
Difference between revisions of "Gentoo Installation"

From NetSec
(Kernel)
(Kernel)
Line 347: Line 347:
 
* Enable active kernel exploit response
 
* Enable active kernel exploit response
 
* Under RBAC,enable 'Hide Kernel Processes'
 
* Under RBAC,enable 'Hide Kernel Processes'
  * Under filesystem protections, restrict /proc to user only
+
* Under filesystem protections, restrict /proc to user only
  * Under kernel auditing, enable every option except 'ELF TEXT Relocation
+
* Under kernel auditing, enable every option except 'ELF TEXT Relocation
  * Put the gid to 'audit'
+
* Put the gid to 'audit'
  * Enable everything under network protections
+
* Enable everything under network protections
  * Put the gid to 'services' in 'deny client sockets for group' gid
+
* Put the gid to 'services' in 'deny client sockets for group' gid
  * Put the gid to 'clients' in 'deny server sockets for group' gid
+
* Put the gid to 'clients' in 'deny server sockets for group' gid
  * Put the gid to blackhole in the 'deny all sockets to any group' gid
+
* Put the gid to blackhole in the 'deny all sockets to any group' gid
  * Under logging options, "Add source ip addresses to AVC SeLinux messages"
+
* Under logging options, "Add source ip addresses to AVC SeLinux messages"
  * Under pax control, change 'MAC system integration' to hook
+
* Under pax control, change 'MAC system integration' to hook
  * Under misc. hardening features, You'll want to enable everything
+
* Under misc. hardening features, You'll want to enable everything
  * Under non-executable pages,Enforce non-executable pages' is enabled
+
* Under non-executable pages,Enforce non-executable pages' is enabled
  * Back in the main security options window, enable 'Restrict unpriviledged access to the kernel syslog'
+
* Back in the main security options window, enable 'Restrict unpriviledged access to the kernel syslog'
  * Enable Integrity Measurement Architecture
+
* Enable Integrity Measurement Architecture
  * Under cryptographic api, we want aes of all flavors, whirlpool, and blowfish
+
* Under cryptographic api, we want aes of all flavors, whirlpool, and blowfish
  * Uncheck the Hardware Crypto Devices support
+
* Uncheck the Hardware Crypto Devices support
  * Under device drivers -> multi device support, enable dm_crypt
+
* Under device drivers -> multi device support, enable dm_crypt
  * Block devices ->loopback device support, enable cryptoloop support
+
* Block devices ->loopback device support, enable cryptoloop support
  * Under kernel hacking enable strict copy size checks and disable kernel debugging
+
* Under kernel hacking enable strict copy size checks and disable kernel debugging
  * Under kernel hacking disable kernel debugging
+
* Under kernel hacking disable kernel debugging
  * Put the gid to 'audit' in the proc gid as well as the kernel auditing pid
+
* Put the gid to 'audit' in the proc gid as well as the kernel auditing pid
  
 
exit, saving the config
 
exit, saving the config
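Review bot: the checklist text this hunk carries through unchanged still needs fixes that could go into the same revision: 'Under RBAC,enable' and 'Under non-executable pages,Enforce' are missing the space after the comma, the opening quote in 'ELF TEXT Relocation is never closed, 'unpriviledged' should be 'unprivileged', 'Under kernel hacking disable kernel debugging' repeats the item just before it, and 'kernel auditing pid' should read 'gid' since that option takes a group id like the ones around it. Every '+' line here is an inserted blank line, so none of these are touched.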

Revision as of 20:33, 25 November 2011

You are viewing an article in progress. This entry is unfinished.
This article contains too little information; it should be expanded or updated.



Gentoo is a source-based Linux distribution; source-based means every application is compiled locally.

You can download a copy of Gentoo here.

To install Gentoo you will need to create a bootable LiveCD or LiveUSB.

There are many ways to create a LiveCD or LiveUSB, but that is outside the scope of this article.


Virtual Machine Setup

If you want to set up Gentoo within a virtual machine you will need at least:

  • Around 512MB to 1GB of RAM
  • At least 10GB HDD
  • Networking features enabled

And preferably multiple cores on an x86_64 processor



Hard Drive Setup

  ls /dev | grep sd
  cfdisk /dev/sda


cfdisk will then bring you into an ncurses GUI.

Use cfdisk to:

  1. Create a 100MB bootable partition at the beginning
  2. Create a 2048MB partition at the beginning
  3. Create a partition from the remaining free space at the beginning


Choose to Write tables to disk, and then exit.



mkfs.ext2 /dev/sda1
mkswap /dev/sda2
mkfs.reiserfs /dev/sda3
mount -t reiserfs /dev/sda3 /mnt/gentoo ; cd /mnt/gentoo
wget http://gentoo.arcticnetwork.ca/releases/x86/current-stage3/stage3-i686-20110614.tar.bz2

For the line below you can simply press TAB after typing stage3 and the shell will complete the file name; press Enter to run it.

tar xvpjf stage3*
swapon /dev/sda2
cp /etc/resolv.conf /mnt/gentoo/etc/resolv.conf

Okay, now you've set up your hard drives, downloaded a copy of Gentoo into your live environment, and copied resolv.conf over. Before continuing, make sure you can access the internet.

You can test this by pinging Google:

ping -c 2 google.com

If it isn't working, try the following:

Note: you might need to do this each time you reboot

    ifconfig eth0 down && ifconfig eth0 up
    dhcpcd eth0



Base installation and Configuration

Note: Remember the number in the output of this command, you will need it later.
grep -ci "processor" /proc/cpuinfo

Download & Extract portage to /mnt/gentoo/usr/

   cd /mnt/gentoo/usr/
   wget http://gentoo.arcticnetwork.ca/releases/snapshots/current/portage-latest.tar.bz2
   tar xvjf portage-latest.tar.bz2

Open make.conf in nano.

   cd /mnt/gentoo/etc/
   nano make.conf


Modify make.conf as follows:

Note: Do not modify the CHOST, this will cause problems!

    CFLAGS="-fstack-protector-all -fforce-addr -Os -pipe -march=native"
    CXXFLAGS="${CFLAGS}"

    FEATURES="metadata-transfer sandbox candy parallel-fetch"

    USE="gtk truetype postgres freetype jpg jpeg png gif imap ttf winscp passwd scp X gnutls mysql v4l2 extras lisp threads ithreads acpi bash-completion bzip2 crypt cracklib css ctype apache2 curl curlwrappers dbus encode ftp gcj gd geoip udev ipv6 lua ncurses nsplugin python readline sockets socks5 sqlite sse sse2 ssl suid unicode vim-syntax xml php perlsuid"

    # Replace Y with the number returned by the grep command above and X with that number +1.
    # For one core you'd have "--jobs=1" and "-j2".
    MAKEOPTS="-jX -s"
    # Only use the line below if you have a multicore CPU or multiple processors
    #EMERGE_DEFAULT_OPTS="--jobs=Y --load-average=1.5"
    PORTAGE_NICENESS="12"

    





CHROOT

Note: You will have to return to this part each time you reboot until the installation is finished.


   mount /dev/sda3 /mnt/gentoo
   swapon /dev/sda2
   mount /dev/sda1 /mnt/gentoo/boot
   mount -o bind /dev /mnt/gentoo/dev
   mount -t proc none /mnt/gentoo/proc
   chroot /mnt/gentoo /bin/bash --login

You only need to run gcc-config the first time around.

   gcc-config 1 
   env-update

The following line helps remember where you are.

   export PS1="chroot) $PS1"

Installing Software

This requires a working internet connection, test your connection with ping:

 ping -c 2 google.com

If you cannot ping, try issuing the following:

echo nameserver 4.2.2.1 > /etc/resolv.conf
echo nameserver 4.2.2.2 >> /etc/resolv.conf

Sync your repos:

 emerge -q --sync

If it tells you that an update to portage is available, then do the following:

 emerge -q portage

Otherwise, continue from here:

   emerge -q axel

Let's edit make.conf again:


   nano -w /etc/make.conf
   # put this at the bottom of make.conf (the backslashes keep portage from expanding the variables while reading the file)
   FETCHCOMMAND="/usr/bin/axel -n 8 -o \${DISTDIR}/\${FILE} -a \${URI}"
   RESUMECOMMAND="/usr/bin/axel -n 8 -o \${DISTDIR}/\${FILE} -a \${URI}"
   # ^X, Y, Enter to save and quit


Now that your package manager is set up, execute the following command:

   emerge -qN pciutils coreutils baselayout hardened-sources world

Encrypted Home Dir

Create the /crypt/ directory to store home.dm:

   mkdir /crypt
   touch /crypt/home.dm

Install cryptsetup

   echo "sys-fs/cryptsetup static-libs" >> /etc/portage/package.use
   emerge -q cryptsetup


Replace XXX in the command below with the size in GB (gigabytes) you want your home to be. If you are not sure, run 'df -h' and use perhaps a quarter of the size of sda3.

   # writes XXX GiB of zeros: XXX * 1024 blocks of 1 MiB each
   dd if=/dev/zero of=/crypt/home.dm bs=1M count=$((XXX * 1024))


   losetup /dev/loop1 /crypt/home.dm
   cryptsetup luksFormat -h whirlpool -c blowfish /dev/loop1
   cryptsetup luksOpen /dev/loop1 home
   emerge -q reiserfsprogs
   mkfs.reiserfs /dev/mapper/home
   # /dev/mapper/home is already a block device, so no -o loop is needed here
   mount /dev/mapper/home /home
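The dd step above will just as happily zero a container that already exists, which destroys the LUKS header and everything behind it. As an added example (not part of the original page), here is a small POSIX shell guard that checks for the LUKS magic before allowing dd to run; the function names and the sample files are my own, and the magic is the standard six bytes "LUKS" 0xba 0xbe that both LUKS1 and LUKS2 headers start with.

```shell
#!/bin/sh
# Added example, not from the page: refuse to re-zero a container file
# that already holds a LUKS header. Function names are my own.

# Return 0 when FILE begins with the LUKS magic: the ASCII bytes "LUKS"
# followed by 0xba 0xbe. Anything else (including a missing file) is 1.
is_luks_container() {
    [ -r "$1" ] || return 1
    magic=$(dd if="$1" bs=6 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# Size in bytes of a GB-sized container, using the page's 1024-based
# units (XXX GB == XXX * 1024^3 bytes, as the dd command above computes).
container_bytes() {
    echo $(( $1 * 1024 * 1024 * 1024 ))
}

# Create a zero-filled container of GB gigabytes at FILE, unless FILE
# already holds a LUKS header; in that case return 2 and leave it alone.
create_container() {
    file=$1
    gb=$2
    if is_luks_container "$file"; then
        echo "refusing to overwrite existing LUKS container: $file" >&2
        return 2
    fi
    dd if=/dev/zero of="$file" bs=1048576 count=$(( gb * 1024 ))
}

# Stand-alone demonstration on a constructed 6-byte stand-in for a
# formatted container (not a real LUKS volume).
DEMO=${TMPDIR:-/tmp}/luks-guard.$$
mkdir -p "$DEMO"
printf 'LUKS\272\276' > "$DEMO/formatted.dm"
: > "$DEMO/empty.dm"
create_container "$DEMO/formatted.dm" 1 || echo "guard tripped (exit $?)"
is_luks_container "$DEMO/empty.dm" || echo "empty.dm has no LUKS header, safe to format"
rm -rf "$DEMO"
```

The same check is a sensible first line for the start() function of the init script below: if /crypt/home.dm no longer carries the magic, luksOpen will fail anyway, and failing early with a clear message beats a half-run start that leaves a loop device attached.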

Open /etc/init.d/home in nano:

   nano /etc/init.d/home

Make the file look like this:

   #!/sbin/runscript
   # Copyright 1999-2011 Gentoo Foundation
   # Distributed under the terms of the GNU General Public License v2
   # $Header: $

   depend() {
       true
   }

   start() {
       # attach the container, unlock it, then mount the mapped device
       losetup /dev/loop1 /crypt/home.dm
       cryptsetup luksOpen /dev/loop1 home
       # /dev/mapper/home is already a block device, so no -o loop here
       mount /dev/mapper/home /home
   }

   stop() {
       # tear down in reverse order
       umount /home
       cryptsetup luksClose home
       losetup -d /dev/loop1
   }

   restart() {
       stop
       start
   }


Once you're done with that:

   chmod +x /etc/init.d/home
   rc-update add home default

Kernel

Note: DOUBLE CHECK THAT YOU ARE IN A CHROOT BEFORE DOING THIS! ls /mnt/gentoo should return FILE NOT FOUND.
Note: If ls /mnt/gentoo returns something other than file not found, do the following:
   mount /dev/sda3 /mnt/gentoo
   mount /dev/sda1 /mnt/gentoo/boot
   swapon /dev/sda2
   mount -t proc none /mnt/gentoo/proc
   mount -o bind /dev /mnt/gentoo/dev
   chroot /mnt/gentoo /bin/bash --login

Otherwise continue on here:


   cd /usr/src/linux
   groupadd audit

   grep audit /etc/group

   groupadd blackhole

   grep blackhole /etc/group


Note: confirm you get something returned after each grep. The numbers you're seeing are the GIDs for RBAC.
   groupadd clients

   grep clients /etc/group

   groupadd services

   grep services /etc/group


Note: again, confirm you are getting information when you grep. You probably want to write those IDs down.
   wget http://paste.pocoo.org/raw/430946
   mv 430946 .config

Now you can

   emerge -q wgetpaste
   lspci -n | wgetpaste

Open the URL wgetpaste prints in a browser on your host machine and paste its contents into the website below. Alternatively, set a root password and SSH in from your host to copy the output directly:

   passwd

Type in a password twice.

   /etc/init.d/sshd start

Download PuTTY on your main/host PC and use it to connect to the IP address of the VM/box; you can find the IP with

   ifconfig

Connect on port 22 (SSH), then run

   lspci -n

Copy and paste the output into the following website: http://kmuto.jp/debian/hcl/

If you need to, take a note of each entry under 'drivers'.



   make menuconfig

Search for 'dm_crypt' with the / key from the main menu; this opens a search box. You will see the location of dm_crypt in the menu and whether it is [=y] (enabled) or [=n] (disabled). Find it and enable it. Do not set it to 'M': that would make it a module, and for security reasons you are not using loadable modules.

Do this for each driver from the website above, and make sure they are all enabled. Some, such as graphics, can be safely left out (use vesa instead); if you have any worries, ask in #questions on IRC. Replace every - in a driver name with a _.

Also, verify that all the following settings are correct:
  • Disable loadable module support
  • Disable virtualization in the kernel
  • Under general options, change the kernel compression mode to LZMA
  • Under processor type and features, either A. select your processor type if it is in the list, or B. select generic if unsure
  • In filesystems, you only want reiserfs (depending on how you set it up). You do not want ext2: if it is enabled (Second Extended FS support), DISABLE IT.
  • Under security options, enable grsecurity
  • Under address space protection
  • Enable active kernel exploit response
  • Under RBAC, enable 'Hide Kernel Processes'
  • Under filesystem protections, restrict /proc to user only
  • Under kernel auditing, enable every option except 'ELF TEXT Relocation'
  • Set the gid to 'audit'
  • Enable everything under network protections
  • Set the gid to 'services' in the 'deny client sockets for group' gid
  • Set the gid to 'clients' in the 'deny server sockets for group' gid
  • Set the gid to 'blackhole' in the 'deny all sockets to any group' gid
  • Under logging options, enable "Add source ip addresses to AVC SELinux messages"
  • Under PaX control, change 'MAC system integration' to hook
  • Under misc. hardening features, you'll want to enable everything
  • Under non-executable pages, make sure 'Enforce non-executable pages' is enabled
  • Back in the main security options window, enable 'Restrict unprivileged access to the kernel syslog'
  • Enable Integrity Measurement Architecture
  • Under cryptographic API, we want AES of all flavors, whirlpool, and blowfish
  • Uncheck Hardware Crypto Devices support
  • Under device drivers -> multi device support, enable dm_crypt
  • Under block devices -> loopback device support, enable cryptoloop support
  • Under kernel hacking, enable strict copy size checks and disable kernel debugging
  • Set the gid to 'audit' in the proc gid as well as the kernel auditing gid

exit, saving the config
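Before spending the time on make, it is worth auditing the saved .config mechanically against the checklist above and against the group IDs you wrote down after the groupadd commands. The POSIX shell script below is an added example, not the page's own code: the CONFIG_ symbol names are the grsecurity/PaX and mainline Kconfig symbols as I recall them for hardened-sources of that era (an assumption; confirm each with the / search in menuconfig), the function names are mine, and the sample .config and group file are constructed inputs that deliberately contain three checklist violations and swapped clients/services GIDs.

```shell
#!/bin/sh
# Added example, not from the page: audit a kernel .config against the
# checklist above before running make. Symbol names are the grsecurity/PaX
# and mainline Kconfig symbols as I recall them (assumption: confirm each
# one with the '/' search in menuconfig).

# Print the value of symbol $2 in .config $1: "y", "m", a number, or "n"
# when the symbol is absent or listed as "# CONFIG_X is not set".
kconfig_value() {
    v=$(sed -n "s/^$2=//p" "$1" | head -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'n\n'; fi
}

# Symbol and expected value per checklist item. "y" means built in, "n"
# means off. The checklist forbids modules, so "=m" never satisfies "y".
CHECKLIST='CONFIG_MODULES n
CONFIG_KERNEL_LZMA y
CONFIG_GRKERNSEC y
CONFIG_GRKERNSEC_KERN_LOCKOUT y
CONFIG_GRKERNSEC_AUDIT_TEXTREL n
CONFIG_PAX_HOOK_ACL_FLAGS y
CONFIG_PAX_NOEXEC y
CONFIG_SECURITY_DMESG_RESTRICT y
CONFIG_IMA y
CONFIG_DM_CRYPT y
CONFIG_DEBUG_KERNEL n'

# Print each symbol in .config $1 that differs from the checklist; the
# return value is the number of mismatches (0 means the config passes).
kconfig_audit() {
    bad=0
    while read -r sym want; do
        [ -n "$sym" ] || continue
        got=$(kconfig_value "$1" "$sym")
        if [ "$got" != "$want" ]; then
            printf '%s: expected %s, found %s\n' "$sym" "$want" "$got"
            bad=$((bad + 1))
        fi
    done <<EOF
$CHECKLIST
EOF
    return "$bad"
}

# Print the gid of group $2 from a file in /etc/group format ($1).
group_gid() {
    awk -F: -v g="$2" '$1 == g { print $3; exit }' "$1"
}

# Check that the gid-valued grsecurity options in .config $1 match the
# groups created with groupadd (group file $2). Returns mismatch count.
gid_audit() {
    bad=0
    while read -r sym grp; do
        want=$(group_gid "$2" "$grp")
        got=$(kconfig_value "$1" "$sym")
        if [ -z "$want" ] || [ "$got" != "$want" ]; then
            printf '%s: expected gid of %s (%s), found %s\n' \
                "$sym" "$grp" "${want:-no such group}" "$got"
            bad=$((bad + 1))
        fi
    done <<EOF
CONFIG_GRKERNSEC_AUDIT_GID audit
CONFIG_GRKERNSEC_SOCKET_ALL_GID blackhole
CONFIG_GRKERNSEC_SOCKET_CLIENT_GID services
CONFIG_GRKERNSEC_SOCKET_SERVER_GID clients
EOF
    return "$bad"
}

# Write constructed sample inputs into directory $1: a .config with IMA
# missing, dm_crypt built as a module, kernel debugging on, and the
# clients/services gids swapped, plus the matching group file.
write_samples() {
    cat > "$1/config" <<'EOF'
# CONFIG_MODULES is not set
CONFIG_KERNEL_LZMA=y
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_KERN_LOCKOUT=y
CONFIG_GRKERNSEC_AUDIT_GID=1000
CONFIG_GRKERNSEC_SOCKET_ALL_GID=1001
CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=1002
CONFIG_GRKERNSEC_SOCKET_SERVER_GID=1003
CONFIG_PAX_HOOK_ACL_FLAGS=y
CONFIG_PAX_NOEXEC=y
CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_DM_CRYPT=m
CONFIG_DEBUG_KERNEL=y
EOF
    cat > "$1/group" <<'EOF'
audit:x:1000:
blackhole:x:1001:
clients:x:1002:
services:x:1003:
EOF
}

# Stand-alone run on the constructed sample. Real use after menuconfig:
# kconfig_audit /usr/src/linux/.config; gid_audit /usr/src/linux/.config /etc/group
DEMO=${TMPDIR:-/tmp}/kconfig-audit.$$
mkdir -p "$DEMO"
write_samples "$DEMO"
kconfig_audit "$DEMO/config" || echo "$? checklist item(s) wrong"
gid_audit "$DEMO/config" "$DEMO/group" || echo "$? gid option(s) wrong"
rm -rf "$DEMO"
```

The gid check is the one most worth keeping: the page's wording ("put the gid to 'services' in 'deny client sockets'") makes it easy to swap the two socket groups, and a swapped value silently puts the wrong group on the wrong side of the restriction rather than producing any build error.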

   # put the number of processors you have +1 instead of ?, for example -j5 if you have 4 cores
   make -j?
   # make sure boot is mounted, this should NOT say file not found, exit from chroot and remount /mnt/gentoo/boot, then chroot in again if you get an error
   ls /boot
   # replace XXX below with your architecture (x86 for 32bit, x86_64 for 64bit)
   cp /usr/src/linux/arch/XXX/boot/bzImage /boot/bzImage
   # if you ever need to repeat this, make clean before reconfiguring your kernel and adding/removing stuff
   # you can read much more about kernel configuration at kernel-seeds.org, this website contains premade, stripped
   # kernels and step-by-step guides on configuring your own kernel from scratch, with detailed notes on every option
   # it's great to check out if you are unsure about anything, and will really help the learning process :)

Final Configurations

Bootloader

xserver

BASH

Screen

Services

Network Services

Debugging Services

Permissions and Security Basics

Getting Help

Troubleshooting