Uwe Hermann - Towards a moderately paranoid Debian laptop setup [Update] - Comments

HOWTO

Uwe Hermann — Sat, 29 Aug 2009 21:06:29 +0200

Maybe I'll update the HOWTO a bit, but there's no need to write a new one, the instructions are pretty much the same for newer Debian versions.

Uwe: Don't you think it's

Anonymous — Mon, 24 Aug 2009 18:03:10 +0200

Uwe:

Don't you think it's time to an not-so-moderated paranoid Debian 5.x laptop setup?

I've my tin foil hat ready!

Enable password in the menu.list

Anonymous — Mon, 17 Aug 2009 02:47:22 +0200

Hi. I got a question. I tried following what you said about putting a password under every title in the menu.list then upon reboot it does seems to put security having to type the password first before you can login to whatever OS installed in your box. But how come I can edit the menu list and delete the line with the password and successfully boot the box before typing the password? Does it suppose to do that? Isn't the password suppose to prevent access to your box? Or, did I miss something?

Great article. Gave me

Anonymous — Sat, 09 May 2009 04:06:57 +0200

Great article. Gave me something to think about.

Nice

Alien23 — Fri, 09 Jan 2009 20:49:28 +0100

Now I know what "sightly paranoid" is meaning :-)

Consider filling your laptop with epoxy for a more difficult physical access (but I guess this would result in overheating problems)
For me, encrypting home + swap is enough. I just came to your site to figure out how I can block the firewire DMA access.

But if I ever need a PC for developing my world dominion plans, I will come back to your HOWTO.

Coldbooting will crack HD encryption

Sigi — Sat, 02 Aug 2008 21:43:19 +0200

It should be noted that, unless the machine has been powered OFF (or hibernated, not suspended) for at least several minutes, it is possible for a determined attacker to overcome any disk encryption by cooling/freezing the RAM modules, transferring them to a different machine and looking for the disk encryption (session) key.

This will obviously render all the nice paranoid tactics void. So make sure you don't leave your machine unattended in a hostile environment unless it has been powered down for at least a few minutes (a few more in winter :-).

PDF of a research article demonstrating the technique

good article, i will write

laptop reviews — Sat, 03 May 2008 23:56:49 +0200

good article, i will write some in my blog about that

Great information!!

Anonymous — Tue, 19 Feb 2008 12:28:47 +0100

Great information!!

luks passphrase

Anonymous — Thu, 08 Nov 2007 04:16:47 +0100

hmmm... putting the partition and passphrase on a cdrom is probably a bad idea. But is it much different than having the passphrase on a usb stick? I think having some kind of way to read a passphrase from somewhere besides the keyboard would be a good thing. Entering a 20 character passphrase on a laptop seems a bit impractical but automatically reading it from somewhere does not. Do you know if there are any plans to support this sort of thing in the future. If it's not a horrible idea (or a less than good one), it would nice to see in the debian installer.

Another ways to get a encrypted filesystem

GooHackle — Wed, 07 Nov 2007 04:47:00 +0100

First of all, very good and complete tutorial! Congratulations.

Now if you want to encrypt only a partition or make a encrypted filesystem over a file you can read this:

How to create a LVM encrypted partition

How to create a portable encrypted file system on a loop file

Passphrase from CDROM

Uwe Hermann — Thu, 01 Nov 2007 18:56:05 +0100

No, but I don't think you want that, it'll make the whole procedure less secure. Anybody who gets that CDROM in his fingers has access to your encrypted files!

Uwe.

I was able to get my boot

Anonymous — Tue, 30 Oct 2007 16:50:00 +0100

I was able to get my boot partition on cdrom by loosely following the instructions found at http://pusling.com/blog/?p=25

Now I'd just like to figure out how to have the Passphrase read from the cdrom so I don't have to enter it during startup. Does anyone know how to accomplish this?

Installed it, but get Boot Error on boot, though the stick is bo

ShiroiKuma — Thu, 18 Oct 2007 22:41:53 +0200

Hi:

I did something akin to this, though the easier way I think. Installed debian from a netinst CD to a USB stick. Made an unencrypted boot partition and an encrypted partition, using LVM. Installed the system to it.

