PakSecured Installation & Configuration
Updated for PS-5.4 LiveDVD


Link to PakSecured 2.X installation document


Back To HOME


Minimum System Requirements


Initial Files Install

The installation of PakSecured Linux will destroy any data you have on your harddrive. Make sure that you have a new harddrive or that you have backed up all critical data from your existing harddrive.


The core install method for PakSecured x64 is to boot the LiveDVD, modprobe the driver for your DVD drive, mount the DVD, and exit the init shell.
Once this is done you will have a login prompt - uname: root / no password

Then you modprobe whatever additional drivers you need to see the harddisk and any other devices you require.
Once you can see your harddrive you partition it, temporarily mount the partitions on a directory created in /tmp,
change into the root mount and untar the appropriate tarball image.


So now that the overview is stated, let us walk through the steps of a typical install.

We will assume that this install will be on a VMware or QEMU system.
Once the DVD boots and we are at the initial prompt we need to modprobe the driver for our DVD drive.
You can look to see what the kernel boot messages are at this point using the standard dmesg | more
as there is a busybox install in initrd.
Since we are assuming VMware, almost every VMware system uses the Intel PIIX atapi subsystem
So typing modprobe ata_piix should spit out messages about the DVD drive
Since the boot kernel for the DVD uses devtmpfs, the drive will be /dev/sr0 (or /dev/sr1 if multiple drives)
Now we mount the DVD image onto a specific directory:
mount -t iso9660 /dev/sr0 /cdrom
and exit out of the initrd shell
exit
And at this point the LiveDVD scripts will run creating three "writable" directories on a ramdisk
and also creating a tmpfs mounted on /tmp
The login to the LiveDVD is root with no password
At this point you likely need to install the drivers for the harddisk and whatever other devices (nics, etc) that you need.
Depending on what you selected for the VMware configuration will guide you in selecting the appropriate modules
Note that all the modules available are in the usual location - /lib/modules/5.4.67 for the LiveDVD as of 31-Dec-2020.
For a typical "Generic Linux" selection under VMware you would likely want the LSI SCSI driver
modprobe mptsas or mptspi in the event you have that type of drive
You should see the console messages regarding finding your harddisk and you can also look in dmesg

Now that you can see your hard disk you need to partition it, format the partitions, mount and untar.
So, assuming a 20G drive, we suggest you use gdisk although fdisk is available if you prefer
The partition sizes suggested are:

NOTE that the "swap" should be left alone as a type 83 linux filesystem!!
Now let us create the filesystems for use.
Under the Linux 5.x kernels we prefer to use ext4. But you can use whatever you want so long as you
keep in mind that we do not have or use any volume managers but you are free to compile and add one later.
So assuming we will do ext4,
e2fsck -t ext4 /dev/sda1 and etc BUT NOT /dev/sda4 - Leave that one alone for CryptoSwap to handle later.
Now we have the three core partitions formatted let us do the install
cd /tmp
mkdir sda1
mount -t ext4 /dev/sda1 /tmp/sda1
cd /tmp/sda1
mkdir opt var
mount -t ext4 /dev/sda2 var/
mount -t ext4 /dev/sda3 opt/

Choose which image you would like to use - Server or MultiLib - and then untar it in the root of the new system
cd /tmp/sda1
tar -xvf /DATA/paksecured-5.4.2-Server-lib_firmware-28jan21_1728.tar.xz

Now we have to setup the environment, chroot, compile and install a kernel to run our system
You may have noticed that the kernel listed on the tarball is 5.4.2 but the boot kernel on the DVD was 5.4.67
This is due to the WireGuard backport. We recommend you compile 5.4.67 which is included but we are also running 5.10.11 on many of our systems today.
We will assume 5.4.67 in the steps that follow.
Setup and then chroot:
cd /tmp/sda1
mount -t proc proc proc/
mount -t sysfs sysfs sys/
chroot

At this point you are "inside" the new PS system. Now to compile the kernel.
source /root/.profile ; this is to set the correct paths etc
cd /usr/src/
NOTE that you likely want to use the Linux 5.10.27 kernel located in this directory. You also have a choice here for Linux 5.4.2 which is the kernel source used to build the PakSecured-5X base system but we do not recommend using it. The Linux 5.4.2 source is located in the /usr/src directory as well in case any special headers or information is needed.
In order for the kernel compile to work we need to make sure the linker cache is uptodate
ldconfig -v
Now assuming we choose the recommended kernel
cd /usr/src/linux-5.10.27
make localyesyconfig
; this command converts the modules we have installed to core compiled in drivers
make menuconfig ; now you need to select/configure the kernel to your liking
make ; make the kernel and any modules you have selected additionally
After the compile is done, we are still in the chroot so now we want to install the kernel and any modules
make modules_install
cp arch/x86/boot/bzImage /boot/vmlinuz
; the default kernel name for lilo
cp arch/x86/boot/bzImage /boot/vmlinuz.old ; the backup kernel name for lilo - can be omitted if you edit /etc/lilo/conf
Now you can (and likely should) take a quick look in /etc/lilo.conf to see that it agrees with your setup
then run lilo to install the boot sectors:
lilo -v -v AT this point the system is ready to reboot.
BUT you may want to consider configuring the networking/sshd and other configurations
All of these are in /etc
Networking in particular is in /etc/sysconfig/network-scripts
When all done or just raring to go we need to back out of the chroot
exit
cd /tmp/sda1
umount opt var proc sys
cd /tmp
umount sda1

And we are done.

