blog-contributions/opsec/hypervisorsetup/old.html

486 lines
18 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<link rel="shortcut icon" href="../../../../../../assets/img/favicon.png">
<title>antiforensics Setup</title>
<!-- Bootstrap core CSS -->
<link href="../../assets/css/bootstrap.css" rel="stylesheet">
<link href="../../assets/css/xt256.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="../../assets/css/main.css" rel="stylesheet">
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
<![endif]-->
</head>
<body>
<!-- Static navbar -->
<div class="navbar navbar-inverse-anon navbar-static-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand-anon" href="\index.html">nihilist`s Blog</a>
</div>
<div class="navbar-collapse collapse">
<ul class="nav navbar-nav navbar-right">
<li><a href="/about.html">About</a></li>
<li><a href="/blog.html">Categories</a></li>
<li><a href="https://blog.nowhere.moe/donate.html">Donate</a></li>
<li><a href="/contact.html">Contact</a></li>
</ul>
</div><!--/.nav-collapse -->
</div>
</div>
<!-- +++++ Posts Lists +++++ -->
<!-- +++++ First Post +++++ -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<a href="../index.html">Previous Page</a></br></br><p><img src="../../assets/img/user.png" width="50px" height="50px"> <ba>nihilist@mainpc - 2024-01-29</ba></p>
<h1>Linux Host OS Hardening, Virtualisation and Anti Forensics Setup </h1>
<img src="0.png" style="width:250px">
<p>In this tutorial we're going to cover why it's important to have an Opensource host-OS and virtualisation software for privacy purposes and we're going to go through all the steps we need to set it up. We'll also cover how to harden the OS using kickstart (which was made by the whonix developers), and we'll look at how to virtualize VMs while still using opensource software. </p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /grey -->
<!-- +++++ Second Post +++++ -->
<div id="anon3">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Initial Setup </b></h2>
<p>Most people talk about opsec, but they don't realize how bad their opsec is. You would'nt barricade your bedroom door before barricading the frontdoor right ? In this case, the hardware and the host OS are the front door, and the rest is inside your house. You are leaving your front door opened when you're using a closed source Host OS (for example Windows, or MacOS, or similar). Hence you need a Linux host OS. for example we're going to setup the latest <a href="https://www.debian.org/download">Debian</a> in this case.</p>
<pre><code class="nim">
[ mainpc ] [ /dev/pts/4 ] [~/Downloads]
→ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-12.4.0-amd64-netinst.iso
--2024-01-30 14:53:15-- https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-12.4.0-amd64-netinst.iso
Resolving cdimage.debian.org (cdimage.debian.org)... 194.71.11.165, 194.71.11.173, 194.71.11.163, ...
Connecting to cdimage.debian.org (cdimage.debian.org)|194.71.11.165|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://gemmei.ftp.acc.umu.se/debian-cd/current/amd64/iso-cd/debian-12.4.0-amd64-netinst.iso [following]
--2024-01-30 14:53:15-- https://gemmei.ftp.acc.umu.se/debian-cd/current/amd64/iso-cd/debian-12.4.0-amd64-netinst.iso
Resolving gemmei.ftp.acc.umu.se (gemmei.ftp.acc.umu.se)... 194.71.11.137, 2001:6b0:19::137
Connecting to gemmei.ftp.acc.umu.se (gemmei.ftp.acc.umu.se)|194.71.11.137|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 658505728 (628M) [application/x-iso9660-image]
Saving to: debian-12.4.0-amd64-netinst.iso
debian-12.4.0-amd64-netinst.i 100%[=================================================>] 628.00M 6.85MB/s in 83s
2024-01-30 14:54:39 (7.55 MB/s) - debian-12.4.0-amd64-netinst.iso saved [658505728/658505728]
</code></pre>
<p>Then flash it onto an usb stick (heres how you do it from linux below):</p>
<pre><code class="nim">
[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
→ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 0 3.6T 0 disk
sdb 8:16 1 14.6G 0 disk
<b>└─sdb1 8:17 1 14.6G 0 part /media/nihilist/022E-0C69</b>
[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
→ sudo umount /media/nihilist/022E-0C69
umount: /media/nihilist/022E-0C69: not mounted.
