prevent access to internal harddisk of the PC

Technical issues/questions of an intermediate or advanced nature.
user0815
White ninja
Posts: 12
Joined: 22 Jan 2019, 11:46
Distribution: CINNAMON-v4.0-x86_64

prevent access to internal harddisk of the PC

Post#1 by user0815 » 02 Feb 2019, 17:31

Dear All,
Can someone please advise how to completely deny access to the built-in hard disk of the computer? I tried the cheat code nohd, but I believe this code just leaves the hard disk unmounted. GParted still has access to the hard disk when opened. When working in an insecure environment, I want to leave the hard disk completely "untouched", so no malware can be loaded from/to the hard disk. It should work similar to the Bankix project from the c't magazine https://heise.de/-284099, sorry that it is available only in German. Does anyone know a good way to do it? Thanks.

AcnapyxoB
White ninja
Posts: 13
Joined: 24 Dec 2014, 10:15
Distribution: 4.0 XFCE x64
Location: Bulgaria

Re: prevent access to internal harddisk of the PC

Post#2 by AcnapyxoB » 02 Feb 2019, 17:38

Try with noauto cheatcode.

Rava
Contributor
Posts: 2024
Joined: 11 Jan 2011, 02:46
Distribution: Porteus 4.0 x86-64 XFCe
Location: Forests of Germany

Re: prevent access to internal harddisk of the PC

Post#3 by Rava » 03 Feb 2019, 00:23

https://www.heise.de/ct/artikel/Sichere ... 84099.html says
We recommend installing c't Bankix using UNetbootin on a USB stick with a write-protect switch or on an SD memory card; with SD cards in particular it is essential to verify the write protection, since its function depends solely on the card reader used. Alternatively, you can burn the ISO image to a DVD
I presume you are not bothered by that issue named in the above quote? Especially the one that you have to make sure the read-only switch on an SD card depends on the card reader alone and is not a hardware switch that really sets the card itself into a read-only, no-writing mode?
The c't Bankix project has been discontinued
c't Bankix was a live Linux operating system derived from Ubuntu, designed specifically for secure online banking. It was developed and supported from mid-2008 to 2016; more detailed information on the end of the project can be found in the comments.
So, it is no longer maintained since mid-2016.

I know of the antivirus / virus-scan CDs or DVDs c't packed with some special antivirus / virus-scan magazines for some time; these they have not been able to offer without the magazine due to the restrictive licenses of some of the virus scanners provided.

But I presume there should be no such issues with Bankix. Do you know of a source where one could download the most recent Bankix? At least when we have one to test, we might figure out if this system differs from Porteus when started with the cheatcode "noauto nohd".
_____________________________________________

Then again, the article states explicitly
The most important security feature is that the hard disks built into the computer (SATA, PATA) are unreachable from c't Bankix; to achieve this we integrated a special modification into the Linux kernel.
Of course, since Linux can only have one kernel, it is not possible for Porteus to have that patch included in the standard Porteus flavour. I presume you will understand why that cannot be.

When it comes to such issues with a specialized Porteus Kernel Builder kernel, especially one that has a rare patch like the mentioned one (and sadly they don't go into any details in that article, but maybe the c't magazine you still have with such a Bankix has more details on that patch), I suggest you head over to one of neko's posts. A good start might be this one: Porteus Kernel Builder. He is the resident Porteus Linux kernel guru and might be able to either direct you to the patches needed, or maybe is even willing to create such a patched Porteus Linux kernel for you. But that depends on him, I cannot guarantee anything; what free time he has for such extra adventures I don't know, but usually he is helpful to all polite requests concerning Porteus special kernels.

Then again, our main developer, brokenman, is quite interested in my for now abandoned approach in creating modules for a Porteus that turns it into a security audit. See my post here: Vulnerability scanners
Having a specialized kernel with disabled reading of the hard disk would not help here, since some of these tools are for analysing the hardware and having an audit of what malware was found.
___________________________________

Anyway, when it comes to possibly malware-infected machines? You know of the latest trend (that is now already some years old…) in that "business", creating a virtual machine during boot time that loads prior to the kernel or any other code loaded from any OS, including Linux?
The "real OS" is just running in that malware VM. When the PC you are concerned about does have such malware already installed, you will be out of luck, since this malware already controls everything on that machine, and usually no malware scanner can detect anything since the VM of the malware has complete control over what any later started software is able to see, or not to see.
Cheers!
Yours Rava

user0815
White ninja
Posts: 12
Joined: 22 Jan 2019, 11:46
Distribution: CINNAMON-v4.0-x86_64

Re: prevent access to internal harddisk of the PC

Post#4 by user0815 » 08 Feb 2019, 16:45

@AcnapyxoB: noauto wouldn't really help, since it just "..does not mount any devices during startup.
Every disk needs to be mounted manually in order to access it". The internal hard drive can still be mounted by accident or by malware. I am looking for an option to deny access on the kernel level. I know it's a bit "paranoid", and there are things such as changing default passwords, switching the firewall to strict mode, etc., which you can do, but I want a safe live USB system which you can use in an environment with a high risk of malware infection. The c't Bankix was once a good option to do this, but they stopped maintenance years ago.
@Rava
The main reason why I am exploring Porteus is that I like it more than c't Bankix. It's much more lightweight, boots faster, and the idea of copy2ram ensures that after removing the USB flash drive no malware can touch your Porteus settings and you will have a fresh version next time. The only remaining Achilles heel is the access to the internal hard drive. Thank you for the detailed advice. I will try to build the kernel myself. There is a hint given by the author of c't Bankix how to do it for Ubuntu here
https://www.heise.de/forum/c-t/Kommenta ... 7862/show/.
It is just a one-line change when building the kernel:


--- linux-2.6.28/include/linux/libata.h 2008-12-25 00:26:37.000000000 +0100
+++ linux-2.6.28/include/linux/libata.h 2009-08-05 17:43:25.000000000 +0200
@@ -1257,7 +1257,7 @@

 static inline unsigned int ata_dev_enabled(const struct ata_device *dev)
 {
-       return ata_class_enabled(dev->class);
+       return dev->class == ATA_DEV_ATAPI; /* optical drives only (mid) */
 }
 static inline unsigned int ata_dev_disabled(const struct ata_device *dev)
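Review bot: `return dev->class == ATA_DEV_ATAPI;` keeps only ATAPI devices rather than excluding just the hard-disk class, and because the change sits in `include/linux/libata.h` it affects only devices driven by libata (the SATA/PATA disks the quoted article names); a disk reached through another driver, such as an NVMe or USB-attached one, is not hidden by this hunk. The restriction is also hard-coded into the inline with only a `(mid)` tag as explanation; a comment stating that scope, and ideally a Kconfig option or boot parameter so the same tree can still build a normal kernel, would make the intent reviewable.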
I have no idea whether this will work for Slackware.

Cheers.

Rava
Contributor
Posts: 2024
Joined: 11 Jan 2011, 02:46
Distribution: Porteus 4.0 x86-64 XFCe
Location: Forests of Germany

Re: prevent access to internal harddisk of the PC

Post#5 by Rava » 08 Feb 2019, 17:45

user0815 wrote:
08 Feb 2019, 16:45
I have no idea whether this will work for Slackware.
Kernel patching is independent when it comes to the distribution. This


--- linux-2.6.28/include/linux/libata.h 2008-12-25 00:26:37.000000000 +0100
+++ linux-2.6.28/include/linux/libata.h 2009-08-05 17:43:25.000000000 +0200
@@ -1257,7 +1257,7 @@

 static inline unsigned int ata_dev_enabled(const struct ata_device *dev)
 {
-       return ata_class_enabled(dev->class);
+       return dev->class == ATA_DEV_ATAPI; /* optical drives only (mid) */
 }
 static inline unsigned int ata_dev_disabled(const struct ata_device *dev)
looks like a diff to me. And it heavily depends on the source code of the kernel you try to patch. It is done here for linux-2.6.28/include/linux/libata.h which is a quite outdated kernel.

But you could, instead of applying the diff directly, just replace


return ata_class_enabled(dev->class);
with


return dev->class == ATA_DEV_ATAPI; /* optical drives only (mid) */
When the recent code has something else instead of


return ata_class_enabled(dev->class);
patching the kernel is not that easy. Remember, recent stable kernel is 4.20.7, that is a long way from 2.6.28.
Cheers!
Yours Rava
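A small shell helper, added here and not from the thread or from the Porteus project, that does the line replacement Rava describes only after confirming the target kernel tree still contains exactly that one line, and refuses otherwise; the two strings are taken from the diff quoted above, the kernel tree layout is assumed.

```shell
#!/bin/sh
# Added helper, not from the thread or the Porteus project: do the
# line replacement Rava suggests, but only when the kernel tree still
# contains exactly one copy of the original line. If it has changed
# (as he warns for kernels far newer than 2.6.28), refuse and say so.
# Assumed: POSIX sh, grep and sed; kernel tree layout as in the diff.

OLD='return ata_class_enabled(dev->class);'
NEW='return dev->class == ATA_DEV_ATAPI; /* optical drives only (mid) */'

# Return 0 if the original line is still present in the given tree.
libata_line_present() {
    grep -q -F "$OLD" "$1/include/linux/libata.h"
}

# Replace the line in place, keeping a .orig copy. Returns 0 on success,
# 1 when the line is missing or ambiguous, 2 when the header is not found.
patch_libata_enabled() {
    hdr="$1/include/linux/libata.h"
    [ -f "$hdr" ] || { echo "no $hdr" >&2; return 2; }
    # Count fixed-string matches first; grep -c prints 0 on no match.
    n=$(grep -c -F "$OLD" "$hdr" || true)
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one '$OLD' in $hdr, found $n" >&2
        return 1
    fi
    cp "$hdr" "$hdr.orig"
    # Escape regex metacharacters in OLD and '\' / '&' in NEW for sed.
    old_re=$(printf '%s' "$OLD" | sed 's/[][\.*^$]/\\&/g')
    new_re=$(printf '%s' "$NEW" | sed 's/[\&]/\\&/g')
    # '|' delimiter: neither string contains it, so '/' needs no escaping.
    sed "s|$old_re|$new_re|" "$hdr" > "$hdr.tmp" && mv "$hdr.tmp" "$hdr"
    # Verify the result before reporting success.
    grep -q -F "$NEW" "$hdr" && ! grep -q -F "$OLD" "$hdr"
}
```

Run it as `patch_libata_enabled /path/to/linux-src` before building; a non-zero exit means the 2.6.28 hunk no longer matches and the change has to be made by hand.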
