{{Header}} {{hide_all_banners}} {{Title|
title=Install {{project_name_long}} inside Debian
}}
{{#seo:
|description={{project_name_short}} can be installed on top of an existing Debian installation.
|image=Download-debian.jpg
}}
[[File:Download-debian.jpg|thumb]]
{{intro|
An existing Debian version <code>{{Stable project version based on Debian version short}}</code> (codename: <code>{{Stable project version based on Debian codename}}</code>) installation can be converted into [[About|{{project_name_short}}]] by installing a {{project_name_short}} deb package. This procedure is also called [[Distribution_Morphing|distro-morphing]].
}}
= Introduction =
There are two options to install {{project_name_short}}. Choose one.
* '''A)''' (Easier) '''Download:''' Use the [[ISO]] or a different installation option from the [[Download]] page. In that case, you can stop reading this wiki page. <u>or</u>
* '''B)''' (Advanced) '''Distribution morphing method:''' See below.
= Distribution Morphing Introduction =
To increase the chances of success, it is best to start with a minimal Debian <u>installation</u>, either:
* '''A)''' Debian {{gui}} (<u>LXQt</u>); <u>or</u>
* '''B)''' Debian {{cli}}
and then install a {{project_name_short}} meta package as documented below.
It is easiest to set the Linux user account name to <code>user</code> during the installation of Debian <code>{{Stable project version based on Debian codename}}</code>.
<u>Debian Live sessions:</u> Distribution morphing a Debian Live ISO is unnecessary and [[unsupported]]. Use Kicksecure [[ISO]] instead. <ref>
Debian Live ISO (live session) is unnecessary and [[unsupported]]. Reasons:
* All changes will be lost on reboot.
* We already offer a live Kicksecure [[ISO]].
* None of the [[security-misc]] kernel hardening options will be enabled, and they can't be enabled, because that would require a reboot which will discard everything.
* permission-hardener doesn't expect anything under /usr to be read-only.
Use Kicksecure [[ISO]] instead.
</ref>
= Warnings =
* '''SSH configuration:''' In Kicksecure 18 and higher, SSH client and server configuration will be hardened when morphing Debian to Kicksecure. Among other things, this will prevent the use of insecure cryptography and login methods. If morphing a system that is running an SSH server, the system may no longer be accessible over SSH after morphing due to the modified configuration. Arrange for some other means of accessing the machine for reconfiguration if this is a problem.
= Distribution Morphing versus ISO - Differences =
There are some specifics about distro-morphing of which the user should be aware.
* '''No creation of usable accounts for the user:''' Neither Linux user account <code>user</code> nor <code>sysmaint</code> will be created. <ref>
{{Github_link|
https://github.com/Kicksecure/dist-base-files/blob/master/debian/dist-base-files.postinst
}}
</ref> The user can continue to use their already existing user account(s).
* '''No default user-sysmaint-split:''' <code>user-sysmaint-split</code> is not installed by default but can be installed later by the user according to the [[sysmaint|<code>user-sysmaint-split</code> documentation]].
* '''No password changes:''' No passwords for any already existing user accounts will be modified. The user can continue to use their already existing passwords. This means passwords for [[Full Disk Encryption]] (pre-boot authentication), <code>sudo</code>, <code>su</code>, [[Login]], etc. will remain the same.
* '''No root account locking:''' The password of the root account will not be locked. The user can manually [[Root#Disable_Root_Account|Disable Root Account]] for better security.
* '''No user account settings changes:''' Any user account settings will remain unchanged.
* '''No user account shell changes:''' The user's default [[shell]] will remain the same.
* '''Autologin:''' Autologin will not be enabled by default. Autologin can be enabled with [[Login#Automatic_Autologin_Configuration|autologinchange]].
* '''Swap / mount / fstab related:''' Swap partition / swap files, mounts, <code>/etc/fstab</code> set up by Debian installer or the user are <u>not</u> disabled or modified during distribution morphing. This might be a concern for users interested in non-persistent [[Live Mode|live mode]].
* '''Desktop environment related:''' For GNOME, KDE, Xfce, LXDE, and any desktop environment other than the current desktop environment Kicksecure is based on (which is LXQt at the time of writing), see [[Other_Desktop_Environments|Other Desktop Environments]].
* [[tirdad]]
= Prerequisites =
{{Prerequisites}}
= Installation =
== Add the {{project_name_short}} Repository ==
{{Project-APT-Repository-Add}}
== Install the {{project_name_short}} Package ==
GUI: Installs the LXQt graphical desktop environment ({{gui}}), default applications and {{cli}}. This is useful if Debian was installed without a graphical desktop environment and you want the {{project_name_short}} graphical desktop environment (LXQt).
CLI: This does not change your graphical desktop environment. This package provides better kernel hardening, improved entropy, and [[About#Hardening_by_Default|other security features]].
{{IconSet|h1|1}} Update your package lists.
{{CodeSelect|code=
sudo apt update
}}
{{IconSet|h1|2}} Install a {{project_name_short}} meta package.
Select a version.
{{meta_package_installation}}
{{IconSet|h1|3}} Troubleshooting (optional).
Only if you run into issues, see the footnote. <ref>
If <code>apt</code> returns an error about <code>console-common</code> when installing the Kicksecure package, install <code>console-common</code> first:
<code>sudo apt install console-common</code>
Then try installing the Kicksecure package again. Meta package installation has been completed. Please proceed with the post-installation steps below.
</ref> Otherwise, proceed to the next step.
{{IconSet|h1|4}} Next.
== Install mokutil ==
<code>mokutil</code> is a utility for managing Machine Owner Keys. These keys are used to allow non-mainline kernel modules to work even if Secure Boot is enabled. The <code>mokutil</code> package in Debian is not available for all CPU architectures, and thus cannot be depended upon by {{project_name_short}}'s packages. It has to be installed separately.
Notes:
* If the installation fails with the message <code>Error: Unable to locate package mokutil</code>, it is most likely not available for your system's CPU architecture. You may skip installing <code>mokutil</code> if this is the case.
* See also [[Secure Boot]].
{{Install Package|package=
mokutil
}}
== Install tirdad ==
[https://github.com/Kicksecure/tirdad <code>tirdad</code>] is a Linux kernel module that increases the system's security when using TCP network connections. It randomizes TCP Initial Sequence Numbers (ISNs) to prevent data leakage. Installing <code>tirdad</code> will install a Linux kernel, which is undesirable in containers, so <code>tirdad</code> cannot be depended upon by {{project_name_short}}'s metapackages. It has to be installed separately.
Notes:
* <u>Optional.</u> If you are installing {{project_name_short}} into a container, you may skip this step.
{{Install Package|package=
tirdad
}}
== Post-Installation ==
{{Box|text=
{{IconSet|h1|1}} Enable the <code>/etc/apt/sources.list.d/derivative.sources</code> {{project_name_short}} APT repository.
This can be done using the [[Project-APT-Repository|{{project_name_short}} repository tool]].
There are two options. Choose one:
* '''A)''' <u>CLI:</u> {{CodeSelect|inline=true|code=
sudo repository-dist --enable --repository stable
}}, <u>or</u>
* '''B)''' <u>GUI:</u> <code>Start Menu</code> → <code>System</code> → <code>Derivative Repository</code> → <code>choose either "Stable", "Stable Proposed Updates", "Testers", or "Developers" repository</code>
See the tool's wiki page for more detailed documentation if needed.
{{IconSet|h1|2}} Disable the extrepo <code>{{project_name_short_lowercase}}</code> APT repository.
This is only needed if the user chose the extrepo signing key adding method above.
This is to avoid a duplicate {{project_name_short}} repository.
{{CodeSelect|lang=bash|code=
sudo extrepo disable {{project_name_short_lowercase}}
}}
{{IconSet|h1|3}} Check APT sources.
Check if some APT sources in <code>/etc/apt/sources.list</code> should be kept.
Move the original <code>/etc/apt/sources.list</code> file out of the way (or delete it) because it is replaced by {{project_name_short}}'s <code>/etc/apt/sources.list.d/debian.sources</code>.
{{CodeSelect|lang=bash|code=
sudo mv /etc/apt/sources.list ~/
}}
{{IconSet|h1|4}} Create an empty <code>/etc/apt/sources.list</code> file.
{{CodeSelect|lang=bash|code=
sudo touch /etc/apt/sources.list
}}
{{IconSet|h1|5}} Add your Linux account user name to group <code>privleap</code>.
<u>Note:</u> Replace account <code>user</code> with your actual user name.
{{CodeSelect|lang=bash|code=
sudo /usr/sbin/adduser user privleap
}}
{{IconSet|h1|6}} ''Optional:'' Set the onionized Debian repositories.
If onion repository sources are preferred, follow these {{whonix_wiki
|wikipage=Onionizing_Repositories#Onionize_debian.sources
|text=Debian onion repositories instructions
}}.
{{IconSet|h1|7}} Done.
The {{project_name_short}} installation is complete.
}}
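A check for the state the post-installation steps above should leave behind, as an added example that is not part of the {{project_name_short}} documentation or tooling. The function name <code>check_morph</code> and its root-prefix parameter are assumptions made for illustration; the file paths and the <code>privleap</code> group are the ones named in the steps.

```shell
#!/bin/sh
# Added example (not project code): audit the result of the post-installation steps.
# check_morph ROOT USER
#   ROOT is a hypothetical prefix so the check can run against a test tree;
#   on an installed system use:  check_morph / "$(id -un)"

check_morph() {
    root=${1%/}; user=$2; rc=0
    apt_dir="$root/etc/apt"

    # Steps 1 and 3: both repository files named on this page must exist.
    for f in derivative.sources debian.sources; do
        if [ ! -f "$apt_dir/sources.list.d/$f" ]; then
            echo "FAIL: missing $apt_dir/sources.list.d/$f"; rc=1
        fi
    done

    # Steps 3 and 4: sources.list must exist but carry no active entries,
    # otherwise the Debian repositories would be configured twice.
    if [ ! -f "$apt_dir/sources.list" ]; then
        echo "FAIL: $apt_dir/sources.list does not exist"; rc=1
    elif grep -Eq '^[[:space:]]*deb(-src)?[[:space:]]' "$apt_dir/sources.list"; then
        echo "FAIL: $apt_dir/sources.list still has active entries"; rc=1
    fi

    # Step 5: the account must be a supplementary member of group privleap
    # (field 4 of the group file, which is what adduser USER GROUP edits).
    members=$(awk -F: '$1 == "privleap" { print $4 }' "$root/etc/group" 2>/dev/null || true)
    case ",$members," in
        *",$user,"*) ;;
        *) echo "FAIL: $user is not in group privleap"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: post-installation state looks complete"
    return "$rc"
}
```

Commented-out lines in <code>/etc/apt/sources.list</code> are accepted; only active <code>deb</code> or <code>deb-src</code> entries are reported.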
= Footnotes =
<references />
{{Footer}}
[[Category:Documentation]]