Paranoid Gentoo: Level 1
Posted: Sat Jun 15, 2024 5:51 pm
In the never-ending cycle of Distro hopping, and my needs never quite being met, I have finally taken the Gentoo pill. To balance usability and security (and reproducibility!) I have started the "Paranoid Gentoo" project.
This guide will set-up a moderately hardened Gentoo environment with full GUI and sound, ext4 filesystem, and using the musl-hardened stage. The target system is an x86 Thinkpad T430s
Level 2 will feature SELinux and btrfs with LUKS encryption and separate partitioning for /var /tmp and /etc, along with daemon replacements for minimality and security.
Level 3 will include further hardening and mitigations provided by Kicksecure, Graphene OS, and the Plague Kernel
Level 4 will be implementing the same features on a RISC-V SoC
Feel free to ask questions or make suggestions.
Initial Gentoo Install
First liveboot some linux distro. Whatever it is doesn't really matter. I livebooted Artix-xfce, but any distro will work. Better to have a GUI so you can follow the handbook and google as needed from the same device while installing.
File System Setup
Stage 3 Install
Configuring the Kernel
/etc/fstab for ext4 basic system
Rest of the Owl
Initial System Setup
Use Flags to Remember:
Introspection is a GNOME/GTK developer thing and packages that use it struggle or fail to compile on musl systems
WiFi
Making Terminal Better
Setup Wayland Desktop (Sway)
https://wiki.gentoo.org/wiki/Recommended_applications
Add "wayland" to USE flags in /etc/portage/make.conf
wiki.gentoo.org/wiki/Sway#Starting_Sway_without_elogind_or_systemd
Use the .bash_profile script, start sway with "dbus-run-session sway"
Web Browser
Screenshot Tool
https://wiki.archlinux.org/title/Screen_capture#Wayland
Image Viewer
Launcher and Status Bar
Pipewire
Add "pulseaudio dbus" to make.conf USE flags
System Hardening
iptables
Then
Sysctl Edits
Boot Paramaters
Add the following parameters to your 'GRUB_CMDLINE_LINUX=' line in /etc/default/grub
Microcode Hardening
Also add the following to your /etc/default/grub line (This is assuming a Thinkpad t430s, if different hardware, check "grep -r . /sys/devices/system/cpu/vulnerabilities/"
Disable CPU Freqency Scaling
It's also a good idea to disable CPU frequency scaling
https://www.tomshardware.com/news/intel ... rypto-keys
Blacklist Old Kernel Modules
Virtual Machines for Compartmentalization
Some applications will not compile under Musl, and its also good to generally have a fleet of ready VMs for compartmentalization of uses. It's not quite Qubes, but it benefits.
Making a GUI VM with Plague OS https://bencrypted.gitlab.io/post/3/
This guide will set-up a moderately hardened Gentoo environment with full GUI and sound, ext4 filesystem, and using the musl-hardened stage. The target system is an x86 Thinkpad T430s
Level 2 will feature SELinux and btrfs with LUKS encryption and separate partitioning for /var /tmp and /etc, along with daemon replacements for minimality and security.
Level 3 will include further hardening and mitigations provided by Kicksecure, Graphene OS, and the Plague Kernel
Level 4 will be implementing the same features on a RISC-V SoC
Feel free to ask questions or make suggestions.
Initial Gentoo Install
First liveboot some linux distro. Whatever it is doesn't really matter. I livebooted Artix-xfce, but any distro will work. Better to have a GUI so you can follow the handbook and google as needed from the same device while installing.
