Safe reinstall of Sysresc on USB stick that was exposed online

Post questions about how to make a customized SystemRescueCd, and if you have problems installing new packages. Please read the handbook first.
tryngf
Posts: 6
Joined: 12 Aug 2013, 09:38

Post by tryngf » 21 Apr 2014, 02:34

Safe reinstall of Sysresc on USB stick that was exposed online
==============================================================
I am currently researching:
Air-gapped Gentoo install, Tentative
https://forums.gentoo.org/viewtopic-p-7524170.html

I tried installing with Gentoo Live CD, but I figured out soon that I would be
much better off with System Rescue CD. Have just a few peeves with Sysresc, but
the benefits are overwhelming.

This is my way of cleaning a USB stick that was mounted on a system that is
exposed online, and which can, by means of USB, then introduce means of
intrusion/attack/you name it into the offline network, and, sure, into my
air-gapped-to-remain Gentoo which I am building.

I can't mount and execute the usb_inst.sh script below on any of my Grsecurity
protected systems; that is one of the drawbacks of Grsecurity, but, as with
Sysresc, with Grsec the benefits are overwhelming.

But I can use a method on any system, even if it has nothing installed on
it (I only have to be able to access the Sysresc ISO from that system), to
probably clean reinstall Sysresc onto the USB stick from that system.

It is simply a matter of booting, surely with the parameter docache given on
the command line, which completely (I'm writing for beginners newer in
GNU/Linux than me, bear with me, advanced people) liberates the USB device from
any tasks. All the Sysresc, once booted, is in RAM.

And then, find which device it is, and if on that system you have, say, just
one HDD, then it will be /dev/sdb which is the USB stick.

###########################################################################
WARNING: Do not do this if you don't understand. If you do this on the wrong
device, you could zero out that other wrong device, such as your (only/one of
the) HDD(s) in that machine!
###########################################################################

So:

dd if=/dev/zero of=/dev/sdX


That can take a long time.

But during that time, you can prepare and mount the known-good ISO (checked by its
sum), so when the zeroing is done, you can proceed with reinstalling Sysresc
onto the zeroed-clean USB.

Surely, /mnt/somewhere/ below is the mounted device such as a partition on your
HDD where you have the systemrescuecd-x86-4.2.0-beta001.iso (or some
other/later Sysresc).

losetup -f

Tells you which first loop device is free.

losetup /dev/loop1  /mnt/somewhere/systemrescuecd-x86-4.2.0-beta001.iso

That is not yet mounting it, no!

Because I also like to mount ISOs or dd device dumps and such read-only. The
safest way I found to do that is setting them up on a loop device (such as the
line above), and now, crucially:

blockdev --setro /dev/loop1

That sets that device ro, "set ro".
And sure, it's good to check:

blockdev --getro /dev/loop1

(get ro, get if the status is ro)

Must return "1". Else, if it is "0", it is not mounted read-only. Meaning, next
time you check the checksum of the ISO, it may not be the same. I know for my
dd-dumps it happened not to remain the same as it previously was, if I didn't
succeed in mounting them ro.

mount /dev/loop1  /mnt/S

S is for Sysresc

ls -l /mnt/S

[email protected] /mnt/S % ls -l /mnt/S/
total 273733
drwxrwxr-x 1 root root      2048 Jan 26  2013 boot
drwxr-xr-x 1 root root      2048 Oct 20 15:18 bootdisk
drwxr-xr-x 1 root root      2048 Dec 31  2012 bootprog
drwxr-xr-x 1 root root      2048 Mar 12 07:36 efi
drwxrwxr-x 1 root root      4096 Mar 12 07:36 isolinux
drwxr-xr-x 1 root root      2048 Feb 14 20:17 ntpasswd
-rw-rw-r-- 1 root root      2349 Jan 26  2013 readme.txt
-rw-r--r-- 1 root root 280264704 Mar 12 07:36 sysrcd.dat
-rw-r--r-- 1 root root        45 Mar 12 07:36 sysrcd.md5
drwxr-xr-x 1 root root      2048 Dec 31  2012 usb_inst
-rwxr-xr-x 1 root root     15889 Mar 24  2013 usb_inst.sh
-rw-rw-r-- 1 root root       877 Jan 26  2013 usbstick.htm
-rw-r--r-- 1 root root        14 Mar 12 07:36 version
[email protected] /mnt/S %

That's the regular listing of this Sysresc dir.

cd  /mnt/S/
./usb_inst.sh


You can see there the USB stick you are getting ready to reinstall. But don't
do it yet, if it isn't finished being zeroed!

Since all this while the USB stick itself was/is still being zeroed with:

dd if=/dev/zero of=/dev/sdX


And the zeroing is finally done.

Now you can check that device in the interface that presented itself to you
when you issued the command ./usb_inst.sh, and it will be clean installed from
the verified source.

I know that Sysresc on that USB stick that was exposed online, esp. if,
say, the attacker knows that you would use this method, could already in theory
have been adapted to surmount even this barrier of this method.

And so the real solution is having a Sysresc CD/USB stick offline all the time, and using only it for this reinstall.

I know this is, nevertheless, even in the most perfect of ways, not an insurmountable
defence against some (surely those products exist) retail Stuxnet variants, cheaper
editions for small regimes such as the neocommie clique currently in power in my
country, but reinstalling from a Sysresc that was mounted on a system exposed
online is sooo much less safe yet!

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
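The loop-device part of the procedure above (losetup, blockdev --setro, the --getro check, mount), wrapped into a script that refuses to mount unless the ISO's checksum matches and the loop device really reports read-only. This is an added example, not the poster's script or part of SystemRescueCd; it assumes sha256sum is used for the "checked by its sum" step, that the expected digest is passed in by the caller, and that it runs as root.

```shell
#!/bin/sh
# Added example: attach a verified ISO to a loop device read-only, as in
# the post, but abort if the checksum or the read-only flag is wrong.
# Assumptions: sha256 is the chosen checksum; losetup/blockdev/mount need root.
set -eu

# Compare a file's sha256 with the expected digest; returns 0 on match.
verify_sum() {  # $1 = file, $2 = expected sha256 (hex)
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Interpret the output of `blockdev --getro`: only "1" means read-only.
is_ro() {  # $1 = output of blockdev --getro
    [ "$1" = "1" ]
}

# Attach the ISO to the first free loop device (losetup -f + losetup dev iso
# in one step), set it read-only, verify that, then mount it read-only.
attach_iso_ro() {  # $1 = iso path, $2 = mount point
    dev=$(losetup -f --show "$1")
    blockdev --setro "$dev"
    if ! is_ro "$(blockdev --getro "$dev")"; then
        echo "$dev did not become read-only, detaching" >&2
        losetup -d "$dev"
        return 1
    fi
    mount -o ro "$dev" "$2"
    echo "$dev"   # print the loop device so it can be detached later
}

main() {  # $1 = iso, $2 = expected sha256, $3 = mount point (e.g. /mnt/S)
    verify_sum "$1" "$2" || { echo "checksum mismatch for $1" >&2; return 1; }
    attach_iso_ro "$1" "$3"
}

# Usage: ./mount_iso_ro.sh /mnt/somewhere/sysresc.iso <sha256> /mnt/S
if [ $# -ge 3 ]; then
    main "$@"
fi
```

Run usb_inst.sh from the mount point only after the script printed a loop device; the zeroing of the stick itself is still the separate dd step from the post.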