[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
→ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 0 3.6T 0 disk
sdb 8:16 1 14.6G 0 disk
<b>└─sdb1 8:17 1 14.6G 0 part</b>
→ sudo dd if=debian-12.4.0-amd64-netinst.iso of=/dev/sdb1 bs=8M status=progress
[sudo] password for nihilist:
78+1 records in
78+1 records out
658505728 bytes (659 MB, 628 MiB) copied, 45.6007 s, 14.4 MB/s
</code></pre>
<p>You can use tools like <a href="https://etcher.balena.io/">balenaetcher</a> to do the same from other OSes like Windows.</p>
<p>Now that's done, we need to reboot the host OS and get into the BIOS:</p>
<img src="1.png" class="imgRz">
<p>In this case we need to spam the F2 key upon booting to arrive into the BIOS. Then navigate to the Boot selection in order to boot to the USB key. for example it can be : </p>
<img src="2.png" class="imgRz">
<img src="3.png" class="imgRz">
<img src="4.png" class="imgRz">
<p>Here instead you just choose the usb key you flashed the linux image on, and boot onto it. Then do as follows:</p>
<img src="5.png" class="imgRz">
<p>Now that's done, follow the installation of the host OS on the harddrive you prefer. <b>Make sure its' not LUKS encrypted</b>, as Kicksecure <a href="https://github.com/dracutdevs/dracut/issues/1888">still didn't fix</a> the ram-wipe feature for LUKS systems (as of 30/01/2024). Besides, a simple LUKS encryption would not be enough in a situation where you are forced to give out your password. (see veracrypt's details on <a href="https://veracrypt.eu/en/Plausible%20Deniability.html">Plausible Deniability</a>.)</p>
<!--<img src="6.png" class="imgRz">-->
<img src="10.png" class="imgRz">
<p>Then make sure it has a desktop environment (i recommend cinnamon).</p>
<img src="7.png" class="imgRz">
<p>Then let the install finish and then reboot the computer and remove the usb key, it should then boot into a clean host OS.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Host OS Hardening (Debian -> Kicksecure)</b></h2> </br> </br>
<p>Now that we're in our host OS, let's harden it by turning it into a Kicksecure distro:</p>
<pre><code class="nim">
su -
apt update ; apt full-upgrade ; apt install --no-install-recommends sudo adduser curl apt-transport-tor tor torsocks
/usr/sbin/addgroup --system console
/usr/sbin/adduser nothing console #replace nothing with your username
/usr/sbin/adduser nothing sudo #replace nothing with your username
reboot now
</code></pre>
<p>After rebooting, install kicksecure like so: (beware it must be done as the user mentionned above. in this case user is nothing:</p>
<pre><code class="nim">
nothing@debian:~$ sudo apt update -y ; sudo apt full-upgrade -y
</code></pre>
<p>Then we download the kicksecure keyring via tor:</p>
<pre><code class="nim">
nothing@debian:~$ sudo torsocks curl --output /usr/share/keyrings/derivative.asc --url http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/keys/derivative.asc
nothing@debian:~$ echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
nothing@debian:~$ sudo apt update -y
Hit:1 http://security.debian.org/debian-security bookworm-security InRelease
Hit:2 http://deb.debian.org/debian bookworm InRelease
Hit:3 http://deb.debian.org/debian bookworm-updates InRelease
Get:4 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm InRelease [39.6 kB]
Get:5 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm/main amd64 Packages [34.3 kB]
Get:6 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm/contrib amd64 Packages [506 B]
Get:7 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm/non-free amd64 Packages [896 B]
Fetched 75.3 kB in 31s (2,419 B/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
nothing@debian:~$ sudo apt full-upgrade -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
sudo apt install --no-install-recommends kicksecure-cli-host -y
#tor connection may crash sometimes, so just relaunch that command again if it fails
</code></pre>
<p>Then we do the Post-upgrade steps:</p>
<pre><code class="nim">
sudo mv /etc/apt/sources.list ~/
sudo touch /etc/apt/sources.list
sudo reboot now
</code></pre>
<p>Then as you reboot you'll see that grub shows that it's now kicksecure instead of debian:</p>
<img src="8.png" class="imgRz">
<p>Next, we make sure that unattended upgrades are activated so that minor package updates are automatically carried out by the system.</p>
<pre><code class="nim">
nothing@debian:~$ sudo apt install unattended-upgrades apt-listchanges -y
nothing@debian:~$ sudo dpkg-reconfigure -plow unattended-upgrades
</code></pre>
<img src="9.png" class="imgRz">
<p>Next we're going to make sure that the ram gets overwritten upon shutdowns to prevent cold boot attacks.</p>
<pre><code class="nim">
nothing@debian:~$ sudo apt install --no-install-recommends ram-wipe
</code></pre>
<p>If you are testing from a VM, you need to do the following:</p>
<pre><code class="nim">
nothing@debian:~$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT wiperam=force"' | sudo tee -a /etc/default/grub.d/50_user.cfg
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT wiperam=force"
nothing@debian:~$ sudo update-grub
Generating grub configuration file ...
