For anti-forensic and security reasons I have been searching how I can create a read only system on my laptop's internal SSD. I basically want to create a LiveCD on my SSD.
I would assume I could install everything I need and change the fstab to read-only but I am unsure how to route all the system writes and other things I have no idea about to RAM.
Basically I would like to leave no trace in the first place so nothing at all could be recovered from the drive.
I am assuming I would at least need this in my fstab:
tmpfs /tmp tmpfs nodev,nosuid,rw 0 0
tmpfs /var/tmp tmpfs nodev,nosuid,rw 0 0
tmpfs /var/log tmpfs nodev,nosuid,rw 0 0
Thanks.
Last edited by kz8rt3 (2014-07-13 13:51:30)
Offline
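Added example, not part of the original thread: a check for the goal stated in the post above, listing any disk-backed filesystem that is still mounted read-write and confirming that the three paths from the proposed fstab are on tmpfs. It assumes input in `/proc/mounts` format; the function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a mount table for writes that would reach the disk.
# Input format is that of /proc/mounts:
#   device mountpoint fstype options dump pass

# rw_disk_mounts: read a mount table on stdin and print "mountpoint device"
# for every /dev/* backed filesystem whose option list contains "rw".
rw_disk_mounts() {
    awk '$1 ~ /^\/dev\// {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "rw") { print $2, $1; break }
         }'
}

# on_tmpfs PATH: read a mount table on stdin; succeed only if PATH is
# itself a tmpfs mount point, so writes below it stay in RAM.
on_tmpfs() {
    awk -v p="$1" '$2 == p && $3 == "tmpfs" { found = 1 }
                   END { exit !found }'
}

# Constructed sample table: read-only root, the three tmpfs mounts from
# the post, and a second partition left read-write.
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext4 ro,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /var/log tmpfs rw,nosuid,nodev 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
EOF
}

# Report on the sample; on a live system use: rw_disk_mounts < /proc/mounts
sample_mounts | rw_disk_mounts
for p in /tmp /var/tmp /var/log; do
    sample_mounts | on_tmpfs "$p" || echo "not on tmpfs: $p"
done
```

An `ro` entry in this table does not by itself show that nothing was written at mount time: ext4 replays a dirty journal even when mounted read-only unless `noload` is given.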
Personally I'd use ArchISO to create a custom LiveCD and then just image that onto your SSD.
Last edited by Slithery (2014-07-13 14:00:53)
Offline
> Personally I'd use ArchISO to create a custom LiveCD and then just image that onto your SSD.

Interesting, thanks. I am looking to share the system as well so having a custom ISO would be sweet. But it all seems a bit much and I was also hoping to have a system bigger than what would fit on a DVD. I was thinking of building the system and then just making an image of that system.
Last edited by kz8rt3 (2014-07-13 14:05:45)
Offline
1) Is there some particular reason the hassle of using a rolling-release distribution to create a non-upgradeable system is preferable to just encrypting your disk? Preventing access to a filesystem in the first place is more secure than merely preventing the filesystem from being changed.
2) Please forgive me if I presume too much here, but these two quotes taken together:
> For anti-forensic and security reasons I have been searching how I can create a read only system on my laptop's internal SSD.
> I am looking to share the system as well...
...seem to imply that you don't trust the people you'll be sharing the system with.
Offline
Please pardon the details of this post, it is mostly to keep track of what I am doing but it might be of assistance to others so...
OK so here is more completely what I would love to make:
A read only file system, about 20GB, that boots directly into a user called "user". It must be able to configure wireless and wired connections (resolv.conf symlink is causing me issues) and mount external drives (I assume I can mount /media to tmpfs?)
A 60 to 80 GB partition that can be encrypted however the user wants.
System includes
Cinnamon Desktop
Firefox (with some default config, bookmarks, etc)
Adobe Flash Player
Tor Browser
VLC Media Player
Evince
EOG
Brasero
Libreoffice
Transmission
Gedit
Gparted
Gnome Terminal
This is the batch file I use to install the system. Three separate files and I put them on a USB and mount it after booting from the USB. The first is the initial set up, the second is for when I am in chroot and the third is for booting into root and setting up the user.
Arch Install Script
These files will be found here shortly: https://archive.org/details/ArchInstallScript
ASS 1
#!/bin/bash
####Arch System Script 1 (ass1)
#This script is designed for a Thinkpad T430 with an Intel 530 120GB SSD
#To mount the USB and run the script issue the commands below
# mkdir /mnt/ass
# mount /dev/sdb1 /mnt/ass
# /mnt/ass/ass1
#Set up the wireless network
wifi-menu
#Set Up Drive
#Create two ext4 partitions in cgdisk (I am working on an sgdisk script)
#Partition 1 should be 20GB
sgdisk --zap-all /dev/sda
cgdisk /dev/sda
#Create the File system
mkfs -t ext4 /dev/sda1
mkfs -t ext4 /dev/sda2
#Mount the first partition
mount /dev/sda1 /mnt
#Install the Base System
pacstrap -i /mnt base base-devel
#Generate an fstab
genfstab -U -p /mnt >> /mnt/etc/fstab
#nano /mnt/etc/fstab
#Chroot
arch-chroot /mnt /bin/bash
ASS 2
#!/bin/bash
####Arch System Script 2 (ass2)
#This script is designed for a Thinkpad T430 with an Intel 530 120GB SSD
#To mount the USB and run the script issue the commands below
# mkdir /mnt/ass
# mount /dev/sdb1 /mnt/ass
# /mnt/ass/ass2
#Set up the wireless network
wifi-menu
#Choose Locale (uncomment en_US.UTF-8 UTF-8)
nano /etc/locale.gen
locale-gen
echo LANG=en_US.UTF-8 > /etc/locale.conf
#Enter Timezone
ln -s /usr/share/zoneinfo/America/New_York /etc/localtime
#Setup hardware clock to UTC
hwclock --systohc --utc
#Setup hostname
echo "enter hostname"
read -r hostname
echo "$hostname" > /etc/hostname
#Add hostname to hosts
nano /etc/hosts
#Create initial ramdisk environment
mkinitcpio -p linux
#Set root password
passwd
#Install some software
pacman -Sy dialog gptfdisk sudo syslinux rsync wpa_supplicant iw
#Install syslinux bootloader
syslinux-install_update -iam
#Fix syslinux.cfg - change /dev/sda3 to /dev/sda1 to
#make sure the system can boot!
nano /boot/syslinux/syslinux.cfg
echo "Now you can exit and reboot!"
exit
ASS3 - This script needs the most work.
#!/bin/bash
####Arch System Script 3 (ass3)
#This script is designed for a Thinkpad T430 with an Intel 530 120GB SSD
#To mount the USB and run the script issue the commands below
# mount /dev/sdb1 /mnt/ass
# /mnt/ass/ass3
#Set up the wireless network
wifi-menu
#Make sure pacman is up to date
pacman -Syy
#Create the User and its password
useradd -m -g users -G audio,lp,optical,storage,video,wheel,games,power,scanner -s /bin/bash user
passwd user
#Add user to root
# Once vi launches use arrow key to scroll to the line:
# # %wheel ALL=(ALL) ALL
#press ‘x’ twice to uncomment the line. Then exit vi (press ESC then “:” then “wq” then press ENTER).
visudo
#Install Software
#XORG
pacman -S xorg-server xorg-server-utils xorg-apps xf86-video-intel xf86-input-synaptics
#Fonts
pacman -S ttf-liberation ttf-dejavu
#Setup autologin
/usr/lib/lightdm/lightdm/lightdm-set-defaults --autologin=user
groupadd autologin
gpasswd -a user autologin
#Install Cinnamon and other desktop utilities
pacman -S cinnamon seahorse gksu acpid faenza-icon-theme
systemctl enable acpid.service
#Install Network Manager
pacman -S network-manager-gnome
systemctl enable NetworkManager
#Install User Software
pacman -S firefox flashplugin tor transmission-gtk vlc evince eog brasero libreoffice-writer libreoffice-calc gedit gparted gnome-terminal
#Setup autologin
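#The drop-in directory does not exist on a fresh install, so create it first
mkdir -p /etc/systemd/system/getty@tty1.service.d
touch /etc/systemd/system/getty@tty1.service.d/autologin.conf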
echo "[Service]" >> /etc/systemd/system/getty@tty1.service.d/autologin.conf
echo "ExecStart=" >> /etc/systemd/system/getty@tty1.service.d/autologin.conf
echo "ExecStart=-/usr/bin/agetty --autologin user --noclear %I 38400 linux" >> /etc/systemd/system/getty@tty1.service.d/autologin.conf
systemctl enable getty@tty1.service
Last edited by kz8rt3 (2014-07-13 18:32:07)
Offline
> 1) Is there some particular reason the hassle of using a rolling-release distribution to create a non-upgradeable system is preferable to just encrypting your disk? Preventing access to a filesystem in the first place is more secure than merely preventing the filesystem from being changed.
> 2) Please forgive me if I presume too much here, but these two quotes taken together:
> > For anti-forensic and security reasons I have been searching how I can create a read only system on my laptop's internal SSD.
> > I am looking to share the system as well...
> ...seem to imply that you don't trust the people you'll be sharing the system with.

Some clarification.
I want the disk to be read only so no data is written to the disk making sure nothing is ever written to the disk so that nothing can ever be recovered. I do not want to save any data to the disk; caches, logs, etc... Even so, a read only system is the best system to share with anyone.
What I meant by sharing the system was sharing the operating system so they can install it themselves.
The system would be upgradeable by simply changing the disk to "rw" temporarily.
Offline
Eh, nevermind.
Last edited by kz8rt3 (2014-07-13 22:27:16)
Offline