Building a secure Gentoo Linux kiosk system - part 1
This is a two-part guide to setting up and configuring a completely locked-down kiosk Linux system that can be used in kiosk booths or, as in my case, as a client system for call centers with a web-driven backend. The nice thing is that when your agents need to work on a different backend system, you can update all workstations in batch to point at the new “URL”. Agents can’t fiddle with the system and break things… No Microsoft licensing costs… No viruses… Cheap hardware… The list goes on.
Mounting the partitions:
mount /dev/hda3 /mnt/gentoo
mkdir /mnt/gentoo/boot
mount /dev/hda1 /mnt/gentoo/boot
Getting stage3 and portage: (Substitute where stage filename differs)
cd /mnt/gentoo
wget ftp://ftp.is.co.za/linux/distributions/gentoo/releases/x86/current-stage3/stage3-i486-20100126.tar.bz2
tar xvjpf stage3-*.tar.bz2
wget ftp://ftp.is.co.za/linux/distributions/gentoo/releases/snapshots/current/portage-latest.tar.bz2
tar xvjf /mnt/gentoo/portage-latest.tar.bz2 -C /mnt/gentoo/usr
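Before unpacking a stage3 or portage tarball that was fetched from a mirror over plain FTP, it is worth checking it against a checksum list and refusing to extract on a mismatch. The following shell script is an added example and is not part of the original guide; it assumes a SHA512 checksum list in `sha512sum -c` format stored next to the tarball (the file name `<tarball>.sha512` is hypothetical) and it builds its own throw-away tarball to exercise both the good and the tampered path, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original guide): verify a stage tarball against
# a SHA512 checksum list before unpacking it into /mnt/gentoo.
# Assumption: the list is in `sha512sum -c` format ("<hash>  <filename>") and
# lives next to the tarball as <tarball>.sha512 (hypothetical name).
set -u

# verify_tarball <tarball> <checksum-file>
# Returns 0 when the tarball's SHA512 matches its entry in the checksum file,
# 1 on mismatch or when the file has no entry at all.
verify_tarball() {
    tarball=$1
    sums=$2
    name=$(basename "$tarball")
    # Keep only the entry for this file, so an unrelated entry in the list
    # cannot satisfy the check; a missing entry is a failure, not a pass.
    entry=$(grep -E "[[:space:]]\*?${name}\$" "$sums") || return 1
    ( cd "$(dirname "$tarball")" && printf '%s\n' "$entry" | sha512sum -c --status )
}

# unpack_stage <tarball> <checksum-file> <target-dir>
# Extracts only after verification. The guide uses `tar xvjpf` (explicit
# bzip2); plain `xpf` lets GNU tar detect the compression itself.
unpack_stage() {
    verify_tarball "$1" "$2" || { echo "checksum mismatch for $1" >&2; return 1; }
    tar xpf "$1" -C "$3"
}

# demo_verify: constructed fixture (not a real Gentoo release). Returns 0 when
# the untouched tarball verifies and extracts, and the tampered copy is refused.
demo_verify() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src/etc" "$work/root"
    echo "kiosk" > "$work/src/etc/hostname"
    tar czf "$work/stage3-example.tar.gz" -C "$work/src" etc
    ( cd "$work" && sha512sum stage3-example.tar.gz > stage3-example.tar.gz.sha512 )
    unpack_stage "$work/stage3-example.tar.gz" "$work/stage3-example.tar.gz.sha512" "$work/root" || return 1
    [ -f "$work/root/etc/hostname" ] || return 1
    # Tamper with the download: a single appended byte must cause a refusal.
    printf 'x' >> "$work/stage3-example.tar.gz"
    if unpack_stage "$work/stage3-example.tar.gz" "$work/stage3-example.tar.gz.sha512" "$work/root" 2>/dev/null; then
        return 1
    fi
    rm -rf "$work"
    return 0
}
```

On a real install you would call `unpack_stage /mnt/gentoo/stage3-*.tar.bz2 /mnt/gentoo/stage3-*.tar.bz2.sha512 /mnt/gentoo` in place of the bare `tar xvjpf` line, after obtaining the checksum list from a source you trust more than the mirror itself.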
Configuring compile options:
vi /mnt/gentoo/etc/make.conf
Add the following two lines and save the make.conf file.
Configuring the kernel (options to enable in make menuconfig):
Processor type and features
  [*] Support for old Pentium 5 / WinChip machine checks
File systems
  <*> Second extended fs support
    [*] Ext2 extended attributes
    [*] Ext2 POSIX Access Control Lists
    [*] Ext2 Security Labels
    [*] Ext2 execute in place support
File systems
  CD-ROM/DVD Filesystems --->
    <*> UDF file system support
File systems
  DOS/FAT/NT Filesystems --->
    <*> NTFS file system support
      [*] NTFS write support
File systems
  Network File Systems --->
    <*> CIFS support (advanced network filesystem, SMBFS successor)
      [*] CIFS statistics
        [*] Extended statistics
      [*] Support legacy servers which use weaker LANMAN security
      [*] Kerberos/SPNEGO advanced session setup
      [*] CIFS extended attributes
        [*] CIFS POSIX Extensions
Device Drivers --->
  <M> Sound card support --->
    <M> Advanced Linux Sound Architecture --->
      <M> Sequencer support
        <M> Sequencer dummy client
      <M> OSS Mixer API
      <M> OSS PCM (digital audio) API
        [*] OSS PCM (digital audio) API - Include plugin system
      [*] OSS Sequencer API
      <M> HR-timer backend support
        [*] Use HR-timer as default sequencer timer
      [ ] Support old ALSA API
      PCI sound devices --->
        <M> Intel/SiS/nVidia/AMD/ALi AC97 Controller
        <M> VIA 82C686A/B, 8233/8235 AC97 Controller
  Graphics support --->
    <*> /dev/agpgart (AGP Support) --->
      <*> ALI chipset support
      <*> ATI chipset support
      <*> NVIDIA nForce/nForce2 chipset support
      <*> VIA chipset support
    <*> Direct Rendering Manager (XFree86 4.1.0 and higher DRI support) --->
      <*> ATI Radeon
      <*> Intel I810
    -*- Support for frame buffer devices --->
      [*] Enable firmware EDID
      [ ] Enable Tile Blitting Support
      [*] VESA VGA graphics support
      <*> nVidia Framebuffer Support
        [*] Enable DDC Support
      <*> Intel 810/815 support (EXPERIMENTAL)
      <*> Matrox acceleration
      <*> ATI Radeon display support
    [ ] Bootup logo --->
  Network device support --->
    [*] Ethernet (10 or 100Mbit) --->
      <*> 3c590/3c900 series (592/595/597) "Vortex/Boomerang" support
      <*> 3cr990 series "Typhoon" support
      <*> Broadcom 440x/47xx ethernet support
      [*] Support for older RTL-8129/8130 boards
    [*] Ethernet (1000 Mbit) --->
      <*> Intel(R) 82575/82576 PCI-Express Gigabit Ethernet support
      <*> JMicron(R) PCI-Express Gigabit Ethernet support
      <*> Broadcom CNIC support
Bus options (PCI etc.) --->
  [*] Enable deprecated pci_find_* API
Kernel hacking --->
  [*] Enable unused/obsolete exported symbols
Compiling and installing the new kernel:
make && make modules_install
cp arch/i386/boot/bzImage /boot/kernel-2.6.31-gentoo-r6
If you have kernel modules that you want to load automatically, follow this documentation.
Creating the new fstab and configuring mount points at boot:
Note that the mount points must be defined as sda even though your hard drive is hda: the new kernel no longer recognizes hda.
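The sda-versus-hda point is easy to get wrong when an fstab is copied from an older install, and a kiosk should not boot with a root filesystem it cannot find. The script below is an added example, not the guide's own fstab: it writes an fstab that follows the guide's layout (partition 1 on /boot, partition 3 on /) with the sda names, and lints any fstab for the legacy hda naming or a malformed line. The ext2/ext3 filesystem types, the tmpfs /tmp line and the nosuid/nodev/noexec mount options are assumptions chosen for a locked-down kiosk.

```shell
#!/bin/sh
# Added example (not from the original guide): generate a kiosk fstab with the
# sda device names the new kernel expects, and lint an fstab for stale hda
# names. Filesystem types and mount options are assumptions for this example.
set -u

# kiosk_fstab: print the fstab content. /boot is not mounted after boot, and
# /tmp is a tmpfs with nosuid,nodev,noexec so the only world-writable area
# cannot hold setuid binaries, device nodes or runnable programs.
kiosk_fstab() {
    cat <<'EOF'
# <fs>      <mountpoint>  <type>  <opts>                        <dump> <pass>
/dev/sda1   /boot         ext2    noauto,noatime,nosuid,nodev   1      2
/dev/sda3   /             ext3    noatime                       0      1
tmpfs       /tmp          tmpfs   nosuid,nodev,noexec,size=64m  0      0
EOF
}

# lint_fstab <file>: return 0 when every data line has the six fstab fields
# and no device field uses the legacy /dev/hd* naming; offending lines are
# reported on stderr and the function returns 1.
lint_fstab() {
    awk '
        /^[[:space:]]*(#|$)/ { next }   # skip comments and blank lines
        NF != 6 { print "bad field count: " $0 > "/dev/stderr"; bad = 1; next }
        $1 ~ /^\/dev\/hd/ { print "legacy hda name: " $0 > "/dev/stderr"; bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# write_fstab <target-dir>: install the fstab under <target-dir>/etc only if
# it passes the lint, so a bad file never reaches the chroot.
write_fstab() {
    tmp=$(mktemp) || return 1
    kiosk_fstab > "$tmp"
    if lint_fstab "$tmp"; then
        mkdir -p "$1/etc" && cp "$tmp" "$1/etc/fstab"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}
```

During the install this would be `write_fstab /mnt/gentoo`; running `lint_fstab` against an fstab carried over from an older box is the quick way to catch the hda names before the first reboot.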