Bootstrap shell script for a hygienic sysadmin environment
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
README.md
cleanroom.sh

README.md

cleanroom

Bootstrap shell script for a hygienic sysadmin environment.

See my blog for the reasoning behind it.

Cleanroom initialises a portable minimal XFCE4 desktop with remote administration and editing tools. Specifically :-

  • Safe web browser [Iceweasel] and mail client [Claws]
  • KeePass Password Manager
  • SSH and standard Linux tools
  • OpenVPN and PPTP VPNs
  • Git and SVN clients
  • Windows RDP & VNC client (password authentication only)
  • Smart Cards for SSH
  • Drivers for most laptop hardware

No attempt has been made to provide anonymous browsing or a full working environment. Cleanroom is aimed at server administrators. (There are several good privacy orientated Linux distributions, my favourite is TAILS.)

No functionality has been provided which is not trivially installable from Debian stable. Cleanroom is not a new Linux distribution, it is only a configuration script of standard packages.

The only "clever" bit is that both the browser and email client are sandboxed into their own user accounts. (Malware could be written to break out through the shared desktop, but separate user accounts should significantly complicate any exploitation attempt.)

Get Started

You will need a Debian netinstall ISO, an SD Card (or USB stick, but this is much slower) and an ethernet connection.

  1. Make a base installation to your card/stick with the netinstall ISO. Use the "Guided - Set-up encrypted LVM" option. Install Standard System Tools only.
  2. Examine (I'm just some random guy on the internet) and execute cleanroom.sh as root.
  3. Read the post-boot instructions
  4. Reboot

Known Issues

  • VIA chipset netbooks (e.g. HP2133 MiniNote) freeze up with stock Debian. TAILS and Linux Mint both work - perhaps there are some hardware support packages worth borrowing.

TODO

  • An "inward" facing browser user which is used only for trusted sites, e.g. AWS control panel. Without this using smart cards for both SSH and secure web access would be risky.
  • Debian Wheezy has packages for HTTPS Everywhere and Perspectives, this may be worth pulling in. The other Firefox methods for installing plugins from the command-line do not appear to work with Iceweasel.
  • RDesktop supports smart cards for RDP in later versions. Might be worth pulling a newer version from Debian Wheezy.
  • SELinux is tempting. I have experimented, but the default policies literally stop XFCE4 from booting. There are also many reported issues with VPNs etc. Perhaps someone more experienced could suggest a suitable policy set?
  • GRSecurity is packaged for Debian, but only as a kernel patch. If there is a simple way to install this that would be great.
  • Cleanroom would be (like any other custom boot media) unuseable with computers implementing UEFI secure boot.
  • Leveraging a filtered DNS service to provide belts-and-braces anti-phising protection.