Warning #1 about enabling developer mode Warning #2 about enabling developer mode
- Reboot into recovery - Hold down ESC + refresh (F3) and tap the power button
- Once the screen displays the developer mode warning, press Ctrl+D
- Press enter to confirm - this will factory reset your device and erase all local data
- Chromebook will reboot once, wait 30 seconds, beep twice, and reboot again
- The chromebook will begin erasing data and then reboot a final time
- Once at the sign-in screen, enable legacy BIOS boot: hit CTRL+ALT+F2 to reach the console
- Once at the console:
> chronos
> sudo bash
> crossystem dev_boot_usb=1 dev_boot_legacy=1
> sudo reboot
- Sign in and navigate to crouton
- Download crouton
- Add the crouton chrome extension
- Enter the terminal with CTRL+ALT+T and type the following (the -e switch encrypts the chroot; RECOMMENDED):
> shell
$ sudo sh ~/Downloads/crouton -e -r kali-rolling -t xfce,xiwi
- Once the installation is complete, enter the kali chroot with:
$ sudo enter-chroot -n kali-rolling
or start the desktop session with
$ sudo startxfce4 -n kali-rolling
- Enter the chroot
- Install and initialize tripwire (have site-key and local-key passphrases ready)
$ apt-get install tripwire
$ tripwire --init
$ rm /etc/tripwire/twcfg.txt /etc/tripwire/twpol.txt
- To update the policy (e.g. for files missing from the default rules), regenerate the plaintext policy file and edit it:
$ cd /etc/tripwire
$ twadmin --print-polfile > twpol.txt
- Make edits, e.g.:
$ cat twpol.txt
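#
# Standard Debian Tripwire configuration
#
#
# This configuration covers the contents of all 'Essential: yes'
# packages along with any packages necessary for access to an internet
# or system availability, e.g. name services, mail services, PCMCIA
# support, RAID support, and backup/restore support.
#
#
# Global Variable Definitions
#
# These definitions override those in the configuration file. Do not
# change them unless you understand what you're doing.
#
@@section GLOBAL
TWBIN = /usr/sbin;
TWETC = /etc/tripwire;
TWVAR = /var/lib/tripwire;
#
# File System Definitions
#
@@section FS
#
# First, some variables to make configuration easier
#
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_BIN = $(ReadOnly) ; # Binaries that should not change
SEC_CONFIG = $(Dynamic) ; # Config files that are changed
# infrequently but accessed
# often
SEC_LOG = $(Growing) ; # Files that grow, but that
# should never change ownership
SEC_INVARIANT = +tpug ; # Directories that should never
# change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of
# minimal security impact
SIG_MED = 66 ; # Non-critical files that are of
# significant security impact
SIG_HI = 100 ; # Critical files that are
# significant points of
# vulnerability
#
# Tripwire Binaries
#
(
rulename = "Tripwire Binaries",
severity = $(SIG_HI)
)
{
$(TWBIN)/siggen -> $(SEC_BIN) ;
$(TWBIN)/tripwire -> $(SEC_BIN) ;
$(TWBIN)/twadmin -> $(SEC_BIN) ;
$(TWBIN)/twprint -> $(SEC_BIN) ;
}
#
# Tripwire Data Files - Configuration Files, Policy Files, Keys,
# Reports, Databases
#
# NOTE: We remove the inode attribute because when Tripwire creates a
# backup, it does so by renaming the old file and creating a new one
# (which will have a new inode number). Inode is left turned on for
# keys, which shouldn't ever change.
# NOTE: The first integrity check triggers this rule and each
# integrity check afterward triggers this rule until a database update
# is run, since the database file does not exist before that point.
(
rulename = "Tripwire Data Files",
severity = $(SIG_HI)
)
{
$(TWVAR)/$(HOSTNAME).twd -> $(SEC_CONFIG) -i ;
$(TWETC)/tw.pol -> $(SEC_BIN) -i ;
$(TWETC)/tw.cfg -> $(SEC_BIN) -i ;
$(TWETC)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
$(TWETC)/site.key -> $(SEC_BIN) ;
#don't scan the individual reports
$(TWVAR)/report -> $(SEC_CONFIG) (recurse=0) ;
}
#
# Critical System Boot Files
# These files are critical to a correct system boot.
#
(
rulename = "Critical system boot files",
severity = $(SIG_HI)
)
{
/boot -> $(SEC_CRIT) ;
/lib/modules -> $(SEC_CRIT) ;
}
(
rulename = "Boot Scripts",
severity = $(SIG_HI)
)
{
/etc/init.d -> $(SEC_BIN) ;
/etc/rc0.d -> $(SEC_BIN) ;
/etc/rc1.d -> $(SEC_BIN) ;
/etc/rc2.d -> $(SEC_BIN) ;
/etc/rc3.d -> $(SEC_BIN) ;
/etc/rc4.d -> $(SEC_BIN) ;
/etc/rc5.d -> $(SEC_BIN) ;
/etc/rc6.d -> $(SEC_BIN) ;
}
#
# Critical executables
#
(
rulename = "Root file-system executables",
severity = $(SIG_HI)
)
{
/bin -> $(SEC_BIN) ;
/sbin -> $(SEC_BIN) ;
}
#
# Critical Libraries
#
(
rulename = "Root file-system libraries",
severity = $(SIG_HI)
)
{
/lib -> $(SEC_BIN) ;
}
#
# Login and Privilege Raising Programs
#
# NOTE(review): these two entries use $(SEC_CONFIG), i.e. $(Dynamic),
# which is the mask defined above for files whose content is expected to
# change. Confirm against the Tripwire property masks whether a
# content-only edit to the account database would be reported under this
# rule, or whether a stricter mask (e.g. $(SEC_BIN)) is wanted here.
#
(
rulename = "Security Control",
severity = $(SIG_MED)
)
{
/etc/passwd -> $(SEC_CONFIG) ;
/etc/shadow -> $(SEC_CONFIG) ;
}
#
# These files change every time the system boots
#
# NOTE(review): SEC_LOG ($(Growing)) is defined above but not used by any
# rule; /var/log is checked with $(SEC_CONFIG) here. Whether a shrinking
# or truncated log would be reported depends on that mask -- confirm
# before relying on this rule for log integrity.
#
(
rulename = "System boot changes",
severity = $(SIG_HI)
)
{
/var/lock -> $(SEC_CONFIG) ;
/var/run -> $(SEC_CONFIG) ; # daemon PIDs
/var/log -> $(SEC_CONFIG) ;
}
# These files change the behavior of the root account
(
rulename = "Root config files",
severity = $(SIG_HI) # same value as the literal 100 used previously
)
{
/root -> $(SEC_CRIT) ; # Catch all additions to /root
#/root/mail -> $(SEC_CONFIG) ;
#/root/Mail -> $(SEC_CONFIG) ;
#/root/.xsession-errors -> $(SEC_CONFIG) ;
#/root/.xauth -> $(SEC_CONFIG) ;
#/root/.tcshrc -> $(SEC_CONFIG) ;
#/root/.sawfish -> $(SEC_CONFIG) ;
#/root/.pinerc -> $(SEC_CONFIG) ;
#/root/.mc -> $(SEC_CONFIG) ;
#/root/.gnome_private -> $(SEC_CONFIG) ;
#/root/.gnome-desktop -> $(SEC_CONFIG) ;
#/root/.gnome -> $(SEC_CONFIG) ;
#/root/.esd_auth -> $(SEC_CONFIG) ;
#/root/.elm -> $(SEC_CONFIG) ;
#/root/.cshrc -> $(SEC_CONFIG) ;
/root/.bashrc -> $(SEC_CONFIG) ;
#/root/.bash_profile -> $(SEC_CONFIG) ;
#/root/.bash_logout -> $(SEC_CONFIG) ;
#/root/.bash_history -> $(SEC_CONFIG) ;
#/root/.amandahosts -> $(SEC_CONFIG) ;
#/root/.addressbook.lu -> $(SEC_CONFIG) ;
#/root/.addressbook -> $(SEC_CONFIG) ;
#/root/.Xresources -> $(SEC_CONFIG) ;
#/root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login
#/root/.ICEauthority -> $(SEC_CONFIG) ;
}
#
# Critical devices
#
(
rulename = "Devices & Kernel information",
severity = $(SIG_HI),
)
{
/dev -> $(Device) ;
#/proc -> $(Device) ;
/proc/acpi -> $(Device) ;
/proc/asound -> $(Device) ;
/proc/buddyinfo -> $(Device) ;
/proc/bus -> $(Device) ;
/proc/cgroups -> $(Device) ;
/proc/cmdline -> $(Device) ;
/proc/consoles -> $(Device) ;
/proc/cpuinfo -> $(Device) ;
/proc/crypto -> $(Device) ;
/proc/devices -> $(Device) ;
/proc/diskstats -> $(Device) ;
/proc/dma -> $(Device) ;
/proc/driver -> $(Device) ;
/proc/execdomains -> $(Device) ;
/proc/fb -> $(Device) ;
/proc/filesystems -> $(Device) ;
/proc/fs -> $(Device) ;
/proc/interrupts -> $(Device) ;
/proc/iomem -> $(Device) ;
/proc/ioports -> $(Device) ;
/proc/irq -> $(Device) ;
/proc/kallsyms -> $(Device) ;
/proc/kcore -> $(Device) ;
/proc/key-users -> $(Device) ;
/proc/keys -> $(Device) ;
/proc/kmsg -> $(Device) ;
/proc/kpagecount -> $(Device) ;
/proc/kpageflags -> $(Device) ;
/proc/loadavg -> $(Device) ;
/proc/locks -> $(Device) ;
/proc/meminfo -> $(Device) ;
/proc/misc -> $(Device) ;
/proc/modules -> $(Device) ;
/proc/mounts -> $(Device) ;
/proc/mtrr -> $(Device) ;
/proc/net -> $(Device) ;
/proc/pagetypeinfo -> $(Device) ;
/proc/partitions -> $(Device) ;
/proc/sched_debug -> $(Device) ;
/proc/schedstat -> $(Device) ;
/proc/scsi -> $(Device) ;
/proc/self -> $(Device) ;
/proc/slabinfo -> $(Device) ;
/proc/softirqs -> $(Device) ;
/proc/stat -> $(Device) ;
/proc/swaps -> $(Device) ;
/proc/sys -> $(Device) ;
/proc/sysrq-trigger -> $(Device) ;
/proc/sysvipc -> $(Device) ;
/proc/timer_list -> $(Device) ;
/proc/timer_stats -> $(Device) ;
/proc/tty -> $(Device) ;
/proc/uptime -> $(Device) ;
/proc/version -> $(Device) ;
/proc/vmallocinfo -> $(Device) ;
/proc/vmstat -> $(Device) ;
/proc/zoneinfo -> $(Device) ;
}
#
# Other configuration files
#
(
rulename = "Other configuration files",
severity = $(SIG_MED)
)
{
/etc -> $(SEC_BIN) ;
}
#
# Binaries
#
(
rulename = "Other binaries",
severity = $(SIG_MED)
)
{
/usr/local/sbin -> $(SEC_BIN) ;
/usr/local/bin -> $(SEC_BIN) ;
/usr/sbin -> $(SEC_BIN) ;
/usr/bin -> $(SEC_BIN) ;
}
#
# Libraries
#
(
rulename = "Other libraries",
severity = $(SIG_MED)
)
{
/usr/local/lib -> $(SEC_BIN) ;
/usr/lib -> $(SEC_BIN) ;
}
#
# Commonly accessed directories that should remain static with regards
# to owner and group
#
(
rulename = "Invariant Directories",
severity = $(SIG_MED)
)
{
/ -> $(SEC_INVARIANT) (recurse = 0) ;
/home -> $(SEC_INVARIANT) (recurse = 0) ;
/tmp -> $(SEC_INVARIANT) (recurse = 0) ;
/usr -> $(SEC_INVARIANT) (recurse = 0) ;
#/var -> $(SEC_INVARIANT) (recurse = 0) ;
#/var/tmp -> $(SEC_INVARIANT) (recurse = 0) ;
}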
- Re-sign the policy file and re-init the database
$ twadmin --create-polfile --cfgfile /etc/tripwire/tw.cfg --site-keyfile ./site.key /etc/tripwire/twpol.txt
$ tripwire --init
$ rm twpol.txt
- Run tripwire
$ tripwire --check
- List the current iptables rules
$ iptables -L -v
$ ip6tables -L -v
- Flush the existing rules (examples)
$ iptables -t nat -F
$ iptables -t mangle -F
$ iptables -F
$ iptables -X
$ ip6tables -F
- Set default policies
$ iptables -P INPUT DROP
$ iptables -P OUTPUT DROP
$ iptables -P FORWARD DROP
- Allow localhost (if you need it)
$ iptables -A INPUT -i lo -j ACCEPT
$ iptables -A OUTPUT -o lo -j ACCEPT
- Append rules (DNS, HTTP, HTTPS)
$ iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o wlan0 -p udp -m udp --dport 53 -j ACCEPT
$ iptables -A OUTPUT -o wlan0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
$ iptables -A OUTPUT -o wlan0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
- Save the tables (iptables-save only prints the ruleset to stdout; redirect it to a file to keep it)
$ /sbin/iptables-save
- Enable reverse-path filtering to drop spoofed packets
- If the network is not yet up:
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
- If the network is up:
$ vi /etc/sysctl.conf
net.ipv4.conf.all.rp_filter = 1
$ sysctl -p
- Consider an application-level firewall as well