Found background image: .background_cache.png
Found linux image: /boot/vmlinuz-6.1.0-17-amd64
Found initrd image: /boot/initrd.img-6.1.0-17-amd64
Found linux image: /boot/vmlinuz-6.1.0-15-amd64
Found initrd image: /boot/initrd.img-6.1.0-15-amd64
Warning: os-prober will not be executed to detect other bootable partitions.
Systems on them will not be added to the GRUB boot configuration.
Check GRUB_DISABLE_OS_PROBER documentation entry.
done
</code></pre>
<p>Then you can test if it's working by rebooting and checking the shutdown output logs.Next, we're going to trim out what we don't need from our Host OS. First and foremost, let's get rid of all the logs (both system and kernel logs) on the system. We first make sure that logs are cleared upon startup like so:</p>
<pre><code class="nim">
root@debian:~# cat startup.sh
#!/bin/bash
sudo rm -rf /var/log
sudo rm -rf /dev/shm/*
sudo ln -s /dev/shm /var/log
sudo dmesg -c
sudo dmesg -n 1
sudo dmesg -c
#also uncomment the kernel.printk line in /etc/sysctl.conf to avoid the kernel from printing out errors
root@debian:~# chmod +x startup.sh
root@debian:~# vim /etc/sysctl.conf
root@debian:~# cat /etc/sysctl.conf | grep printk
kernel.printk = 3 4 1 3
root@debian:~# vim /etc/systemd/system/startup.service
root@debian:~# cat /etc/systemd/system/startup.service
[Unit]
Description=Clearing logs at startup
Wants=network.target
After=network-online.target
[Service]
Type=oneshot
ExecStart=/root/startup.sh
TimeoutStartSec=0
[Install]
WantedBy=shutdown.target
root@debian:~# systemctl daemon-reload
root@debian:~# systemctl enable startup
Created symlink /etc/systemd/system/shutdown.target.wants/startup.service → /etc/systemd/system/startup.service.
</code></pre>
<p>Then we make sure that logs are being cleared out minutely:</p>
<pre><code class="nim">
root@debian:~# cat removelogs.sh
#!/bin/bash
rm -rf /dev/shm/*
rm -rf /var/log/*
dmesg -c
root@debian:~# chmod +x removelogs.sh
root@debian:~# crontab -e
</code></pre>
<p>Then we make sure that logs are cleared out upon shutdown, along with VMs shutdowns if there are any, veracrypt volumes closing, and log cleanups:</p>
<pre><code class="nim">
root@debian:~# vim shutdown.sh
root@debian:~# cat shutdown.sh
#!/bin/bash
#remove VMs
sudo virsh -c qemu:///system destroy Whonix-Gateway
sudo virsh -c qemu:///system destroy Whonix-Workstation
sudo virsh -c qemu:///system undefine Whonix-Gateway
sudo virsh -c qemu:///system undefine Whonix-Workstation
sudo virsh -c qemu:///system net-destroy Whonix-External
sudo virsh -c qemu:///system net-destroy Whonix-Internal
sudo virsh -c qemu:///system net-undefine Whonix-External
sudo virsh -c qemu:///system net-undefine Whonix-External
#then unmount veracrypt volumes
sudo veracrypt -d -f
# then cleanup logs
sudo rm -rf /dev/shm/*
sudo rm -rf /var/log/*
sudo dmesg -c
root@debian:~# chmod +x shutdown.sh
root@debian:~# vim /etc/systemd/system/shutdown.service
root@debian:~# cat /etc/systemd/system/shutdown.service
[Unit]
Description=Shutdown Anti forensics
DefaultDependencies=no
Before=shutdown.target reboot.target halt.target
[Service]
Type=oneshot
ExecStart=/root/shutdown.sh
TimeoutStartSec=0
[Install]
WantedBy=shutdown.target reboot.target halt.target
root@debian:~# systemctl daemon-reload
root@debian:~# systemctl enable shutdown
Created symlink /etc/systemd/system/shutdown.target.wants/shutdown.service → /etc/systemd/system/shutdown.service.
