1. Type in terminal:
wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-12.4.0-amd64-netinst.iso
2. Subsequently, transfer the data onto a USB flash drive:
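lsblk
# Identify the USB stick (sdb here) and note the mount point of its partition sdb1 for the next line.
sudo umount /media/user/000E-0C00
lsblk
# Check sdb1 again: it should no longer show a mount point.
# Write the image to the whole device (/dev/sdb), not to the partition (/dev/sdb1); an image written into a partition will not boot.
sudo dd if=debian-12.4.0-amd64-netinst.iso of=/dev/sdb bs=8M status=progress
# Enter your password when sudo prompts for it.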
One may utilise tools such as BalenaEtcher to perform a similar operation from an alternative OS such as Windows.
3. To proceed, it is necessary to access the BIOS. Subsequently, navigate to the Boot selection menu to designate the USB key as the boot device. Within the BIOS settings, adjust the OS Type to 'Other OS', set Launch CSM to 'Auto', and select the boot device as 'UEFI: Patriot Memory PMAP'. Following this, choose the USB key with the Linux image for booting. Proceed with the graphical installation process, ensuring that the host OS is installed on the preferred encrypted LUKS-enabled hard drive. Once installed, configure a desktop environment such as Cinnamon. Upon completion of the installation, reboot the system without the USB key to initiate a clean boot into the host OS.
4. HOST OS HARDENING. While operating within our host OS, let us undertake a series of fundamental measures to fortify its security:
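# Become root, since sudo is not installed yet.
su -
# Bring the system up to date, then install sudo, adduser, curl and the Tor packages.
apt update ; apt full-upgrade ; apt install --no-install-recommends sudo adduser curl apt-transport-tor tor torsocks
# Add the user to the sudo group ("nothing" is the account name used in this guide).
usermod -aG sudo nothing
# Back in the user session, confirm that sudo works.
sudo apt update -y ; sudo apt full-upgrade -y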
Subsequently, it's imperative to ensure that unattended upgrades are enabled, facilitating the automatic execution of minor package updates by the system:
sudo apt install unattended-upgrades apt-listchanges -y
sudo dpkg-reconfigure -plow unattended-upgrades
When prompted "Automatically download and install stable updates?" select "<Yes>".
Subsequently, we shall proceed to eliminate unnecessary components from our Host OS. Primarily, we will focus on removing all system and kernel logs from the system:
su -
crontab -e # run it as the root user!
chmod +x startup.sh
vim /etc/sysctl.conf
cat /etc/sysctl.conf | grep printk
In this manner, we are ensuring meticulous clearance of log files and kernel output.
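Step 1 fetches the installer image with wget and step 2 writes it straight to the USB stick, with no integrity check in between. The shell function below is an added example, not part of the original post, that checks the image against the SHA512SUMS file Debian publishes in the same directory as the ISO; the name verify_iso and the stand-in file used in the demo are constructed for illustration.

```sh
#!/bin/sh
# Added example: check a downloaded installer image against SHA512SUMS
# before running dd. verify_iso is a name chosen for this example.
# SHA512SUMS only proves integrity if it is authentic itself; check its
# detached signature first:  gpg --verify SHA512SUMS.sign SHA512SUMS

# verify_iso ISO SUMS
#   0 = digest matches the entry for ISO's file name
#   1 = digest differs (corrupted or tampered download)
#   2 = unreadable input, or no single well-formed entry for that name
verify_iso() {
    vi_iso=$1; vi_sums=$2
    [ -r "$vi_iso" ] && [ -r "$vi_sums" ] || return 2
    vi_name=$(basename -- "$vi_iso")
    # Lines look like "<128 hex digits>  <name>" ("*<name>" in binary mode).
    # Compare the name as an exact string so nothing in it acts as a pattern.
    vi_want=$(awk -v f="$vi_name" \
        '$2 == f || $2 == "*" f { print tolower($1) }' "$vi_sums")
    # Empty, duplicated (contains a newline) or non-hex entries are rejected.
    case $vi_want in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#vi_want}" -eq 128 ] || return 2
    vi_have=$(sha512sum -- "$vi_iso" | awk '{ print $1 }')
    [ "$vi_have" = "$vi_want" ] || return 1
}

# Demo on constructed data: a small stand-in file plays the role of the ISO.
demo() {
    d=$(mktemp -d) || return 1
    f=$d/debian-12.4.0-amd64-netinst.iso
    printf 'constructed stand-in for the installer image\n' > "$f"
    ( cd "$d" && sha512sum "${f##*/}" > SHA512SUMS )
    verify_iso "$f" "$d/SHA512SUMS" && echo "match: image may be written"
    printf 'x' >> "$f"    # simulate a corrupted or modified download
    verify_iso "$f" "$d/SHA512SUMS" || echo "rc=$?: do not write this image"
    rm -rf "$d"
}
demo
```

In real use, download SHA512SUMS and SHA512SUMS.sign from the same directory as the ISO, call `verify_iso debian-12.4.0-amd64-netinst.iso SHA512SUMS`, and continue to the dd step only on exit status 0.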