Then ran:
install-grub --recheck /dev/sda
ran fine...
then in grub ran:
root (hd0,0)
setup (hd0)
ran fine...
Then ran update-grub.
Checked the /boot/grub/menu.lst on the stick, is fine.

But upon boot with the USB inserted, the system halts with a Boot Error.

The USB is bootable though, since I checked prior to install by putting a DebianLive image on it, and it would get me to the Grub menu. But here I don't get to the Grub menu.

The system is there, I can mount the lv's by hand etc.

So how can I make the USB bootable properly and get to the Grub menu upon boot?

Further ideas - Boot from CD-R

han.hof — Fri, 31 Aug 2007 18:53:38 +0200

"The /boot partition is still unencrypted, so an attacker can tamper with it. Boot from a CD-R, forbid booting from hard drive (BIOS)."

Do you know a detailed instruction, how to boot a LUKS-encrypted system (even /boot partition is encrypted!) from CD-R?
Thank you.

check-selinux-installation on current debian sid

skol — Sat, 19 May 2007 12:53:37 +0200

Tanks for the vital info about selinux installation.
But on the current debian sid I got a little problem with the motd check of the check-selinux-installation script. Now it checks /etc/default/rcS for the variable EDITMOTD=no.
I added this line in addition to the recommended steps in your tutorial.
So it passes the test and avoids a misleading error message.
Maybe this will be helpful for other selinux users.

Towards a moderately paranoid Debian laptop setup [Update]

Uwe Hermann — Wed, 27 Sep 2006 17:14:12 +0200

I was planning to set up my laptop from scratch for a while now... so I did.

Preparation

First, go home. No, really! Do all of this at home in a non-hostile, firewalled network. You don't want to be in a crowded place such as a conference where people can shoulder-surf your passwords, nor do you want your network traffic sniffed or MITM'd in a hostile network.
Backup all your data! You'll be wiping your whole drive soon, so make sure you have recent, tested backups.
Get the most recent Debian-installer ISO image (currently etch-beta3), as well as the MD5SUMS and MD5SUMS.sign files:wget http://cdimage.debian.org/cdimage/etch_di_beta3/i386/iso-cd/debian-testing-i386-binary-1.iso wget http://cdimage.debian.org/cdimage/etch_di_beta3/i386/iso-cd/MD5SUMS wget http://cdimage.debian.org/cdimage/etch_di_beta3/i386/iso-cd/MD5SUMS.sign
Run gpg --verify MD5SUMS.sign, which will fail but tell you the signing key ID (88C7C1F7 in this case). Get the key and re-run the verification: gpg --recv-key --keyserver subkeys.pgp.net 88C7C1F7 && gpg --verify MD5SUMS.sign. The output should now say "Good signature from [...]".
Now check the MD5 checksums via md5sum -c MD5SUMS. The output should contain debian-testing-i386-binary-1.iso: OK.
As you now have (somewhat) verified the integrity of the ISO image, burn it on a CD-R: wodim debian-testing-i386-binary-1.iso.
Put trusted versions of some files on a USB thumb drive (or CD-ROM); at least a firewall script, but maybe also your bashrc, bash_logout, inputrc, vimrc, muttrc.
Disconnect your laptop from any kinds of networks. Pull all ethernet cables. Disable WLAN (via hardware killswitch). Disable Bluetooth. Disable/remove Firewire, USB, serial, whatever.
Put on your tin-foil hat (optional).

BIOS

Set a good BIOS boot password (which you need to boot any OS). Set a (different) good BIOS boot setup password (which you need to enter the BIOS).
Disable all boot possibilities in the BIOS, except for CD-ROM. This means it should not be possible to boot via USB, hard drive, network, PXE, Firewire, floppy, whatever. The BIOS setup password helps to prevent tampering with this setting.
Finally, never rely on BIOS passwords alone for security! They can often be circumvented very easily.

