Gentoo Installation
Revision as of 20:33, 25 November 2011
You are viewing an article in progress. This entry is unfinished. |
Gentoo is a source-based Linux distribution: source-based means every application is compiled locally, on the machine it will run on.
You can download a copy of Gentoo from any Gentoo mirror (the stage3 and portage snapshot URLs below point at one).
To install Gentoo you will need to create a bootable LiveCD or LiveUSB.
There are many ways to create a LiveCD or LiveUSB, but that is outside the scope of this article.
Contents
- 1 Virtual Machine Setup
- 2 Hard Drive Setup
- 3 Base installation and Configuration
- 4 CHROOT
- 5 Installing Software
- 6 Encrypted Home Dir
- 7 Kernel
- 8 Final Configurations
- 9 Bootloader
- 10 xserver
- 11 BASH
- 12 Screen
- 13 Services
- 14 Network Services
- 15 Debugging Services
- 16 Permissions and Security Basics
- 17 Getting Help
- 18 Troubleshooting
Virtual Machine Setup
If you want to set up Gentoo within a virtual machine you will need at least:
- Around 512MB to 1GB of RAM
- At least 10GB HDD
- Networking features enabled
And preferably multiple cores on an x86_64 processor
Hard Drive Setup
ls /dev | grep sd
cfdisk /dev/sda
cfdisk will then bring you into an ncurses gui.
Use cfdisk to:
- Create a 100MB partition at the beginning of the disk and mark it Bootable (this becomes /dev/sda1, the /boot partition)
- Create a 2048MB partition after it (/dev/sda2, swap)
- Create one partition from the remaining free space (/dev/sda3, the root filesystem)
Choose to Write tables to disk, and then exit.
mkfs.ext2 /dev/sda1
mkswap /dev/sda2
mkfs.reiserfs /dev/sda3
mount -t reiserfs /dev/sda3 /mnt/gentoo
cd /mnt/gentoo
wget http://gentoo.arcticnetwork.ca/releases/x86/current-stage3/stage3-i686-20110614.tar.bz2
Check the tarball against the .DIGESTS file published next to it on the mirror before unpacking it. For the tar line below you can type stage3 and press TAB to complete the filename, then press Enter.
tar xvpjf stage3*
swapon /dev/sda2
cp /etc/resolv.conf /mnt/gentoo/etc/resolv.conf
Okay, now you have set up your hard drives, downloaded a copy of Gentoo into your live environment, and copied resolv.conf over. Before continuing, make sure you can reach the internet.
You can test this by pinging Google:
ping -c 2 google.com
If it isn't working, try the following:
you might need to do this each time you reboot |
ifconfig eth0 down && ifconfig eth0 up
dhcpcd eth0
Base installation and Configuration
Remember the number in the output of this command, you will need it later. |
grep -ci "processor" /proc/cpuinfo
Download and extract the portage snapshot into /mnt/gentoo/usr/ (the mirror also publishes a .gpgsig and .md5sum next to it, which you can check before unpacking)
cd /mnt/gentoo/usr/
wget http://gentoo.arcticnetwork.ca/releases/snapshots/current/portage-latest.tar.bz2
tar xvjf portage-latest.tar.bz2
Open make.conf in nano.
cd /mnt/gentoo/etc/ nano make.conf
Modify make.conf as follows:
Do not modify the CHOST, this will cause problems! |
CFLAGS="-fstack-protector-all -fforce-addr -Os -pipe -march=native"
CXXFLAGS="${CFLAGS}"
FEATURES="metadata-transfer sandbox candy parallel-fetch"
USE="gtk truetype postgres freetype jpg jpeg png gif imap ttf winscp passwd scp X gnutls mysql v4l2 extras lisp threads ithreads acpi bash-completion bzip2 crypt cracklib css ctype apache2 curl curlwrappers dbus encode ftp gcj gd geoip udev ipv6 lua ncurses nsplugin python readline sockets socks5 sqlite sse sse2 ssl suid unicode vim-syntax xml php perlsuid"
# Replace X with the number returned by the grep command plus one, and Y with
# the grep number itself. For one core you'd have "-j2" and "--jobs=1".
MAKEOPTS="-jX -s"
# Only uncomment the line below if you have a multicore CPU or multiple processors
# EMERGE_DEFAULT_OPTS="--jobs=Y --load-average=1.5"
PORTAGE_NICENESS="12"
CHROOT
You will have to return to this part each time you reboot until the installation is finished. |
mount /dev/sda3 /mnt/gentoo
swapon /dev/sda2
mount /dev/sda1 /mnt/gentoo/boot
mount -o bind /dev /mnt/gentoo/dev
mount -t proc none /mnt/gentoo/proc
chroot /mnt/gentoo /bin/bash --login
You only need to run gcc-config the first time around.
gcc-config 1
env-update
The following line helps remember where you are.
export PS1="chroot) $PS1"
Installing Software
This requires a working internet connection, test your connection with ping:
ping -c 2 google.com
If you cannot ping, try issuing the following:
echo nameserver 4.2.2.1 > /etc/resolv.conf
echo nameserver 4.2.2.2 >> /etc/resolv.conf
Sync your repos:
emerge -q --sync
If it tells you that an update to portage is available, do the following:
emerge -q portage
otherwise, continue from here:
emerge -q axel
Let's edit make.conf again:
nano -w /etc/make.conf
# put this at the bottom of make.conf
FETCHCOMMAND="/usr/bin/axel -n 8 -o \${DISTDIR}/\${FILE} -a \${URI}"
RESUMECOMMAND="/usr/bin/axel -n 8 -o \${DISTDIR}/\${FILE} -a \${URI}"
# ^X, then Y, then Enter to save and quit
Portage still checks every downloaded distfile against the digests in the ebuild's Manifest, so swapping the fetcher does not weaken that check. Now that your package manager is set up, execute the following command:
emerge -qN pciutils coreutils baselayout hardened-sources world
Encrypted Home Dir
Create the /crypt/ directory to hold the container file home.dm
mkdir /crypt
touch /crypt/home.dm
Install cryptsetup
echo "sys-fs/cryptsetup static-libs" >> /etc/portage/package.use
emerge -q cryptsetup
Replace XXX in the command below with the size in GB (gigabytes) you want your home to be. If you are not sure, run 'df -h' and use perhaps a quarter of the size of sda3. The container is filled with zeros here; filling it from /dev/urandom instead is slower but hides how much of the container is actually in use.
dd if=/dev/zero of=/crypt/home.dm bs=1M count=$((XXX * 1024))
losetup /dev/loop1 /crypt/home.dm
cryptsetup luksFormat -h whirlpool -c blowfish /dev/loop1
Note that Blowfish is a 64-bit-block cipher, a poor fit for a multi-gigabyte volume; aes-xts-plain64 is the standard dm-crypt choice. If you do keep it, the kernel needs Whirlpool and Blowfish built in (see the cryptographic API step in the kernel section).
cryptsetup luksOpen /dev/loop1 home
emerge -q reiserfsprogs
mkfs.reiserfs /dev/mapper/home
mount /dev/mapper/home /home
Open /etc/init.d/home in nano:
nano /etc/init.d/home
Make the file look like this (/dev/mapper/home is already a block device, so no -o loop on the mount; restart() is not needed because runscript runs stop then start by default):
#!/sbin/runscript
# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $

depend() {
    need localmount
}

start() {
    ebegin "Opening encrypted /home"
    losetup /dev/loop1 /crypt/home.dm && \
    cryptsetup luksOpen /dev/loop1 home && \
    mount /dev/mapper/home /home
    eend $?
}

stop() {
    ebegin "Closing encrypted /home"
    umount /home && \
    cryptsetup luksClose home && \
    losetup -d /dev/loop1
    eend $?
}
Once you're done with that:
chmod +x /etc/init.d/home
rc-update add home default
Kernel
DOUBLE CHECK THAT YOU ARE IN A CHROOT BEFORE DOING THIS! Inside the chroot, ls /mnt/gentoo should fail with "No such file or directory". |
If ls /mnt/gentoo lists anything instead, you are still in the live environment; do the following |
mount /dev/sda3 /mnt/gentoo
mount /dev/sda1 /mnt/gentoo/boot
swapon /dev/sda2
mount -t proc none /mnt/gentoo/proc
mount -o bind /dev /mnt/gentoo/dev
chroot /mnt/gentoo /bin/bash --login
Otherwise continue on here:
cd /usr/src/linux
groupadd audit
grep audit /etc/group
groupadd blackhole
grep blackhole /etc/group
Confirm each grep returns a line. The third colon-separated field is the group's GID; these are the GIDs the grsecurity RBAC and socket options below ask for. |
groupadd clients
grep clients /etc/group
groupadd services
grep services /etc/group
Again, confirm each grep returns a line, and write the four GIDs down. |
wget http://paste.pocoo.org/raw/430946
mv 430946 .config
This .config comes from a paste site: read through it against the checklist below before you build from it, and keep your own copy once you have adjusted it.
Next you need the output of lspci -n where you can read it alongside a browser, so you can look up which drivers the machine needs. Either paste it to the web from inside the box:
emerge -q wgetpaste
lspci -n | wgetpaste
and open the URL it prints in a browser on your host, or set a root password, start sshd and copy the output over an SSH session:
passwd
Type the password twice when asked, then:
/etc/init.d/sshd start
ifconfig
Download PuTTY on your main/host PC and connect on port 22 (ssh) to the IP address shown by ifconfig. Note that this exposes a root password login on the VM's network until you stop sshd again. In the session, run:
lspci -n
Copy and paste the output into http://kmuto.jp/debian/hcl/ and, if you need to, note each entry under 'drivers'.
make menuconfig
Search for 'dm_crypt' with the / key from the main menu; this opens a search box showing where dm_crypt lives in the menu and whether it is [=y] (enabled) or [=n] (disabled). Find it and enable it. Do not set it to 'M': that would build it as a module, and for security reasons this kernel has no loadable module support. Do the same for each driver the website above listed, replacing every - in a driver name with a _, and make sure they are all built in. Some, such as graphics drivers, can safely be left out (use vesa instead). If you have any worries, ask in #questions on IRC.
Also verify that all the following settings are correct:
- Disable loadable module support
- Disable virtualization in the kernel
- Under general setup, change the kernel compression mode to lzma
- Under processor type and features, either A. pick your processor type if it is in the list, or B. select generic if unsure
- In filesystems, enable reiserfs (the root filesystem). Keep ext2 (Second Extended FS Support) enabled as well: /dev/sda1 (/boot) was formatted ext2 above, and without it the installed system cannot mount /boot to update the kernel later. Everything else can go.
- Under security options, enable grsecurity
- Under address space protection, enable active kernel exploit response
- Under RBAC, enable 'Hide kernel processes'
- Under filesystem protections, restrict /proc to user only
- Under kernel auditing, enable every option except 'ELF text relocation', and set the auditing GID to the 'audit' group's GID
- Enable everything under network protections, then fill in the GIDs you wrote down: 'services' in 'deny client sockets for group', 'clients' in 'deny server sockets for group', and 'blackhole' in 'deny all sockets to any group'
- Under logging options, enable "Add source ip addresses to SELinux AVC messages"
- Under PaX control, change 'MAC system integration' to hook
- Under misc. hardening features, enable everything
- Under non-executable pages, make sure 'Enforce non-executable pages' is enabled
- Back in the main security options window, enable 'Restrict unprivileged access to the kernel syslog'
- Enable Integrity Measurement Architecture
- Under cryptographic API, enable AES in all its flavours, Whirlpool, and Blowfish (the LUKS container above uses the last two)
- Uncheck hardware crypto devices support
- Under device drivers -> multiple devices driver support, enable dm_crypt (built in, not as a module)
- Under block devices -> loopback device support, enable cryptoloop support
- Under kernel hacking, enable strict copy size checks and disable kernel debugging
- If you chose the user-and-group /proc restriction instead of user-only, set its /proc GID to 'audit' as well
Exit, saving the config.
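Before running make, it is worth checking the saved .config mechanically against the list above rather than by eye, and confirming that the GID fields actually match the audit, blackhole, clients and services groups created earlier. The script below is an added example, not part of the original article or of Gentoo's tooling: it maps each checklist item to the CONFIG_* symbol this editor assumes menuconfig writes for that label (verify any you are unsure of with the / search), runs the comparison on a constructed sample .config and /etc/group fragment embedded in the script, and returns non-zero on any mismatch so it can gate the build.

```shell
#!/bin/sh
# Added example (not from the original article): compare a saved kernel
# .config with the checklist above and with the RBAC groups created earlier.
# The CONFIG_* symbols are the grsecurity/PaX and mainline names this editor
# assumes menuconfig writes for each label; verify any doubtful one with '/'.

# Constructed sample standing in for /usr/src/linux/.config. Kernel debugging
# is deliberately left on so the failure path is exercised.
SAMPLE_CONFIG='# CONFIG_MODULES is not set
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_KERN_LOCKOUT=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_AUDIT_GID=1001
CONFIG_GRKERNSEC_SOCKET_ALL_GID=1002
CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=1004
CONFIG_GRKERNSEC_SOCKET_SERVER_GID=1003
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_HOOK_ACL_FLAGS=y
CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_IMA=y
CONFIG_CRYPTO_WP512=y
CONFIG_CRYPTO_BLOWFISH=y
CONFIG_DM_CRYPT=y
CONFIG_DEBUG_STRICT_USER_COPY_CHECKS=y
CONFIG_DEBUG_KERNEL=y'

# Constructed /etc/group fragment as left by the groupadd commands above.
SAMPLE_GROUP='root:x:0:
audit:x:1001:
blackhole:x:1002:
clients:x:1003:
services:x:1004:'

# kconfig_get FILE SYMBOL: print the symbol's value, or "n" if unset/absent.
kconfig_get() {
    v=$(sed -n "s/^$2=\(.*\)/\1/p" "$1" | head -n 1)
    printf '%s\n' "${v:-n}"
}

# group_gid FILE NAME: print NAME's GID (third field) from an /etc/group file.
group_gid() {
    awk -F: -v n="$2" '$1 == n { print $3; exit }' "$1"
}

# check_kconfig CONFIG GROUPFILE: print one FAIL line per unmet requirement
# and return 0 only if every row of the table is satisfied. A want of
# GID:<name> means the symbol must equal that group's GID from GROUPFILE.
check_kconfig() {
    failures=0
    while read -r sym want label; do
        if [ -z "$sym" ]; then continue; fi
        case $want in GID:*) want=$(group_gid "$2" "${want#GID:}") ;; esac
        got=$(kconfig_get "$1" "$sym")
        if [ "$got" != "$want" ]; then
            printf 'FAIL %s: want %s, got %s (%s)\n' "$sym" "$want" "$got" "$label"
            failures=$((failures + 1))
        fi
    done <<'EOF'
CONFIG_MODULES n no loadable module support
CONFIG_GRKERNSEC y grsecurity enabled
CONFIG_GRKERNSEC_KERN_LOCKOUT y active kernel exploit response
CONFIG_GRKERNSEC_ACL_HIDEKERN y RBAC: hide kernel processes
CONFIG_GRKERNSEC_PROC_USER y restrict /proc to user only
CONFIG_GRKERNSEC_AUDIT_GID GID:audit kernel auditing gid
CONFIG_GRKERNSEC_SOCKET_ALL_GID GID:blackhole deny all sockets
CONFIG_GRKERNSEC_SOCKET_CLIENT_GID GID:services deny client sockets
CONFIG_GRKERNSEC_SOCKET_SERVER_GID GID:clients deny server sockets
CONFIG_PAX_NOEXEC y enforce non-executable pages
CONFIG_PAX_HOOK_ACL_FLAGS y MAC system integration: hook
CONFIG_SECURITY_DMESG_RESTRICT y restrict unprivileged syslog access
CONFIG_IMA y integrity measurement architecture
CONFIG_CRYPTO_WP512 y whirlpool for the LUKS header
CONFIG_CRYPTO_BLOWFISH y blowfish for the LUKS container
CONFIG_CRYPTO_HW n no hardware crypto devices
CONFIG_DM_CRYPT y dm_crypt built in
CONFIG_DEBUG_STRICT_USER_COPY_CHECKS y strict copy size checks
CONFIG_DEBUG_KERNEL n kernel debugging off
EOF
    [ "$failures" -eq 0 ]
}

# write_samples DIR: materialise the constructed samples as DIR/.config, DIR/group.
write_samples() {
    printf '%s\n' "$SAMPLE_CONFIG" > "$1/.config"
    printf '%s\n' "$SAMPLE_GROUP" > "$1/group"
}

# Stand-alone run on the samples; on the real box use
#   check_kconfig /usr/src/linux/.config /etc/group
main() {
    d=$(mktemp -d)
    write_samples "$d"
    if check_kconfig "$d/.config" "$d/group"; then
        echo "config matches the checklist; safe to run make"
    else
        echo "fix the FAIL lines in make menuconfig before building"
    fi
    rm -rf "$d"
}

main "$@"
```

On the real system, source the script and run check_kconfig against /usr/src/linux/.config and /etc/group; a clean exit status means every row matched, and each FAIL line names the symbol, the expected value and the menu label to go back to. The sample deliberately leaves CONFIG_DEBUG_KERNEL on so you can see what a mismatch looks like.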
# put the number of processors you have plus one instead of ?, for example -j5 if you have 4 cores
make -j?
# make sure /boot is mounted: this should list the boot partition's contents (at least lost+found).
# An empty listing means /boot is not mounted; exit the chroot, remount /mnt/gentoo/boot, then chroot in again
ls /boot
# both 32-bit and 64-bit x86 kernels build their image at arch/x86/boot/bzImage
cp /usr/src/linux/arch/x86/boot/bzImage /boot/bzImage
# if you ever need to repeat this, run make clean before reconfiguring your kernel and adding/removing stuff
# you can read much more about kernel configuration at kernel-seeds.org; that site carries premade, stripped
# kernels and step-by-step guides on configuring your own kernel from scratch, with detailed notes on every option.
# It is well worth a look if you are unsure about anything, and will really help the learning process :)