This repository contains the Live-Armor Guide, a guide to building custom Linux live images for security sandboxing using tools from the Debian Live Systems project and Grsecurity.

The `live-build` directory contains an example configuration for Debian `live-build` that can be used as a starting point for building a custom live image. This configuration is based on the one covered in the Guide.
- Install live-build 5.0.
- Create an empty directory that will contain your live image configuration and build data.
- Change to your live image directory and run:

  ```
  lb config
  ```

- Copy the `live-build/config` tree of this repository into the `config` subdirectory that `lb config` just created, for example by using `cp -r`.
- Edit `config/binary` and add the `union=overlay` and optionally `live-config.noroot` kernel boot parameters to the `LB_BOOTAPPEND_LIVE` and `LB_BOOTAPPEND_LIVE_FAILSAFE` variables.
  - If you added `live-config.noroot` to disable sudo, choose your root password by running `mkpasswd` (part of the whois package) and replace the argument to `usermod -p` in `config/hooks/0510-root-password.hook.chroot` with the output of `mkpasswd`.
  - If you did not add `live-config.noroot` and are therefore using the default unprotected sudo access method, delete `config/hooks/0510-root-password.hook.chroot`.
  - Note: The default login credentials are username `user` and password `live`.
- Edit `config/chroot` and change `LB_UNION_FILESYSTEM="aufs"` to `LB_UNION_FILESYSTEM="overlay"`.
- Inspect the list of custom packages in `config/package-lists/my.list.chroot` and make any desired changes.
- Add `.deb` package files to the `config/packages.chroot` directory:
  - Your custom live system kernel package, with a name that begins with `linux-image`. See the Guide for instructions on configuring and building a custom kernel.
  - `live-boot` and `live-boot-initramfs-tools` packages patched for OverlayFS support. See the Guide for instructions.
  - `live-config` and `live-config-systemd` package versions that match the `live-boot` version, for example from Debian `experimental`.
- Re-run `lb config`.
- Build your live image:

  ```
  lb build 2>&1 | tee build.log
  ```
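The `config/binary` and `config/chroot` edits from the steps above are easy to get subtly wrong (a missing parameter in the failsafe entry, or an aufs setting left in place), so here is an added POSIX shell script, not part of the Live-Armor repository, that applies and verifies them. It assumes GNU sed (as on Debian) and a live image directory in which `lb config` has already been run and the `config` tree copied; the root password hook is left for you to edit by hand as described above.

```shell
#!/bin/sh
# Added example, not part of the Live-Armor repository: script the
# config/binary and config/chroot edits for OverlayFS and noroot.
# Assumes GNU sed and a live-build tree at "$dir/config".
set -eu

# Append kernel boot parameters to one LB_BOOTAPPEND_* variable, handling
# both an empty value ("") and an existing one; no-op if already present.
add_boot_params() {
    var="$1"; file="$2"; params="$3"
    if grep -q "^${var}=\".*${params}" "$file"; then
        return 0
    fi
    # First substitution handles VAR=""; 't' then skips the second one.
    sed -i -e "s|^\(${var}=\)\"\"\$|\1\"${params}\"|;t" \
           -e "s|^\(${var}=\"[^\"][^\"]*\)\"\$|\1 ${params}\"|" "$file"
}

# Switch the union filesystem from aufs to OverlayFS in config/chroot.
set_overlay_union() {
    sed -i 's|^LB_UNION_FILESYSTEM="aufs"$|LB_UNION_FILESYSTEM="overlay"|' "$1"
}

# Apply all edits to the live image directory "$1" with boot params "$2".
prepare_overlay_config() {
    dir="$1"; params="$2"
    add_boot_params LB_BOOTAPPEND_LIVE          "$dir/config/binary" "$params"
    add_boot_params LB_BOOTAPPEND_LIVE_FAILSAFE "$dir/config/binary" "$params"
    set_overlay_union "$dir/config/chroot"
}

# Succeeds only when both files carry the expected settings.
check_overlay_config() {
    dir="$1"
    grep -q '^LB_BOOTAPPEND_LIVE=".*union=overlay' "$dir/config/binary" || return 1
    grep -q '^LB_BOOTAPPEND_LIVE_FAILSAFE=".*union=overlay' "$dir/config/binary" || return 1
    grep -qx 'LB_UNION_FILESYSTEM="overlay"' "$dir/config/chroot" || return 1
}

# Real files are only edited when run as: sh prepare-overlay.sh apply [dir]
if [ "${1:-}" = "apply" ]; then
    prepare_overlay_config "${2:-.}" "union=overlay live-config.noroot"
    check_overlay_config "${2:-.}" && echo "config updated; now re-run 'lb config'"
fi
```

Drop `live-config.noroot` from the `apply` line if you want to keep the default sudo access method.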
This configuration has been tested with the following software versions:
- Debian jessie
- Linux kernel version 3.18.x
- live-build 5.0a3
- live-boot and live-config 5.0a1, with live-boot patched for OverlayFS support
- QEMU 2.1