This is a two-part guide to setting up and configuring a completely locked-down kiosk Linux system that can be used in kiosk booths or, as in my case, as a client system for call centers with a web-driven backend. The nice thing is that when your agents need to work on a different system (web backend), you can update all workstations in batch to point to the new “URL” (backend system) they need to work on. Agents can’t fiddle with the system and break things… No Microsoft licensing costs… No viruses… Cheap hardware… The list goes on.


  • Download and burn the minimal installation CD.
  • Boot with the minimal live CD. (If it hangs at “Scanning… wd7000” reboot and boot with gentoo noload=pata_qdi)

Preparing the live CD environment:

Giving the live CD a root password:

passwd root

Starting the SSH daemon and checking the system IP address:

/etc/init.d/sshd start
ifconfig

Now you can SSH to the live CD environment and start the install process:

ssh root@gentoo_ip_address

Configuring disk partitions and filesystems:

  • Press p to print partition layout to see if all looks good.
  • Press w to write the partition table.
fdisk /dev/hda
o
n
p
1
default cylinders
+128M
n
p
2
default cylinders
+2048M
n
p
3
default cylinders
default size

Creating the filesystems and activating the swap partition:

mke2fs /dev/hda1
mke2fs -j /dev/hda3
mkswap /dev/hda2
swapon /dev/hda2

Mounting the new partitions:

mount /dev/hda3 /mnt/gentoo
mkdir /mnt/gentoo/boot
mount /dev/hda1 /mnt/gentoo/boot

Getting stage3 and portage: (Substitute where stage filename differs)

cd /mnt/gentoo
wget ftp://ftp.is.co.za/linux/distributions/gentoo/releases/x86/current-stage3/stage3-i486-20100126.tar.bz2
tar xvjpf stage3-*.tar.bz2
wget ftp://ftp.is.co.za/linux/distributions/gentoo/releases/snapshots/current/portage-latest.tar.bz2
tar xvjf /mnt/gentoo/portage-latest.tar.bz2 -C /mnt/gentoo/usr
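
The stage3 and portage tarballs above are fetched over plain FTP, so it is worth comparing each download with the digest the mirror publishes before unpacking it. This is an added example, not part of the original guide; it assumes a DIGESTS file sits beside the tarball and uses `# SHA512 HASH` section headers, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check a downloaded tarball against a published digest list.
# Assumed DIGESTS layout (verify against the file your mirror serves):
#   # SHA512 HASH
#   <hex digest>  <file name>

# expected_digest DIGESTS NAME ALGO -> prints the digest listed for NAME
expected_digest() {
    awk -v name="$2" -v algo="$3" '
        /^#/ { in_section = ($2 == algo && $3 == "HASH"); next }
        in_section && $2 == name { print $1; exit }
    ' "$1"
}

# verify_stage3 TARBALL DIGESTS -> 0 match, 1 mismatch, 2 no entry found
verify_stage3() {
    tarball=$1
    digests=$2
    want=$(expected_digest "$digests" "$(basename "$tarball")" SHA512)
    if [ -z "$want" ]; then
        echo "no SHA512 entry for $tarball in $digests" >&2
        return 2
    fi
    have=$(sha512sum "$tarball" | awk '{ print $1 }')
    if [ "$want" != "$have" ]; then
        echo "MISMATCH: $tarball (do not unpack)" >&2
        return 1
    fi
    echo "OK: $tarball"
}

# Usage: sh verify.sh stage3-*.tar.bz2 stage3-*.tar.bz2.DIGESTS
if [ $# -eq 2 ]; then
    verify_stage3 "$1" "$2"
fi
```

A digest fetched from the same mirror only detects corruption in transit; if the mirror also publishes a signed copy of the digest file, check that signature with gpg before trusting the digest.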

Configuring compile options:

vi /mnt/gentoo/etc/make.conf

Add the following two lines and save the make.conf file.

FEATURES="ccache distlocks fixpackages parallel-fetch preserve-libs protect-owned sandbox sfperms strict unmerge-orphans userfetch"
INPUT_DEVICES="evdev"

mkdir -p /mnt/gentoo/usr/lib/ccache/bin

Set the Gentoo mirrors and sync:

mirrorselect -i -o >> /mnt/gentoo/etc/make.conf
mirrorselect -i -r -o >> /mnt/gentoo/etc/make.conf

For local South African mirrors:

vi /mnt/gentoo/etc/make.conf
  • add http://ftp.leg.uct.ac.za/pub/linux/gentoo to GENTOO_MIRRORS
  • replace SYNC="rsync://ftp.leg.uct.ac.za/gentoo-portage"

DNS configuration:

cp -L /etc/resolv.conf /mnt/gentoo/etc/

Mounting filesystems and CHROOT into the newly created environment:

Mounting /proc and /dev filesystems:

mount -t proc none /mnt/gentoo/proc
mount -o bind /dev /mnt/gentoo/dev

CHROOT into the newly created environment:

chroot /mnt/gentoo /bin/bash
env-update
source /etc/profile
export PS1="(chroot) $PS1"

Syncing portage:

emerge --sync

Checking if make.profile link looks good:

ls -FGg /etc/make.profile

Adding custom USE FLAGS to make.conf:

vi /etc/make.conf

And make the USE flags line look like this:

USE="server zlib nsplugin motif nptl -debug -pic -xcb -gnome -kde -qt3 -qt4 dbus hal nptl X xorg -dmx -ipv6 -kdrive -minimal -sdl -tslib ssl alsa oss midi jpeg png xulrunner nspr nss ntp caps unicode"

(Put whatever else you want or don't want between the quotes.)

Updating portage:

emerge portage

Setting the timezone:

cp /usr/share/zoneinfo/Africa/Johannesburg /etc/localtime

Compiling the kernel:

Emerging the Gentoo kernel sources:

emerge gentoo-sources

Doing some manual kernel configuration: (NOTE: for kernel 2.6.31-r6)

cd /usr/src/linux

(If you're going to recompile your kernel, remember to run "make clean" first)

make menuconfig

Processor type and features
  [*] Support for old Pentium 5 / WinChip machine checks

File systems
  <*> Second extended fs support
    [*] Ext2 extended attributes
    [*] Ext2 POSIX Access Control Lists
    [*] Ext2 Security Labels
    [*] Ext2 execute in place support
  CD-ROM/DVD Filesystems  --->
    <*> UDF file system support
  DOS/FAT/NT Filesystems  --->
    <*> NTFS file system support
    [*] NTFS write support
  Network File Systems  --->
    <*> CIFS support (advanced network filesystem, SMBFS successor)
    [*] CIFS statistics
      [*] Extended statistics
    [*] Support legacy servers which use weaker LANMAN security
    [*] Kerberos/SPNEGO advanced session setup
    [*] CIFS extended attributes
      [*] CIFS POSIX Extensions

Device Drivers  --->
  <M> Sound card support  --->
    <M> Advanced Linux Sound Architecture  --->
      <M> Sequencer support
      <M> Sequencer dummy client
      <M> OSS Mixer API
      <M> OSS PCM (digital audio) API
      [*] OSS PCM (digital audio) API - Include plugin system
      [*] OSS Sequencer API
      <M> HR-timer backend support
      [*] Use HR-timer as default sequencer timer
      [ ] Support old ALSA API
      PCI sound devices  --->
        <M> Intel/SiS/nVidia/AMD/ALi AC97 Controller
        <M> VIA 82C686A/B, 8233/8235 AC97 Controller
  Graphics support  --->
    <*> /dev/agpgart (AGP Support)  --->
      <*> ALI chipset support
      <*> ATI chipset support
      <*> NVIDIA nForce/nForce2 chipset support
      <*> VIA chipset support
    <*> Direct Rendering Manager (XFree86 4.1.0 and higher DRI support)  --->
      <*> ATI Radeon
      <*> Intel I810
    -*- Support for frame buffer devices  --->
      [*] Enable firmware EDID
      [ ] Enable Tile Blitting Support
      [*] VESA VGA graphics support
      <*> nVidia Framebuffer Support
        [*] Enable DDC Support
      <*> Intel 810/815 support (EXPERIMENTAL)
      <*> Matrox acceleration
      <*> ATI Radeon display support
    [ ] Bootup logo  --->
  Network device support  --->
    [*] Ethernet (10 or 100Mbit)  --->
      <*> 3c590/3c900 series (592/595/597) "Vortex/Boomerang" support
      <*> 3cr990 series "Typhoon" support
      <*> Broadcom 440x/47xx ethernet support
      [*] Support for older RTL-8129/8130 boards
    [*] Ethernet (1000 Mbit)  --->
      <*> Intel(R) 82575/82576 PCI-Express Gigabit Ethernet support
      <*> JMicron(R) PCI-Express Gigabit Ethernet support
      <*> Broadcom CNIC support

Bus options (PCI etc.)  --->
  [*] Enable deprecated pci_find_* API

Kernel hacking  --->
  [*] Enable unused/obsolete exported symbols

Compiling and installing the new kernel:

make && make modules_install
cp arch/i386/boot/bzImage /boot/kernel-2.6.31-gentoo-r6

If you have kernel modules that you want to load automatically, follow this documentation.

Creating new fstab and configuring mount points at boot:

Note that mount points must be defined as sda although your hard drive is hda. The new kernels do not recognize hda anymore.

vi /etc/fstab

/dev/sda1               /boot           ext2            noauto,noatime          1 2
/dev/sda2               none            swap            sw                      0 0
/dev/sda3               /               ext3            noatime                 0 1
/dev/cdrom              /mnt/cdrom      auto            noauto,user             0 0
#/dev/fd0               /mnt/floppy     auto            noauto                  0 0
proc                    /proc           proc            defaults                0 0
shm                     /dev/shm        tmpfs           nodev,nosuid,noexec     0 0
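
One way to check the fstab above for kiosk use, as an added example that is not part of the original guide: the script lists every entry that does not set nodev, nosuid and noexec, treating user/users as implying all three, as mount(8) documents. The function names and the skip list (root, swap, proc) are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag fstab entries that allow device nodes, setuid binaries
# or program execution where a kiosk has no use for them.

# audit_fstab FILE -> one line per finding; exit status 1 if anything flagged
audit_fstab() {
    awk '
        # An option counts as set if listed, or implied by user/users
        # (mount(8)) and not switched back on by its positive form.
        function lacks(neg, pos) {
            return !((neg in has) || (implied && !(pos in has)))
        }
        NF < 4 || $1 ~ /^#/        { next }   # blank, short or commented lines
        $2 == "/" || $3 == "swap"  { next }   # root needs exec and setuid
        $3 == "proc"               { next }   # kernel pseudo-filesystem
        {
            split("", has)                    # reset the option set
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) has[opt[i]] = 1
            implied = ("user" in has) || ("users" in has)
            miss = ""
            if (lacks("nodev", "dev"))   miss = miss " nodev"
            if (lacks("nosuid", "suid")) miss = miss " nosuid"
            if (lacks("noexec", "exec")) miss = miss " noexec"
            if (miss != "") { print $2 " missing:" miss; found = 1 }
        }
        END { exit found }
    ' "$1"
}

# Constructed sample: the fstab from this guide.
sample_fstab() {
    cat <<'EOF'
/dev/sda1   /boot       ext2   noauto,noatime       1 2
/dev/sda2   none        swap   sw                   0 0
/dev/sda3   /           ext3   noatime              0 1
/dev/cdrom  /mnt/cdrom  auto   noauto,user          0 0
#/dev/fd0   /mnt/floppy auto   noauto               0 0
proc        /proc       proc   defaults             0 0
shm         /dev/shm    tmpfs  nodev,nosuid,noexec  0 0
EOF
}

# Usage: sh audit.sh /etc/fstab
if [ $# -eq 1 ]; then
    audit_fstab "$1" || true
fi
```

Run against the sample, only /boot is reported; the cdrom entry passes because of its user option.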

Configuring the network settings:

vi /etc/conf.d/hostname

HOSTNAME="your_preferred_FQDN_hostname"

vi /etc/conf.d/net.eth0

dns_domain_lo="your_preferred_domain_name"
#config_eth0=( "192.168.0.2 netmask 255.255.255.0 brd 192.168.0.255" )
#routes_eth0=( "default via 192.168.0.1" )
config_eth0=( "dhcp" )

Adding the networking config to the default runlevel:

rc-update add net.eth0 default

Configure the hosts file:

vi /etc/hosts

Set the root password:

passwd root

Installing essential system tools:

emerge syslog-ng
rc-update add syslog-ng default
emerge logrotate
emerge vixie-cron
rc-update add vixie-cron default
emerge jfsutils
emerge dhcpcd
emerge net-misc/ntp

Configuring the clock and NTP:

Configure the clock:

vi /etc/conf.d/clock

Setting the timezone:

CLOCK="local"
TIMEZONE="Johannesburg"

Configuring NTP:

vi /etc/ntp.conf

server ntp.time.za.net

Adding the NTP daemon to the default runlevel:

rc-update add ntpd default
rm /etc/adjtime

NOTE: date 012514262010 sets the clock to 14:26 on 2010-01-25. The format is MMDDhhmm[[CC]YY][.ss]

hwclock --local --systohc
cd /
touch currtime
find . -cnewer /currtime -exec touch {} \;   # don't worry about errors
rm -rf /currtime

rc-update add sshd default
rc-update del netmount

emerge mingetty
emerge sudo

Configure the bootloader:

emerge grub
vi /boot/grub/grub.conf

default 0
timeout 1
#splashimage=(hd0,0)/boot/grub/splash.xpm.gz
title Gentoo Linux 2.6.31-r6
root (hd0,0)
kernel /boot/kernel-2.6.31-gentoo-r6 root=/dev/sda3

grep -v rootfs /proc/mounts > /etc/mtab
grub-install --no-floppy /dev/hda

If you want smaller fonts in the CLI:

vi /etc/rc.conf

CONSOLEFONT="default8x9"

Exiting the chroot, unmounting the mount points and rebooting into the new system:

exit
cd
umount /mnt/gentoo/boot /mnt/gentoo/dev /mnt/gentoo/proc /mnt/gentoo
reboot

Follow part 2 for the rest of the setup.