File System Setup
Code: Select all
cfdisk /dev/sda #dos, linux filesystem. Make 3 partitions, 1G /dev/sda1 RAM*2 /dev/sda2 +100% /dev/sda3
mkfs.ext4 -T small /dev/sda1
mkswap /dev/sda2
mkfs.ext4 /dev/sda3
Code: Select all
mkdir -p /mnt/gentoo
mount /dev/sda3 /mnt/gentoo
cd /mnt/gentoo
wget $link-to-gentoo-musl-openrc-hardened
tar xpvf stage3-*.tar.xz --xattrs-include='*.*' --numeric-owner
vim /mnt/gentoo/etc/portage/make.conf
MAKEOPTS="-j8" (RAM/2<=Threads)
GENTOO_MIRRORS="https://gentoo.osuosl.org/"
cp --dereference /etc/resolv.conf /mnt/gentoo/etc/
mount --types proc /proc /mnt/gentoo/proc`
mount --rbind /sys /mnt/gentoo/sys
mount --rbind /dev /mnt/gentoo/dev
mount --bind /run /mnt/gentoo/run
mount --make-slave /mnt/gentoo/run
mount --make-rslave /mnt/gentoo/dev
mount --make-rslave /mnt/gentoo/sys
chroot /mnt/gentoo/ /bin/bash
source /etc/profile
export PS1="(chroot) ${PS1}"
mount /dev/sda1 /boot
emerge-webrsync
eselect profile list | grep musl | grep hardened
emerge --info | grep \^USE
nano /etc/portage/make.conf ^ Paste output of USE into make.conf, USE="....."
ACCEPT_LICENSE="\*"
emerge --ask --verbose --update --deep --newuse @world
emerge --ask sys-libs/timezone-data
nano /etc/env.d/00musl
TZ="/usr/share/zoneinfo/America/New_York"
env-update && source /etc/profile && export PS1="(chroot) ${PS1}"
Code: Select all
emerge --ask sys-kernel/linux-firmware
emerge --ask sys-firmware/intel-microcode
echo "sys-kernel/installkernel dracut grub" >> /etc/portage/package.use
emerge --ask sys-kernel/gentoo-kernel-bin
emerge --ask net-misc/networkmanager sys-fs/btrfs-progs sys-fs/cryptsetup sys-fs/lvm2 sys-kernel/installkernel
Code: Select all
/dev/sda1 /boot ext4 defaults 0 2
/dev/sda2 none swap sw 0 0
/dev/sda3 / ext4 defaults,noatime 0 1
/dev/cdrom /mnt/cdrom auto noauto,user 0 0
Code: Select all
echo tux > /etc/hostname
emerge --ask net-misc/dhcpcd
rc-update add dhcpcd default
rc-service dhcpcd start
passwd
nano /etc/rc.conf # Nothing should be altered but feel free to review the comments
emerge grub
grub-install /dev/sda
emerge --ask app-admin/sysklogd sys-process/cronie net-misc/chrony sys-apps/mlocate app-shells/bash-completion net-wireless/iw net-wireless/wpa_supplicant networkmanager
rc-update add sysklogd default
rc-update add cronie default
rc-update add chronyd default
rm stage3*
exit
umount -a
reboot
Use Flags to Remember:
Introspection is a GNOME/GTK developer thing and packages that use it struggle or fail to compile on musl systems
Code: Select all
echo '*/* -introspection -nls -vala' >> /etc/portage/package.use
Code: Select all
wpa_passphrase SSIDWhatever PasswordWhatever
wpa_supplicant -B -c /etc/wpa_supplicant.conf -i wlp3s0
dhcpcd -n wlp3s0
Code: Select all
emerge htop tmux
emerge dev-vcs/git
echo "net-misc/networkmanager tools" >> /etc/portage/package.use
emerge networkmanager
emerge doas
echo "permit usr" > /etc/doas.conf
echo "x11-terms/alacritty wayland" >> /etc/portage/package.use
emerge alacritty
https://wiki.gentoo.org/wiki/Recommended_applications
Add "wayland" to USE flags in /etc/portage/make.conf
Code: Select all
echo "gui-wm/sway X man" >> /etc/portage/package.use
emerge --ask sway swaybg
etc-update
echo "sys-auth/seatd server" >> /etc/portage/package.use
emerge --ask sys-auth/seatd
gpasswd -a usr video
gpasswd -a usr seat
rc-update add seatd default
rc-service seatd start
mkdir -p ~/.config/sway
cp /etc/sway/config ~/.config/sway
Use the .bash_profile script, start sway with "dbus-run-session sway"
