIOS/UEFI setup. On this machine that means pressing F2 repeatedly during boot; then navigate to the boot selection menu, pick the USB key you flashed the image onto, and boot from it.

Then follow the installer and put the host OS on the drive you prefer. Make sure it is not LUKS-encrypted: Kicksecure's ram-wipe feature did not yet work on LUKS systems (as of 30/01/2024). Besides, plain LUKS encryption would not help in a situation where you are forced to hand over your password; see VeraCrypt's documentation on plausible deniability.

Make sure it has a desktop environment (I recommend Cinnamon).

Let the install finish, reboot, remove the USB key, and it should boot into a clean host OS.

Host OS Hardening (Debian -> Kicksecure)



Now that we're in our host OS, let's harden it by turning it into Kicksecure:


su -
apt update ; apt full-upgrade ; apt install --no-install-recommends sudo adduser curl apt-transport-tor tor torsocks

/usr/sbin/addgroup --system console

/usr/sbin/adduser nothing console	#replace nothing with your username
/usr/sbin/adduser nothing sudo		#replace nothing with your username

reboot now

After rebooting, install Kicksecure as follows (this must be done as the user added above, in this case nothing):


nothing@debian:~$ sudo apt update -y ; sudo apt full-upgrade -y 
	

Then we download the Kicksecure keyring via Tor and add the repository. Before relying on the key, compare its fingerprint with the one published on Kicksecure's signing-key page; the signed-by option in the repository line tells apt to accept only packages signed by that key:


nothing@debian:~$ sudo torsocks curl --output /usr/share/keyrings/derivative.asc --url http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/keys/derivative.asc
nothing@debian:~$ echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
	
nothing@debian:~$ sudo apt update -y
Hit:1 http://security.debian.org/debian-security bookworm-security InRelease
Hit:2 http://deb.debian.org/debian bookworm InRelease                            
Hit:3 http://deb.debian.org/debian bookworm-updates InRelease                    
Get:4 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm InRelease [39.6 kB]
Get:5 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm/main amd64 Packages [34.3 kB]
Get:6 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm/contrib amd64 Packages [506 B]                
Get:7 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm/non-free amd64 Packages [896 B]               
Fetched 75.3 kB in 31s (2,419 B/s)                                                                                                         
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.

nothing@debian:~$ sudo apt full-upgrade -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

sudo apt install --no-install-recommends kicksecure-cli-host -y
# the Tor connection may drop halfway through; just rerun the command if it fails

Then we do the Post-upgrade steps:


sudo mv /etc/apt/sources.list ~/
sudo touch /etc/apt/sources.list
	
sudo reboot now

When you reboot, you'll see that GRUB now shows Kicksecure instead of Debian:

Next, we make sure that unattended upgrades are enabled so that minor package updates are applied automatically by the system:


nothing@debian:~$ sudo apt install unattended-upgrades apt-listchanges -y
nothing@debian:~$ sudo dpkg-reconfigure -plow unattended-upgrades
	

Next we're going to make sure that the RAM gets overwritten on shutdown and reboot to blunt cold boot attacks. Keep in mind that ram-wipe runs during the shutdown initramfs stage of an orderly shutdown; if the power is simply cut, nothing gets wiped.


nothing@debian:~$ sudo apt install --no-install-recommends ram-wipe 
	

If you are testing from a VM, you need to do the following:


nothing@debian:~$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT wiperam=force"' | sudo tee -a /etc/default/grub.d/50_user.cfg
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT wiperam=force"

nothing@debian:~$ sudo update-grub
Generating grub configuration file ...
Found background image: .background_cache.png
Found linux image: /boot/vmlinuz-6.1.0-17-amd64
Found initrd image: /boot/initrd.img-6.1.0-17-amd64
Found linux image: /boot/vmlinuz-6.1.0-15-amd64
Found initrd image: /boot/initrd.img-6.1.0-15-amd64
Warning: os-prober will not be executed to detect other bootable partitions.
Systems on them will not be added to the GRUB boot configuration.
Check GRUB_DISABLE_OS_PROBER documentation entry.
done
	

You can then test whether it works by rebooting and watching the shutdown output. Next, we trim what we don't need from the host OS. First and foremost, let's get rid of all logs (both system and kernel logs); be aware that this also removes your own ability to troubleshoot the machine after the fact. We start by making sure that logs are cleared on startup, like so:


root@debian:~# cat startup.sh
#!/bin/bash
# Runs as root from systemd at boot, so no sudo is needed.
# Replace /var/log with a symlink into the /dev/shm tmpfs so that nothing
# logged from now on ever touches the disk.
rm -rf /var/log
rm -rf /dev/shm/*
ln -s /dev/shm /var/log

# Stop the kernel from printing anything below "emergency" to the console,
# then clear the kernel ring buffer.
dmesg -n 1
dmesg -c

# also uncomment the kernel.printk line in /etc/sysctl.conf so the console
# log level persists across reboots (see below)

root@debian:~# chmod +x startup.sh

root@debian:~# vim /etc/sysctl.conf

root@debian:~# grep printk /etc/sysctl.conf
kernel.printk = 3 4 1 3
	

Then create a oneshot unit that runs the script at boot. It has to be wanted by multi-user.target; hooking it to shutdown.target would run it at shutdown instead:

root@debian:~# vim /etc/systemd/system/startup.service

root@debian:~# cat /etc/systemd/system/startup.service
[Unit]
Description=Clearing logs at startup
After=local-fs.target

[Service]
Type=oneshot
ExecStart=/root/startup.sh
TimeoutStartSec=0

[Install]
WantedBy=multi-user.target

root@debian:~# systemctl daemon-reload 

root@debian:~# systemctl enable startup
Created symlink /etc/systemd/system/multi-user.target.wants/startup.service → /etc/systemd/system/startup.service.
	

Then we make sure that logs are cleared out every minute while the system is running:


root@debian:~# cat removelogs.sh
#!/bin/bash
# Runs from root's crontab every minute; /var/log is already a symlink to
# /dev/shm at this point, so both rm lines hit the same tmpfs.
rm -rf /dev/shm/*
rm -rf /var/log/*
dmesg -c

root@debian:~# chmod +x removelogs.sh

root@debian:~# crontab -e

and add the following entry so that the script runs every minute:

* * * * * /root/removelogs.sh

Then we make sure that, on shutdown, any Whonix VMs are destroyed and undefined, the VeraCrypt volumes are dismounted, and the logs are cleared one last time. Note that virsh undefine only removes the VM definition from libvirt; the disk images themselves are untouched, which is why they should live on the VeraCrypt volume that gets dismounted right after:


root@debian:~# vim shutdown.sh
root@debian:~# cat shutdown.sh
#!/bin/bash
# Runs as root from systemd (ExecStop), so no sudo is needed.

# remove VMs: stop them, then drop their definitions and their networks
virsh -c qemu:///system destroy Whonix-Gateway
virsh -c qemu:///system destroy Whonix-Workstation
virsh -c qemu:///system undefine Whonix-Gateway
virsh -c qemu:///system undefine Whonix-Workstation
virsh -c qemu:///system net-destroy Whonix-External
virsh -c qemu:///system net-destroy Whonix-Internal
virsh -c qemu:///system net-undefine Whonix-External
virsh -c qemu:///system net-undefine Whonix-Internal

# then dismount all veracrypt volumes (-f forces it even if they are busy)
veracrypt -d -f

# then cleanup logs
rm -rf /dev/shm/*
rm -rf /var/log/*
dmesg -c

root@debian:~# chmod +x shutdown.sh

The unit is started at boot and does its real work in ExecStop: that is what lets systemd order it before libvirtd stops. A unit that is only wanted by shutdown.target and runs its script in ExecStart at shutdown races with libvirtd's own stop job, so the virsh calls may find no daemon to talk to. Also check /etc/default/libvirt-guests: with ON_SHUTDOWN=suspend, libvirt-guests saves the guests' RAM to disk on shutdown, which is exactly what this setup is trying to avoid, so set it to shutdown.

root@debian:~# vim /etc/systemd/system/shutdown.service
root@debian:~# cat /etc/systemd/system/shutdown.service
[Unit]
Description=Shutdown Anti forensics
# Stop ordering is the reverse of start ordering, so After= here means this
# unit's ExecStop runs while libvirtd is still up and before libvirt-guests
# gets a chance to touch the guests.
After=libvirtd.service libvirt-guests.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ExecStop=/root/shutdown.sh

[Install]
WantedBy=multi-user.target
root@debian:~# systemctl daemon-reload
root@debian:~# systemctl enable --now shutdown
Created symlink /etc/systemd/system/multi-user.target.wants/shutdown.service → /etc/systemd/system/shutdown.service.
	

Then you can reboot to see that all logs are removed as intended:


sudo reboot now

root@debian:~# ls -lash /var | grep log
   0 lrwxrwxrwx  1 root root     8 Jan 30 14:13 log -> /dev/shm

root@debian:~# tail -f /var/log/*.log 
tail: cannot open '/var/log/*.log' for reading: No such file or directory
tail: no files remaining

root@debian:~# tail -f /dev/shm/*.log 
tail: cannot open '/dev/shm/*.log' for reading: No such file or directory
tail: no files remaining

root@debian:~# dmesg
root@debian:~# 
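The manual check above can be scripted. The following is an added example, not from the original post: check_volatile_logs (a name chosen here) confirms that /var/log points into the /dev/shm tmpfs, that no log files survived the reboot there, and that the kernel.printk line is active in /etc/sysctl.conf. It takes an optional root prefix so it can be pointed at a mounted or copied filesystem; with no argument it inspects the live system.

```shell
#!/bin/bash
# Added example (not from the original page): a scripted version of the
# post-reboot check. Verifies that the host is in the intended anti-forensic
# state. Every path is checked relative to ROOT (empty = the live system) so
# the function can also be pointed at a test tree or a mounted root.

# check_volatile_logs [ROOT]
# Prints one line per check and returns 0 only if all checks pass.
check_volatile_logs() {
    local root="${1:-}"
    local ok=0 target leftovers

    # 1. /var/log must be a symlink pointing at /dev/shm
    if [ -L "$root/var/log" ] && [ "$(readlink "$root/var/log")" = "/dev/shm" ]; then
        echo "ok:   /var/log -> /dev/shm"
    else
        echo "FAIL: /var/log is not a symlink to /dev/shm"
        ok=1
    fi

    # 2. no log files may have survived under the tmpfs the symlink points to
    #    (only log-like names are counted; /dev/shm also holds unrelated
    #    shared-memory files on a desktop)
    target="$root/dev/shm"
    leftovers="$(find "$target" -mindepth 1 \( -name '*.log*' -o -name 'journal' \
        -o -name 'wtmp' -o -name 'btmp' -o -name 'lastlog' \) 2>/dev/null | wc -l)"
    if [ "$leftovers" -eq 0 ]; then
        echo "ok:   no log files under $target"
    else
        echo "FAIL: $leftovers log file(s) still present under $target"
        ok=1
    fi

    # 3. kernel.printk must be an active (uncommented) line in sysctl.conf
    if grep -Eq '^[[:space:]]*kernel\.printk[[:space:]]*=' "$root/etc/sysctl.conf" 2>/dev/null; then
        echo "ok:   kernel.printk set in /etc/sysctl.conf"
    else
        echo "FAIL: kernel.printk not set in /etc/sysctl.conf"
        ok=1
    fi

    return "$ok"
}
```

Source the file and call check_volatile_logs as root after a reboot; a non-zero exit status means one of the startup or shutdown hooks did not run as expected.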

Virtualisation setup



Next step: we do not virtualize anything using closed-source software such as VMware. We use QEMU/KVM with virt-manager:


nothing@debian:~$ sudo apt install qemu-system-x86 libvirt-daemon-system libvirt-clients virt-manager dnsmasq bridge-utils

nothing@debian:~$ sudo systemctl enable --now libvirtd

nothing@debian:~$ sudo usermod -a -G libvirt nothing
nothing@debian:~$ sudo usermod -a -G kvm nothing

nothing@debian:~$ sudo vim /etc/libvirt/libvirtd.conf 
nothing@debian:~$ grep sock_ /etc/libvirt/libvirtd.conf | grep -v '^#'
unix_sock_group = "libvirt"
unix_sock_rw_perms = "0770"

nothing@debian:~$ sudo vim /etc/libvirt/qemu.conf
nothing@debian:~$ grep -E '^(user|group) ' /etc/libvirt/qemu.conf
user = "nothing"
group = "libvirt"

nothing@debian:~$ sudo systemctl restart libvirtd.service

nothing@debian:~$ virt-manager
	

The new group memberships only take effect after logging out and back in. Setting user = "nothing" in qemu.conf makes libvirt run the QEMU processes as your own account so they can read images in your home directory; the trade-off is that a guest escape then lands in your user account instead of the unprivileged libvirt-qemu user, so keep the VM storage on a separate, dedicated volume. Next, make sure the default NAT network is created, and that the ISOs and VMs folders exist with the correct permissions:


nothing@debian:~$ mkdir ISOs
nothing@debian:~$ mkdir VMs

nothing@debian:~$ sudo chmod 770 -R VMs  
nothing@debian:~$ sudo chmod 770 -R ISOs  
	
nothing@debian:~$ sudo chown nothing:libvirt -R VMs
nothing@debian:~$ sudo chown nothing:libvirt -R ISOs

Then you can add the two directories as storage pools in virt-manager.

And now you're all set to start creating VMs while keeping the whole stack open source.


Contact: nihilist@nowhere.moe (PGP)