Created symlink /etc/systemd/system/reboot.target.wants/shutdown.service → /etc/systemd/system/shutdown.service.
Created symlink /etc/systemd/system/halt.target.wants/shutdown.service → /etc/systemd/system/shutdown.service.
</code></pre>
<p>Then you can reboot to see that all logs are removed as intended:</p>
<pre><code class="nim">
sudo reboot now
root@debian:~# ls -lash /var | grep log
0 lrwxrwxrwx 1 root root 8 Jan 30 14:13 log -> /dev/shm
root@debian:~# tail -f /var/log/*.log
tail: cannot open '/var/log/*.log' for reading: No such file or directory
tail: no files remaining
root@debian:~# tail -f /dev/shm/*.log
tail: cannot open '/dev/shm/*.log' for reading: No such file or directory
tail: no files remaining
root@debian:~# dmesg
root@debian:~#
</pre></code>
<p></p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Second Post +++++ -->
<div id="anon1">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Virtualisation setup</b></h2> </br> </br>
<p>Next step, we do not virtualize anything using closed-source software like vmware or else. We use QEMU/KVM with virt-manager:</p>
<pre><code class="nim">
nothing@debian:~# sudo apt install libvirt0 virt-manager dnsmasq bridge-utils
sudo systemctl enable --now libvirtd
nothing@debian:~# sudo usermod -a -G libvirt nothing
nothing@debian:~# sudo usermod -a -G kvm nothing
nothing@debian:~# sudo vim /etc/libvirt/libvirtd.conf
nothing@debian:~# cat /etc/libvirt/libvirtd.conf | grep sock_group
unix_sock_group = "libvirt"
unix_sock_rw_perms = "0770"
nothing@debian:~# sudo chmod 770 -R VMs
nothing@debian:~# sudo chown nothing:libvirt -R VMs
nothing@debian:~# cat /etc/libvirt/qemu.conf
group = "libvirt"
user = "nothing"
nothing@debian:~# systemctl restart libvirtd.service
virt-manager
</code></pre>
<p>Next just make sure that the NAT network is created, and that the ISOs and VMs folders are with the correct permissions:</p>
<img src="11.png" class="imgRz">
<pre><code class="nim">
nothing@debian:~$ mkdir ISOs
nothing@debian:~$ mkdir VMs
nothing@debian:~$ sudo chmod 770 -R VMs
nothing@debian:~$ sudo chmod 770 -R ISOs
nothing@debian:~$ sudo chown nothing:libvirt -R VMs
nothing@debian:~$ sudo chown nothing:libvirt -R ISOs
</code></pre>
<p>Then you can add the file directories in virt-manager like so:</p>
<img src="13.png" class="imgRz">
<img src="12.png" class="imgRz">
<p>And now you're all set to start making VMs while maintaining the open-source requirement.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Footer Section +++++ -->
<div id="anonb">
<div class="container">
<div class="row">
<div class="col-lg-4">
<h4>Nihilism</h4>
<p>
Until there is Nothing left.
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>My Links</h4>
<p>
<a target="_blank" rel="noopener noreferrer" href="http://blog.nowhere.moe/rss/feed.xml">RSS Feed</a><br/><a target="_blank" rel="noopener noreferrer" href="https://matrix.to/#/#nowheremoe:nowhere.moe">Matrix Chat</a><br/>
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>About nihilist</h4>
<p style="word-wrap: break-word;"><u>Donate XMR:</u> 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8</p></br><p><u>Contact:</u> nihilist@nowhere.moe (<a href="https://nowhere.moe/nihilist.pubkey">PGP</a>)</p>
</div><!-- /col-lg-4 -->
</div>
</div>
</div>
<!-- Bootstrap core JavaScript
================================================== -->
<!-- Placed at the end of the document so the pages load faster -->
</body>
</html>