TL;DR
Make your Linux install more secure against tampering by using a read-only root filesystem, strong boot passwords, file integrity monitoring (AIDE), and regular security updates. This guide explains how.
1. Read-Only Root Filesystem
The biggest impact comes from making the root filesystem read-only after booting. This prevents attackers from modifying system files even if they gain access.
- Remount Root as Read-Only: After a successful boot, remount the root partition as read-only. The remount is refused with "mount point is busy" while any process still holds a file on `/` open for writing, so do this before such services start (or from the startup script described below).

  ```sh
  sudo mount -o remount,ro /
  ```

- Edit fstab: To make this permanent, edit `/etc/fstab`. Find the line for your root partition (usually `/`) and add `ro` to the options.

  ```
  UUID=your-uuid / ext4 ro 0 1
  ```

- Overlay Filesystem: Mount a writable in-memory filesystem (tmpfs) at `/overlay` to hold the areas that must stay writable. This lets you keep logs, temporary files, and configuration changes without modifying the read-only root.

  ```sh
  sudo mkdir /overlay
  sudo mount -t tmpfs tmpfs /overlay -o size=1G
  ```

  Add a line like this to `/etc/fstab`:

  ```
  tmpfs /overlay tmpfs defaults,noatime,mode=1777 0 0
  ```

- Bind Mounts: Bind mount directories from the overlay filesystem onto the root filesystem to make them writable. The target directory inside the overlay must exist first, and because the bind mount hides whatever was under `/var`, copy the existing contents into the overlay before mounting.

  ```sh
  sudo mkdir -p /overlay/var
  sudo cp -a /var/. /overlay/var/
  sudo mount --bind /overlay/var /var
  ```

  Add similar lines for other writable directories (e.g., `/tmp`, `/run`) in a startup script or systemd service file; since a tmpfs starts empty on every boot, this script must recreate and repopulate the directories each time.
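As an added check (example script, not part of the original guide), the following audits a `/proc/mounts`-style listing for the layout set up above: `/` carrying the exact `ro` option and `/var` and `/tmp` each on their own mount. It assumes the mount points used in this section and runs against a constructed sample listing unless a file such as `/proc/mounts` is passed as its first argument.

```sh
#!/bin/sh
# Constructed sample in /proc/mounts format mirroring this guide's layout.
SAMPLE_MOUNTS='/dev/sda2 / ext4 ro,relatime 0 0
tmpfs /overlay tmpfs rw,nosuid,nodev,noatime,size=1048576k,mode=1777 0 0
tmpfs /var tmpfs rw,nosuid,nodev,noatime,size=1048576k,mode=1777 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noatime,size=1048576k,mode=1777 0 0'

# has_opt FILE MOUNTPOINT OPTION -> 0 if OPTION is an exact comma-separated
# token of MOUNTPOINT's options. A plain grep for "ro" would also match the
# common "errors=remount-ro" option on a writable root; this does not.
has_opt() {
    awk -v mp="$2" -v want="$3" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == want) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# fs_type FILE MOUNTPOINT -> prints the filesystem type mounted there, or nothing
fs_type() {
    awk -v mp="$2" '$2 == mp { print $3 }' "$1"
}

# audit_mounts FILE -> 0 only when / is read-only and every writable directory
# has a mount of its own (otherwise writes would land on the root filesystem)
audit_mounts() {
    file="$1"
    rc=0
    if has_opt "$file" / ro; then
        echo "OK   / is mounted read-only"
    else
        echo "FAIL / is writable"; rc=1
    fi
    for d in /var /tmp; do
        t=$(fs_type "$file" "$d")
        if [ -n "$t" ]; then
            echo "OK   $d is a separate $t mount"
        else
            echo "FAIL $d has no mount of its own"; rc=1
        fi
    done
    return "$rc"
}

mounts_file="${1:-}"
if [ -z "$mounts_file" ]; then
    mounts_file=$(mktemp); printf '%s\n' "$SAMPLE_MOUNTS" > "$mounts_file"
fi
audit_mounts "$mounts_file"
```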
2. Secure Boot
Secure Boot helps ensure that only trusted software loads during the boot process.
- Enable Secure Boot: This is usually done through your UEFI/BIOS settings. The exact steps vary by manufacturer.
- Set a Strong Boot Password: Protect your UEFI/BIOS settings with a strong password to prevent unauthorized changes.
3. File Integrity Monitoring (AIDE)
AIDE creates a database of file attributes and alerts you if any files are changed.
- Install AIDE:

  ```sh
  sudo apt install aide
  ```

- Initial Database Creation: Run AIDE to create the initial database. This will take some time. AIDE writes the result as a new database file (`aide.db.new`); it must be moved to the path your configuration names as `database` before the first check will run (Debian-based systems ship an `aideinit` helper that does this).

  ```sh
  sudo aide --init
  ```

- Configure AIDE: Edit `/etc/aide.conf` (`/etc/aide/aide.conf` on Debian-based systems) to specify which files and directories to monitor. Pay attention to rules for important system binaries, libraries, and configuration files.
- Regular Checks: Schedule regular checks using a cron job or systemd timer.

  ```sh
  sudo crontab -e
  ```

  Add a line like this:

  ```
  0 3 * * * /usr/bin/aide --check
  ```

- Review Reports: Regularly review the AIDE reports (usually in `/var/log/aide`) for any detected changes.
4. Regular Security Updates
Keep your system up-to-date with the latest security patches.
- Automatic Updates: Configure automatic security updates using tools like `unattended-upgrades`.

  ```sh
  sudo apt install unattended-upgrades
  ```

- Manual Updates: Regularly run manual updates:

  ```sh
  sudo apt update && sudo apt upgrade
  ```
5. Consider Immutable Operating Systems
Distributions like Fedora Silverblue and Endless OS are designed with immutability in mind, making them inherently more resistant to tampering.