Installation / Setting up full-disk encryption using dm-crypt

Insert the installer CD and boot in expert-mode (don't hit ENTER when you boot, but rather type "expert").
As for networking: select "Do not configure the network at this time". We'll fix and enable networking later.
Partitioning:
- Select manual partitioning. Remove all partitions (if any). Create a 100 MB /boot (ext3) as primary partition, and make the rest of the hard drive one huge partition which has "Use as:" set to "physical volume for encryption".
- The standard options for cipher, key size, IV mode etc. should be fine (AES, 256 bit, CBC-ESSIV-SHA256, dm-crypt).
- After the erasing is done (this is important!), use the whole encrypted space as "physical volume for LVM". Then select "Configure the Logical Volume Manager". Create one big volume group and a bunch of logical volumes for the various partitions we'll use (lv-root, lv-usr, lv-var, lv-tmp, lv-swap, lv-home).
- It is extremely important that your swap space is encrypted (in this case it is, as all partitions except for /boot reside on a dm-crypt device)! Never set up unencrypted swap!
Enable shadow passwords. Allow login as root (I feel confident that I won't do stupid things as root).
Choose a good root password, and a (different) good user password. Don't enter a full name for the user.
Choose the latest kernel (old kernels might have security issues). Do not participate in popcon.
Do not install any tasks (no "desktop", no "base system"). We want the smallest installation possible, and add only the packages we really need. Fewer packages means fewer security issues (statistically).
That's it. Eject the CD-ROM, reboot, change the BIOS to only allow booting from hard drive.

Post-installation tasks

Enter the USB thumb drive, copy all config-files to /root and /home/uwe. Log out and log in again to make ~/.bashrc and ~/.inputrc take effect.
Enable the firewall: mkdir /etc/rc.boot && cp fw_laptop /etc/rc.boot && chmod 700 /etc/rc.boot/fw_laptop && sh /etc/rc.boot/fw_laptop
Shut down all networked daemons (if any): /etc/init.d/foo stop.
Tighten home-directory permissions: chmod 700 /root /home/uwe.
Edit /etc/passwd: give all users except for root, sync, uucp and your user account /usr/sbin/nologin as login shell. None of these accounts really needs a valid login shell (nologin will log any login attempts for those accounts).
Edit /etc/group: remove your user account from the dialout, cdrom, and floppy group. The groups audio, video, and plugdev can stay.

Edit /etc/fstab: add some mount options such as ro, nosuid, noexec, or nodev as you see fit. Example:

/dev/mapper/vg--whole-lv--root /     ext3 defaults,errors=remount-ro      0 0
/dev/sda2                      /boot ext3 defaults,nodev,nosuid,noexec,ro 0 0
/dev/mapper/vg--whole-lv--home /home ext3 defaults,nodev,nosuid           0 0
/dev/mapper/vg--whole-lv--tmp  /tmp  ext3 defaults,nodev,nosuid           0 0
/dev/mapper/vg--whole-lv--usr  /usr  ext3 defaults,nodev,ro               0 0
/dev/mapper/vg--whole-lv--var  /var  ext3 defaults,nodev                  0 0
/dev/mapper/vg--whole-lv--swap none  swap sw                              0 0
/dev/scd0 /media/cdrom iso9660 noauto,nodev,nosuid,noexec,uid=uwe,gid=uwe 0 0

If you have read-only (ro) file systems, configure Apt so that it can remount them read-write when installing/removing packages. Add this to /etc/apt/apt.conf:
```
DPkg
{
  Pre-Invoke { "mount -o remount,rw /usr; mount -o remount,rw /boot"; }
  Post-Invoke { "mount -o remount,ro /usr; mount -o remount,ro /boot"; }
}
```
Fix the GRUB configuration. Replace the "password foo" line (which contains the GRUB password in plain-text) from your /boot/grub/menu.lst with a "password --md5 $1$1234567890..." line, where the MD5 hash ($1$1234567890...) can be generated with grub-md5-crypt. Additionally, add such a password line after each "title" line in the GRUB config-file, so that nobody can boot any OS installed on the laptop without a password!

