Simple stateless VM image for redacting credit card images
Existing production redaction workflows often rely on an insecure method: pulling images, frequently PCI-DSS-sensitive ones, onto employee production computers and redacting them there in either the default paint application or Adobe Acrobat. Given the telemetry often included in modern Adobe products and the risk of copying sensitive data onto employee computers (with extra oversight required to ensure it doesn't stay there), a better solution is needed.
Virtualizing the redaction environment seems like the golden ticket: Linux offers robust control over even low-level system settings, and because it isn't locked down the way Microsoft or Apple machines are, it can be customized radically. Debian was chosen as the project's distribution because of its Live Build tooling, which automates the creation of a stateless, customizable disk image.
Because the system runs entirely in memory, users cannot inadvertently save images to persistent local storage. Firewall settings can be managed granularly with ufw via the build hook located in the config/hooks directory. The VM doesn't share a clipboard with its host and uses the bare-bones Openbox window manager to ensure that OOB activities don't occur.
The image runs on any modern hypervisor, whether bare-metal (e.g., VMware ESXi) or hosted (e.g., VMware Workstation). A local hypervisor is recommended (VirtualBox works well here), because then no RDP service needs to be exposed, which would increase the attack surface.
In the autostart script located at build/image/config/includes.chroot/etc/skel/.config/openbox/autostart, the actual hostname has been replaced with asterisks for security reasons. Change those share names to your own Samba shares so that Dolphin opens them at startup.
Performing a live build requires an installation of Debian and an internet connection. This can easily be virtualized if installing on bare-metal isn't desirable; I recommend VMware ESXi as a type 1 hypervisor, or Oracle VirtualBox.
The system resources stressed most by the build are the disk (both space and I/O) and the CPU (mostly for compression). For the best possible performance, I would recommend:
- x86_64 CPU with at least 2 cores
- Minimum of 2GB of RAM, though more would be helpful
- Have at least 25GB of disk space available in the build directory
- Have a strong network connection with port 80 (and probably port 443) open
Download a Debian ISO from a mirror here. It is best practice to select a mirror in your own country (I also typically select a school, anything .edu) for a faster download, and to verify the checksums and signature. Instructions on verifying your Debian image's authenticity can be found here. Once the image is downloaded and its authenticity has been verified, the build process can begin.
Additional information about the requirements for the Live Build process can be found in the documentation.
Live building an organization's ISO can be a lengthy process if multiple customizations are desired. For this reason it makes the most sense to perform the build once and keep the disk image in a centralized, secure location, such as a file server or an FTP site; a new image doesn't need to be created for each user. To build the image:
- Install live-build within the VM

```sh
sudo apt update
sudo apt install live-build
```

- Create a working directory (all following lb commands are run from inside it)

```sh
mkdir ~/mylive
cd ~/mylive
```

- Configure the image

```sh
lb config \
--architecture amd64 \
--distribution bookworm \
--debian-installer none \
--archive-areas "main contrib non-free non-free-firmware" \
--bootappend-live "boot=live components splash quiet" \
--chroot-squashfs-compression-type lz4
```

This tells live-build to target 64-bit, use the Bookworm release, and skip the installer (we want a pure live system).
Image compression defaults to xz; a different scheme can be specified with --compression.
- Choose packages

Edit the package list, with one package per line:

```sh
nano config/package-lists/my.list.chroot
```

```text
openbox
xorg
lightdm
xterm
kolourpaint
smbclient
cifs-utils
dolphin
feh
qt6-image-formats-plugins
qt5-image-formats-plugins
plymouth
plymouth-themes
plymouth-x11
plymouth-label
ufw
```

- Build the image and clean up after yourself

```sh
sudo lb build
sudo lb clean
```

This may take a while. When it finishes, there will be a file called live-image-amd64.hybrid.iso in ~/mylive.
NB: If you have already built once and need to build again, use the same directory. Run lb config, then sudo lb clean, then sudo lb build; that ensures any updates to config/ are applied to the live build.
When this process is complete, all that's left to do is copy the ISO image from the ~/mylive directory out of the VM and test it, which can be done in the same hypervisor used above. If the RedactOS splash appears, the SMB shares mount, and KolourPaint opens, the build was successful. For troubleshooting of specific errors in the live-build process, see either the Live Build manual or the Help section below.
Launch the image in the hypervisor of choice. If offered an unattended install, decline it; there is no installation happening here in the traditional sense. VirtualBox is recommended in most cases, for both macOS and Windows (and Linux, if you choose to use it). UTM is also available on the Mac.
General resources on the Debian Live Build process can be found in the manual.
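As an added example (not part of the RedactOS repository), here is the build procedure above wrapped in one POSIX shell script: it refuses to build with less than the 25GB of free disk from the requirements list, writes the page's package list to config/package-lists/my.list.chroot, and always runs lb config, lb clean and lb build in the order the note above requires so rebuilds pick up config/ changes. The BUILD_DIR variable, the function names and the `build` argument are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the RedactOS project: wrapper around the live-build
# steps on this page. Run as: sh build-redactos.sh build
set -eu
BUILD_DIR="${BUILD_DIR:-${HOME:-/tmp}/mylive}"   # assumed variable; default matches the page
MIN_FREE_GB=25                                   # disk requirement from the list above
# Package list from the page, written out one package per line.
PACKAGES="openbox xorg lightdm xterm kolourpaint smbclient cifs-utils dolphin feh
qt6-image-formats-plugins qt5-image-formats-plugins plymouth plymouth-themes
plymouth-x11 plymouth-label ufw"

# Free space in whole GB on the filesystem that holds the given path.
free_gb() {
    df -Pk "$1" | awk 'NR == 2 { printf "%d", $4 / 1024 / 1024 }'
}
# Succeeds only when the given directory has at least MIN_FREE_GB free.
check_space() {
    [ "$(free_gb "$1")" -ge "$MIN_FREE_GB" ]
}
# Write config/package-lists/my.list.chroot under $1 and print the package count.
write_package_list() {
    mkdir -p "$1/config/package-lists"
    printf '%s\n' $PACKAGES > "$1/config/package-lists/my.list.chroot"
    wc -l < "$1/config/package-lists/my.list.chroot" | tr -d ' '
}
# Same lb config invocation as on the page; must run inside the build directory.
configure_image() {
    lb config \
        --architecture amd64 \
        --distribution bookworm \
        --debian-installer none \
        --archive-areas "main contrib non-free non-free-firmware" \
        --bootappend-live "boot=live components splash quiet" \
        --chroot-squashfs-compression-type lz4
}
build_image() {
    mkdir -p "$BUILD_DIR"
    check_space "$BUILD_DIR" || { echo "need ${MIN_FREE_GB}GB free in $BUILD_DIR" >&2; return 1; }
    cd "$BUILD_DIR"
    configure_image                          # config first ...
    write_package_list "$BUILD_DIR" >/dev/null
    sudo lb clean                            # ... then clean, so config/ changes are applied ...
    sudo lb build                            # ... then build
    ls -l "$BUILD_DIR/live-image-amd64.hybrid.iso"
}

if [ "${1:-}" = "build" ]; then build_image; fi
```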
- Hardening of UFW hook
- Auto login made smoother
- Inactivity timer (xautolock)
- QOL features (e.g., refresh button in dolphin shares)
- Disable unnecessary boot services
- Sudo access hardening
- Handle unreachable at boot SMB shares (i.e., should a message be shown or possibly immediate silent crash?)
Contributors' names and contact info
Ryan Piazza
Github
- V0.1 - Bonsai
This project is licensed under the GNU General Public License - see the LICENSE.md file for details
Thanks are due to the Debian Live project and its development team, as well as to the Debian User Forums, which were invaluable in assisting with several esoteric errors in the build process.