Web Browser
Code: Select all
emerge app-eselect/eselect-repository
eselect repository add librewolf git https://codeberg.org/librewolf/gentoo.git
emaint -r librewolf sync
echo "www-client/librewolf clang hardened openh264 pulseaudio wayland geckodriver" >> /etc/portage/package.use
emerge --ask --autounmask=y --autounmask-write www-client/librewolf
https://wiki.archlinux.org/title/Screen_capture#Wayland
Code: Select all
emerge --ask grim
swaymsg -t get_tree | jq -r '.. | select(.focused?) | .rect | "\(.x),\(.y) \(.width)x\(.height)"' | grim -g - screenshot.png
Code: Select all
echo "media-gfx/imv gif heif icu jpeg jpegxl png svg tiff" >> /etc/portage/package.use
emerge --ask media-gfx/imv
Code: Select all
eselect repository enable guru
emerge --sync guru
emerge -s i3status
echo "x11-misc/i3status-rust pipewire" >> /etc/portage/package.use
echo "dev-lang/lua readline -deprecated" >> /etc/portage/package.use
emerge --ask --autounmask=y --autounmask-write x11-misc/i3status-rust
echo "dev-libs/bemenu wayland" >> /etc/portage/package.use
emerge --ask bemenu
Add "pulseaudio dbus" to make.conf USE flags
Code: Select all
usermod -aG pipewire usr
usermod -aG audio usr
usermod -aG video usr
echo "media-video/vlc flac mp3 ogg opus pulseaudio" >> /etc/portage/package.use
emerge --ask media-video/vlc
echo "media-video/pipewire flatpak sound-server" >> /etc/portage/package.use
emerge --ask media-libs/libpulse media-video/pipewire media-video/wireplumber
emerge --ask --verbose --changed-use --update --deep @world
cp /usr/share/pipewire/pipewire.conf ~/.config/pipewire/pipewire.conf
mkdir -p /run/usr/1000/
chown usr /run/usr/1000/
chmod -R 700 /run/usr/1000
iptables
Code: Select all
emerge --ask net-firewall/iptables
rc-update add iptables default
mkdir -p /etc/iptables && vim /etc/iptables/rules.v4
Code: Select all
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
COMMIT
Code: Select all
iptables-restore < /etc/iptables/rules.v4 && iptables-save && rc-service iptables start
Code: Select all
# Hides kernel pointers
kernel.kptr_restrict=2
# Restricts kernel log
kernel.dmesg_restrict=1
# Reduces info leakage of kernel during boot
kernel.printk=3 3 3 3
# Reduce attack surface of ebpf
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
# Prevents unprivileged users from loading vulnerable line disciplines
dev.tty.ldisc_autoload=0
# Mitigates use-after-free flaws
vm.unprivileged_userfaultfd=0
# kexec can be used to load another (malicious) kernel at runtime, disable
kernel.kexec_load_disabled=1
# Sysrq exposes a lot of debugging info, disable
kernel.sysrq=0
# Only privileged users can create namespaces (will require bubblewrap-suid, may break flatpaks)
kernel.unprivileged_userns_clone=0
# Restricts vulnerable performance events
kernel.perf_event_paranoid=3
# Network stack hardening
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_rfc1337=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.tcp_sack=0
net.ipv4.tcp_dsack=0
net.ipv4.tcp_fack=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
# Userspace hardening
# Ptrace often used to inspect/alter memory, restrict
kernel.yama.ptrace_scope=2
# Enable ASLR
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16
# Restrict symlinks, prevent TOCTOU races
fs.protected_symlinks=1
fs.protected_hardlinks=1
# Prevents file creation in world writable directories
fs.protected_fifos=2
fs.protected_regular=2
Add the following parameters to your 'GRUB_CMDLINE_LINUX=' line in /etc/default/grub