Networking, Upgrading and Apt-secure

Now that we have a small, hardened system, it should be reasonably safe to enable networking. Add this to /etc/network/interfaces:
```
auto eth0
iface eth0 inet dhcp
  pre-up /etc/rc.boot/fw_laptop
```
Run /etc/init.d/networking restart. The firewall script will run every time the network is started.
Now add this (tweak as you see fit) to /etc/apt/sources.list: deb http://ftp.de.debian.org/debian unstable main deb-src http://ftp.de.debian.org/debian unstable main
Time for upgrading: apt-get update && apt-get dist-upgrade. All packages are GnuPG-signed and will be verified by Apt. The installer already ships the required key (for 2006), so everything should just work. Still, you should read about SecureApt.
Install the rest of your system now, and restore your data from backups.
Use sysv-rc-conf to disable all daemons you don't want to start per default: sysv-rc-conf foo off.
Install and set up Samhain (or any other file integrity checker): apt-get install samhain. You want to be notified if your system files are being tampered with (e.g. replaced by a rootkit).
Install and configure Tor for anonymous browsing. More details here.
Install and configure more security-related programs, e.g. logcheck, snort, rkhunter, chkrootkit, tiger, sxid, etc.

SELinux

Now install and set up SELinux. This section is based on notes from Erich Schubert (thanks!), and will soon appear in the SELinuxSetup wiki page, too.

Install the base packages and an SELinux policy: apt-get install selinux-basics selinux-policy-refpolicy-targeted.
Edit /boot/grub/menu.lst and add selinux=1 to your kernel command line to enable SELinux upon booting.
In /etc/pam.d/login uncomment the "session required pam_selinux.so multiple" line. Do the same in /etc/pam.d/ssh if you have ssh installed.
In /etc/default/rcS set FSCKFIX=yes.
In /etc/init.d/bootmisc.sh search for "Update motd" and comment the two lines below that line. Then rm /var/run/motd.
If you have exim installed, you must either install postfix or write an exim policy, as none currently exists. But even postfix needs some fixing (no pun intended ;-). Disable chroot-support (change all "chroot" fields to "n" in /etc/postfix/master.cf and execute echo 'SYNC_CHROOT="n" >> /etc/default/postfix').
Use check-selinux-installation to check for common SELinux problems on Debian (such as the above mentioned).
touch /.autorelabel. Reboot. touch /.autorelabel (again). Reboot (again).
Done. You should now have a working SELinux system. If no critical audit errors appear and you feel comfortable with SELinux, enable enforcing mode via setenforce 1 or by adding enforcing=1 to the kernel command line in /boot/grub/menu.lst.

Behaviour

Never leave your laptop unattended!
Always lock your terminal (using vlock) when you move more than 30 cm away from the laptop!
Don't run insecure and/or closed-source software (which you can never trust!). No NVIDIA/ATI drivers, no VMware, no Google Earth, no Flash Plugin (except for Gnash maybe), no Adobe Acrobat. You get the idea.
Keep the number of installed packages small and try to configure each of them as secure as possible.
Never enable networking or WLAN or Bluetooth if you don't absolutely have to.
Trust no one. Don't let other people use you laptop, don't give out shell accounts.

Further ideas

The /boot partition is still unencrypted, so an attacker can tamper with it. Boot from a CD-R, forbid booting from hard drive (BIOS). Sign/mark the CD-R physically, so you'll know when someone replaced your CD-R with his own, back-doored one.
Another idea is to use an additionaly USB thumb drive or CD-ROM or smartcard for two-factor authentication.
Install another Debian into a QEMU image. Use it as a sandbox for stuff you don't trust: qemu -snapshot -net none foo.img.
At all costs, disable Firewire! If possible via hardware or BIOS, or at least don't load the drivers and/or fix them (page 19).
Replace the proprietary, closed-source BIOS with LinuxBIOS, if possible.

That's it. You can take off that stupid tin-foil hat now.

Update 2006-09-29: Fixed typos. Mentioned sxid. Added two-factor authentication.