Blog | G5 Cyber Security

Secure Linux Install: Tamper Protection

G5 Cyber Security

TL;DR

Make your Linux install more secure against tampering by using a read-only root filesystem, strong boot passwords, file integrity monitoring (AIDE), and regular security updates. This guide explains how.

1. Read-Only Root Filesystem

The biggest impact comes from making the root filesystem read-only after booting. This prevents attackers from modifying system files even if they gain access.

  1. Remount Root as Read-Only: After a successful boot, remount the root partition as read-only. 
    sudo mount -o remount,ro /
  2. Edit fstab: To make this permanent, edit /etc/fstab. Find the line for your root partition (usually `/`) and add `ro` to the options. 
    UUID=your-uuid / ext4 ro 0 1
  3. Overlay Filesystem: Use an overlay filesystem (like tmpfs) for writable areas. This allows you to save logs, temporary files, and configuration changes without modifying the read-only root. 
    sudo mkdir /overlay
    sudo mount -t tmpfs tmpfs /overlay -o size=1G

    Add a line like this to /etc/fstab:

    tmpfs /overlay tmpfs defaults,noatime,mode=1777 0 0
  4. Bind Mounts: Bind mount directories from the overlay filesystem onto the root filesystem to make them writable. 
    sudo mount --bind /overlay/var /var

    Add similar lines for other writable directories (e.g., `/tmp`, `/run`) in a startup script or systemd service file.

2. Secure Boot

Secure Boot helps ensure that only trusted software loads during the boot process.

  1. Enable Secure Boot: This is usually done through your UEFI/BIOS settings. The exact steps vary by manufacturer.
  2. Set a Strong Boot Password: Protect your UEFI/BIOS settings with a strong password to prevent unauthorized changes.

3. File Integrity Monitoring (AIDE)

AIDE creates a database of file attributes and alerts you if any files are changed.

  1. Install AIDE: 
    sudo apt install aide
  2. Initial Database Creation: Run AIDE to create the initial database. This will take some time. 
    sudo aide --init
  3. Configure AIDE: Edit /etc/aide.conf to specify which files and directories to monitor. Pay attention to rules for important system binaries, libraries, and configuration files.
  4. Regular Checks: Schedule regular checks using a cron job or systemd timer. 
    sudo crontab -e

    Add a line like this:

    0 3 * * * /usr/bin/aide --check
  5. Review Reports: Regularly review the AIDE reports (usually in `/var/log/aide`) for any detected changes.

4. Regular Security Updates

Keep your system up-to-date with the latest security patches.

  1. Automatic Updates: Configure automatic security updates using tools like unattended-upgrades. 
    sudo apt install unattended-upgrades
  2. Manual Updates: Regularly run manual updates: 
    sudo apt update && sudo apt upgrade

5. Consider Immutable Operating Systems

Distributions like Fedora Silverblue and Endless OS are designed with immutability in mind, making them inherently more resistant to tampering.

Exit mobile version