Code: Select all
# Disables slab merging, mitigates heap exploitation
slab_nomerge
# Enables zeroing of memory during allocation and free
init_on_alloc=1 init_on_free=1
# Randomises page allocator freelists
page_alloc.shuffle=1
# Enables Page Table Isolation, prevents some KASLR bypasses
pti=on
# Randomizes kernel stack offset on each call
randomize_kstack_offset=on
# Disables obsolete and old vsyscals often uses in ROP attacks
vsyscall=none
# Disables the info-leaky debugfs
debugfs=off
# Disables ipv6
ipv6.disable=1
# Lockdown userspace, kernel modules have to be signed !! I do not have this on mine because I self compile my kernel !!
# module.sig_enforce=1
# lockdown=confidentiality
Also add the following to your /etc/default/grub line (This is assuming a Thinkpad t430s, if different hardware, check "grep -r . /sys/devices/system/cpu/vulnerabilities/"
Code: Select all
# Mitigates CPU vulnerabilities
spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force
# Disables hyperthreading
mitigations=auto,nosmt
It's also a good idea to disable CPU frequency scaling
https://www.tomshardware.com/news/intel ... rypto-keys
Code: Select all
emerge --ask sys-power/cpupower
cpupower frequency-set -u 2.9GHz && cpupower frequency-set -d 2.9GHz && cpupower frequency-set -f 2.9GHz
Code: Select all
install dccp /bin/false
install sctp /bin/false
install rds /bin/false
install tipc /bin/false
install n-hdlc /bin/false
install ax25 /bin/false
install netrom /bin/false
install x25 /bin/false
install rose /bin/false
install decnet /bin/false
install econet /bin/false
install af_802154 /bin/false
install ipx /bin/false
install appletalk /bin/false
install psnap /bin/false
install p8023 /bin/false
install p8022 /bin/false
install can /bin/false
install atm /bin/false
install cramfs /bin/false
install freevxfs /bin/false
install jffs2 /bin/false
install hfs /bin/false
install hfsplus /bin/false
install squashfs /bin/false
install udf /bin/false
install cifs /bin/true
install nfs /bin/true
install nfsv3 /bin/true
install nfsv4 /bin/true
install ksmbd /bin/true
install gfs2 /bin/true
install vivid /bin/false
install bluetooth /bin/false
install btusb /bin/false
install uvcvideo /bin/false
Some applications will not compile under Musl, and its also good to generally have a fleet of ready VMs for compartmentalization of uses. It's not quite Qubes, but it benefits.
Code: Select all
echo "app-emulation/libvirt pcap qemu virt-network numa fuse macvtap vepa" >> /etc/portage/package.use
emerge --ask app-emulation/libvirt
echo "app-emulation/qemu pipewire spice gtk vnc usbredir" >> /etc/portage/package.use
emerge --ask app-emulation/qemu
emerge --ask app-emulation/virt-viewer \# We arent installing virt-manager because of 'introspection' bullshittery and bloat
gpasswd -a usr kvm
usermod -aG libvirt usr
usermod -aG qemu usr
rc-update add libvirtd default
rc-update add libvirt-guests default
ps -ef | awk -e '/qemu/ && !/awk/' | sed -e 's/[^/]*//' -e 's/ -/\n\t-/g'
Code: Select all
echo "dev-libs/libdbusmenu gtk -gtk3" >> /etc/portage/package.use
echo "net-misc/remmina -appindicator rdp spice ssh vnc" >> /etc/portage/package.use
emerge --ask net-misc/remmina
qemu-img create void.img 20G
qemu-system-x86_64 -accel kvm -nic user,model=virtio-net-pci -boot d -cdrom void-glibc-xfce.iso -m 1024 -smp cores=1 -drive format=raw,file=void-glibc.img
sudo void-installer
# Go through installer, use local-install option to keep XFCE environment
xbps-install tmux htop vim wireguard-tools tor torbrowser net-tools tigervnc
x0vncserver --SecurityTypes=None
qemu-system-x86_64 -accel kvm -nic user,model=virtio-net-pci,hostfwd=tcp::50022-:22 -m 1024 -smp cores=1 -drive format=raw,file=void-glibc.img
ssh -p 50022 usr@127.0.0.1 -L 6900:localhost:5900
Connect with remmina over VNC, 127.0.0.1:6900
xbps-install -Su