NOTE that the DVD does not have a clean way to umount itself (yet) so halt/reboot will simply stop the processes and not the system

Best bet is to run halt and then turn the system off, extract the DVD (Remove from VMware config), and boot the system again
And now you should have a Login to the PakSecured system
Might want to set a passwd for root and tech (only two "real" users on system) unless done in chroot.

More documentation is coming. The man pages for PS-2.X can help some as much of the networking is still similar in function
Included below are some tail sections of the PS-2.X install document to help with networking etal.
Otherwise feel free to ping us and ask


Thank you!!

Back To HOME



ORIGINAL PS-2.X INSTALL: Final Phase - PakSecured Configuration


Once the system has rebooted with your new kernel image you will be given a standard login prompt. You may now login as root to the system. Note that as part of the previous installation phases several parts of the system were configured. These are as follows.

A user called "tech" was created

Tech has the password you assigned in the install

tech's ssh keys were generated

System SSH keys were generated

The basic networking as entered in the install process was configured.

You will now want to perform any advanced configuration of the system. The initial networking values you entered during the install process have already been saved, so you should have device eth0 already functional. You can check this by entering the following commands:

--> ip addr (will show the address you entered for eth0)

--> ip route (will show the route for the gateway you entered)

Note that this system does not have ifconfig or route installed. The only networking utilities are ip, tc, and the set from Alexey's iputils package.

PakSecured is designed to allow for simple operation through a global firewall system configuration file. All standard networking is performed through standard independent configuration files such as listed below. Within the global configuration file is allowance for calling scripts to perform advanced policy routing structures. The following listing provides some of the relevant files for configuring and maintaining the system.

Networking configuration files and the advanced policy scripts are located in /etc/sysconfig/network-scripts/.

Within this directory are the ip4cfg-{network} configuration files for the network interface cards. You should already have an ip4cfg-eth0 in this directory from the install.

There is a sample-ip4cfg provided as a template to configure any other interfaces you may need. (ip4cfg-eth1, ip4cfg-tr0, ...) Note that you cannot use the ip4cfg-* files from any other distribution as they do not use Policy Routing.

The routes needed for the system on startup are contained within the ip4cfg-routes file in this directory as well. Look inside that file for the current routing setup and some samples for additional routes.

Also within this directory are some sample files for performing advanced policy routing structures. The mail.fw file is a simple single machine policy for allowing a unique route for a single machine. Note that this file also contains the commands for setting up the firewalling functions that are associated with the policy.

On the CD you can find some advanced configuration files that implement parts of the book examples. These files would be placed into this directory for use.

pakfw.config

The global configuration file for the firewall part of the system is the pakfw.config file located in /etc/sysconfig. The file is commented. Note that many of the sections in the file contain loop structures. This is one of the more powerful uses of the configuration structures. To best illustrate how it works consider the final section, MISC.

MISC_HIGH=0

MISC0="mail.fw"

MISC1=""

MISC2=""


As you can see there are variables that are numbered consecutively. These are the actual run variables. In this case the MISC0 variable contains the name mail.fw. The loop variable is the MISC_HIGH variable.

When the loop variable is set to 0 as it is here then this section is deactivated even if the global logic variable MISC (located at the top of pakfw.config) is set. This loop variable controls the number of procedures that would be run. So if you want to run the mail.fw script you can set the MISC_HIGH variable to 1. Note that this is one greater than the number of the variable. This is where the looping comes in. Say you wanted to code up all 8 examples from Chapter 5 of Policy Routing with LInux to run as MISC additions. Then you would set the loop variable MISC_HIGH to 9 and place the names of the files you created to run the examples in the appropriate lines. You may end up with a MISC section that looks like this.

MISC_HIGH=9

MISC0="example5.1"

MISC1="example5.2"

MISC2="example5.3"

MISC3="example5.4"

MISC4="example5.5"

MISC5="example5.6"

MISC6="example5.7"

MISC7="example5.8"


Now the fun part is that you can also set the loop variable to 3 in which case you would only run examples 5.1 - 5.3.

These variables control the information needed to run the system. If you want to see how these variables are used look in the function definitions. These are located in /etc/rc.d/init.d and are the pakfw.functions and pakvpn.functions files. There are other function definitions that are located in /etc/sysconfig/network-scripts.

Enjoy your PakSecured system.


Back To HOME