Debian Linux (Kali 2) with Fsprotect – APT and malware resistance through non-persistence part 2

In *, Data at rest, Hacking, Malware, Physical Security, Research, Tutorial by [email protected]

To set up a non-persistent Linux system on Debian I used fsprotect. What fsprotect essentially does is transparently mount a RAM file system over the read-only root file system. Any changes are made only to the RAM file system, never to the hard disk. This is kind of like Deep Freeze or Reboot Restore RX for Linux. I have used fsprotect for the past year and have had no issues. I use it on my external-facing system for obvious reasons.

Setting this up in Debian (tested on Kali 2) is easy.

Step 1. Run the following command in a terminal:

sudo apt-get install fsprotect

Step 2. Copy the following text to a new text file and save it as unpersist.sh. Make unpersist.sh executable (chmod +x unpersist.sh). Run it in a terminal as root: sudo ./unpersist.sh

#!/bin/sh
# unpersist.sh - Turn persistence off (changes to the system are wiped on reboot)
# Must run as root (sudo ./unpersist.sh): it overwrites /etc/default/grub and runs update-grub.
# Create the grub file. The quoted 'EOF' stops the shell from expanding the
# backticks below, so the lsb_release call is written to the file literally.
cat <<'EOF' > /etc/default/grub
# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
# For full documentation of the options in this file, see:
#   info -f grub -n 'Simple configuration'

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
# fsprotect=auto boots with the RAM filesystem overlay (non-persistent).
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash fsprotect=auto"
#GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX=""

# Uncomment to enable BadRAM filtering, modify to suit your needs
# This works with Linux (no patch required) and with any kernel that obtains
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"

# Uncomment to disable graphical terminal (grub-pc only)
#GRUB_TERMINAL=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
#GRUB_GFXMODE=640x480

# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
#GRUB_DISABLE_RECOVERY="true"

# Uncomment to get a beep at grub start
#GRUB_INIT_TUNE="480 440 1"
EOF

# Regenerate /boot/grub/grub.cfg from the new defaults
update-grub

Step 3. Copy the following text to a new text file and save it as persist.sh. Make persist.sh executable (chmod +x persist.sh).

#!/bin/sh
# persist.sh - Turn persistence on (changes to the system are saved to the hard disk)
# Must run as root: it overwrites /etc/default/grub and runs update-grub.
# Create the grub file. The quoted 'EOF' stops the shell from expanding the
# backticks below, so the lsb_release call is written to the file literally.
cat <<'EOF' > /etc/default/grub
# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
# For full documentation of the options in this file, see:
#   info -f grub -n 'Simple configuration'

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
# The fsprotect line is commented out, so the system boots normally (persistent).
#GRUB_CMDLINE_LINUX_DEFAULT="quiet splash fsprotect=auto"
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX=""

# Uncomment to enable BadRAM filtering, modify to suit your needs
# This works with Linux (no patch required) and with any kernel that obtains
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"

# Uncomment to disable graphical terminal (grub-pc only)
#GRUB_TERMINAL=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
#GRUB_GFXMODE=640x480

# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
#GRUB_DISABLE_RECOVERY="true"

# Uncomment to get a beep at grub start
#GRUB_INIT_TUNE="480 440 1"
EOF

# Regenerate /boot/grub/grub.cfg from the new defaults
update-grub

Step 4. Reboot, make some changes to your system, reboot again and verify they did not persist. All changes to your system are made to the RAM filesystem, so when you reboot the changes are gone.

That's it! You may need to modify unpersist.sh to work on your system. The way I have it set for my system is fsprotect=auto, which allocates 50% of RAM to the RAM filesystem that overlays the read-only root.

I created the scripts to streamline turning persistence on and off. To make changes to the system, such as installing updates, persistence has to be on. Obviously it would be a problem if you could turn persistence on from the non-persistent session. To turn persistence on:

1. Reboot and select recovery mode from the Grub menu
2. Log in and run persist.sh from the command line
3. Reboot to a persistent system
4. Apply updates and make required changes
5. Run unpersist.sh and reboot.
