The actual guide (because while the Arch Linux Wiki is "S+ Tier," it's very difficult for someone with no command-line experience to install the OS and obtain a GUI):
-Note: This setup does not use a "remote header." Refer to the Wiki for details of how to set up a remote boot partition with a remote header (combine with a Nitrokey Flash Drive that has flashable firmware for maximum efficiency, doublewrap with a USB Rubber Ducky that types a 512 character password for maximum FBI rage).
-Note: Firefox is backdoored on Arch Linux. Firejailing it is a suitable precaution, but I recommend replacing Firefox with the TOR BROWSER and using a copy of it as a PLAINTEXT BROWSER REPLACEMENT.
https://github.com/netblue30/firejail/blob/master/etc/firefox.profile (was altered into alphabetical profiles... curious move, Pentagon.)
https://github.com/netblue30/firejail/blob/master/etc/profile-a-l/firefo...
https://www.ghacks.net/2018/11/26/can-you-use-the-tor-browser-without-tor-connection/
https://www.reddit.com/r/TOR/comments/jtpfg8/how_do_i_disable_tor_network_i_just_want_to_use/
extensions.torlauncher.start_tor = false
network.dns.disabled = false
network.proxy.socks_remote_dns = false
network.proxy.type = 0
On Linux:
env TOR_SKIP_LAUNCH=1 TOR_TRANSPROXY=1 ./path/to/your/install/of/start-tor-browser.desktop
On Windows:
#Double Click the browser
FREQUENTLY USED COMMANDS
----------
----------
sudo screen /dev/ttyUSB0 115200
#for console
lsusb
blkid
lsblk
who
#frequently used "show commands"
PACMAN FU:
----------
----------
pacman-key --refresh-keys
#Having Key Trouble?
pacman -Sy
#SYNC PACKAGE DATABASE
pacman -Syy
#SYNC PACKAGE DATABASE BY FORCE
pacman -S PACKAGENAME
#INSTALL PACKAGE
pacman -Sw PACKAGENAME
pacman -S PACKAGENAME
#INSTALL PACKAGE OFFLINE
pacman -Su
#UPGRADE PACKAGES
pacman -Suw
pacman -Su
#UPGRADE PACKAGES OFFLINE
pacman -Rs PACKAGENAME
#UNINSTALL A PACKAGE AND ITS DEPENDENCIES (THAT AREN’T REQUIRED BY OTHER PACKAGES)
pacman -Rsc PACKAGENAME
#UNINSTALL A PACKAGE AND ITS DEPENDENCIES (AND ALL PACKAGES THAT DEPEND ON TARGET)
BINARY RENAMING/PATCHING PROCEDURE:
----------
----------
#Relevant binaries that I have seen spawned by Nation State Actors on my system:
sudo mv /usr/share/defaults/at-spi2/accessibility.conf.old /usr/share/defaults/at-spi2/accessibility.conf
sudo mv /usr/bin/dbus-launch.old /usr/bin/dbus-launch
sudo mv /usr/bin/dbus-send.old /usr/bin/dbus-send
sudo mv /usr/lib/qt/libexec/QtWebEngineProcess.old /usr/lib/qt/libexec/QtWebEngineProcess
sudo mv /usr/bin/chromium.old /usr/bin/chromium
sudo mv /usr/bin/gmenudbusmenuproxy.old /usr/bin/gmenudbusmenuproxy
sudo mv /usr/lib/gvfsd-trash.old /usr/lib/gvfsd-trash
#Manually download the keyring if you get "Invalid or Corrupted package (PGP signature)" when you perform "pacman -Syuw":
#sudo pacman -Sy archlinux-keyring
sudo pacman -Syuw
sudo killall dhcpcd
sudo ip link set INTERFACE down
sudo killall MyKillscript
#/boot is an attack surface and isn’t required once the PC is booted.
sudo mount /dev/sda1 /boot
sudo pacman -Su
sudo mv /usr/share/defaults/at-spi2/accessibility.conf /usr/share/defaults/at-spi2/accessibility.conf.old
sudo mv /usr/bin/dbus-launch /usr/bin/dbus-launch.old
sudo mv /usr/bin/dbus-send /usr/bin/dbus-send.old
sudo mv /usr/lib/qt/libexec/QtWebEngineProcess /usr/lib/qt/libexec/QtWebEngineProcess.old
sudo mv /usr/bin/chromium /usr/bin/chromium.old
sudo mv /usr/bin/gmenudbusmenuproxy /usr/bin/gmenudbusmenuproxy.old
sudo mv /usr/lib/gvfsd-trash /usr/lib/gvfsd-trash.old
#Check xorg settings to disable abstract sockets (which can be exploited remotely):
sudo nano /usr/lib/sddm/sddm.conf.d/default.conf
#set ServerArguments in the [X11] section of the file:
[X11]
ServerArguments=-nolisten tcp -nolisten local
shutdown -r now
EMERGENCY RESCUE PROCEDURES:
----------
----------
cryptsetup open --type luks /dev/sda2 lvm
mount /dev/vol0/root /mnt
mount /dev/sda1 /mnt/boot
arch-chroot /mnt /bin/bash
#To Close:
exit #leave the chroot
umount /mnt/boot
umount /mnt
vgchange -a n vol0
cryptsetup luksClose lvm
Now let's get busy:
FORMAT THE DRIVES:
--------------------------
-List Drives:
lsblk
-Partition the Drives:
gdisk /dev/sdX
#(careful here, you may want to use a different drive for detached luks header)
One partition (1), first sector 2048 (default), last sector “513MB” (the extra MB is for buffer). Hex code EF00 (EFI SYSTEM)
Another partition (2), first sector (default), last sector should be the remainder of the drive. Hex code 8E00 (Linux LVM)
-List the created partitions:
gdisk -l /dev/sdX
CREATE AND OPEN LUKS CONTAINER FOR INITIAL INSTALL (where X is the drive number):
https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Encrypted_syst...
--------------------------
#DETACHED LUKS HEADER (REFER TO THE WIKI FOR THE FULL STEPS)
dd if=/dev/zero of=header.img bs=4M count=1 conv=notrunc
cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --verify-passphrase luksFormat --type luks2 /dev/sdX2 --align-payload 8192 --header header.img
-lsblk is your friend
cryptsetup open --header header.img /dev/sdX2 lvm
#AFTER PACSTRAP, DO THIS
mv header.img /mnt/boot
#NO DETACHED LUKS HEADER
cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --verify-passphrase luksFormat --type luks2 /dev/sdX2
-lsblk is your friend
cryptsetup open --type luks /dev/sdX2 lvm
GENERAL DISK FU:
--------------------------
CREATE AND MOUNT FILESYSTEMS:
--------------------------
#CREATE AND MOUNT THE ROOT/SWAP VOLUME:
pvcreate /dev/mapper/lvm
-/dev/mapper/lvm is the opened LUKS container on /dev/sdX2; the above command initializes it as an LVM physical volume
vgcreate vol0 /dev/mapper/lvm
lvcreate --name root -l 100%FREE vol0
#lvcreate --name swap -L 8gb vol0
#(lol swap lol forensics)
mkfs.ext4 /dev/mapper/vol0-root
#mkswap /dev/mapper/vol0-swap
#swapon /dev/vol0/swap
#(lol swap lol forensics)
mount /dev/vol0/root /mnt
#To mount the root volume that was just created.
#CREATE AND MOUNT THE BOOT VOLUME:
#THIS MAY BE DIFFERENT DEPENDING ON DETACHED LUKS HEADER
mkfs.vfat /dev/sdX1
mkdir -p /mnt/boot
mount /dev/sdX1 /mnt/boot
CONNECT YOUR ETHERNET:
--------------------------
ip link
#Check Ethernet names and the status of your ethernet ports (up or down).
dhcpcd YourEthernetNameGoesHere
#Get an IP address.
ip addr
#Check your IP address.
INSTALL BASE PACKAGES:
https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Encrypted_syst...
--------------------------
https://i.ibb.co/DY6csmR/Beastmode1.jpg
https://i.ibb.co/y0RV4jg/Beastmode2.jpg
https://i.ibb.co/sqg6k6J/Beastmode3.jpg
https://i.ibb.co/MgynpLR/Beastmode4.jpg
https://i.ibb.co/4FM67L8/Beastmode5.jpg
#https://man.archlinux.org/man/pacstrap.8
#Note: linux-firmware is non-free firmware. You should be set if you are using Intel Network cards or Broadcom Network cards that use a native Linux driver.
#https://wiki.archlinux.org/title/Makepkg#Usage
#Note: base-devel was removed from the initial install guide. You're probably going to need it.
pacstrap -i /mnt base base-devel linux linux-firmware
#IF USING A DETACHED LUKS HEADER, DO THIS (REFER TO THE WIKI FOR THE FULL STEPS):
mv header.img /mnt/boot
#Then generate and check fstab
genfstab -U -p /mnt >> /mnt/etc/fstab
nano /mnt/etc/fstab
#Watch the pretty code fly across the screen.
CHROOT INTO THE NEWLY INSTALLED SYSTEM AND START FUCKING WITH IT:
--------------------------
modprobe efivarfs
arch-chroot /mnt /bin/bash
#UNCOMMENT THE ENTRY IN THE BELOW FILES TO SET YOUR COUNTRY'S LOCALE:
nano /etc/locale.gen
#en_US.UTF-8 UTF-8
nano /etc/locale.conf
# LANG=en_US.UTF-8
#SET YOUR HOSTNAME:
echo "Ruin" > /etc/hostname
USER ACCOUNT SHENANIGANS:
--------------------------
#Secure root with a password:
passwd
#Add a regular user; require root password for sudo usage:
useradd -m -g users -G wheel,storage,power -s /bin/bash war
passwd war
nano /etc/sudoers
#Search for and uncomment (allow all members of group wheel to execute any command):
## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL
#Add this line (sudo then asks for the root password):
Defaults rootpw
SET UP THE PACKAGE MANAGER:
--------------------------
nano /etc/pacman.conf
#Change SigLevel
SigLevel = Required DatabaseOptional TrustedOnly
#Uncomment the below two lines:
#[multilib]
#Include = /etc/pacman.d/mirrorlist
SET UP PACKAGE MIRRORS:
https://wiki.archlinux.org/title/Mirrors
https://archlinux.org/mirrors/status/
--------------------------
mv /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.old
nano /etc/pacman.d/mirrorlist
#SWEDEN TIER 1 MIRROR
Server = https://ftp.acc.umu.se/mirror/archlinux/$repo/os/$arch
#SLOVENIA TIER 1 MIRROR
Server = https://archimonde.ts.si/archlinux/$repo/os/$arch
#CANADA TIER 1 MIRROR
Server = https://mirror.csclub.uwaterloo.ca/archlinux/$repo/os/$arch
#UNITED STATES TIER 1 MIRROR
Server = http://mirror.es.its.nyu.edu/archlinux/$repo/os/$arch
#GERMANY TIER 1 MIRROR
Server = https://mirror.f4st.host/archlinux/$repo/os/$arch
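A quick audit of the two files edited above, as an added example that is not part of the original guide. It lists mirrors that are not served over https:// and any SigLevel line (in [options] or a repository section) that ends up not requiring package signatures; the helper names and the [custom] repository are made up for the illustration.

```sh
#!/bin/sh
# Added example, not part of the original guide. insecure_mirrors and
# weak_siglevels are hypothetical helper names.

# Read a mirrorlist on stdin; print each active Server URL that is not https://.
insecure_mirrors() {
    awk '/^[ \t]*Server[ \t]*=/ {
        sub(/^[^=]*=[ \t]*/, "")
        if ($0 !~ /^https:\/\//) print
    }'
}

# Read a pacman.conf on stdin; print "section: value" for every SigLevel that
# does not end up requiring package signatures (later keywords override earlier).
weak_siglevels() {
    awk '
        /^[ \t]*\[/ {
            section = $0; gsub(/[ \t]/, "", section)
            section = substr(section, 2, length(section) - 2); next
        }
        /^[ \t]*SigLevel[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); req = 0
            n = split($0, w, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (w[i] ~ /^(Package)?Required$/) req = 1
                if (w[i] ~ /^(Package)?(Optional|Never)$/) req = 0
            }
            if (!req) print section ": " $0
        }'
}

# Two of the mirror lines from this guide; single quotes keep $repo/$arch literal.
SAMPLE_MIRRORLIST='Server = https://ftp.acc.umu.se/mirror/archlinux/$repo/os/$arch
Server = http://mirror.es.its.nyu.edu/archlinux/$repo/os/$arch'

# Constructed pacman.conf: the guide's [options] line plus a weak repo override.
SAMPLE_PACMAN_CONF='[options]
SigLevel = Required DatabaseOptional TrustedOnly
[multilib]
Include = /etc/pacman.d/mirrorlist
[custom]
SigLevel = Optional TrustAll'

printf '%s\n' "$SAMPLE_MIRRORLIST" | insecure_mirrors
printf '%s\n' "$SAMPLE_PACMAN_CONF" | weak_siglevels
# On an installed system: insecure_mirrors < /etc/pacman.d/mirrorlist
#                         weak_siglevels   < /etc/pacman.conf
```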
INSTALL BOOTCTL:
--------------------------
FIND THE UUID of /dev/sdX2, INSERT IT INTO /boot/loader/entries/arch.conf:
--------------------------
blkid /dev/sdX2
blkid /dev/sdX2 | awk '{print $2}' | sed 's/"//g' > /boot/loader/entries/arch.conf
#blkid -s PARTUUID /dev/sdX2 > /boot/loader/entries/arch.conf
nano /boot/loader/entries/arch.conf
cat /boot/loader/entries/arch.conf
#MAKE SURE YOU’RE GOOD TO GO AND THAT THE UUID IS INSERTED:
blkid /dev/sdX2
cat /etc/fstab
cat /boot/loader/entries/arch.conf
ADD THIS TO THE ABOVE FILE:
--------------------------
nano /boot/loader/entries/arch.conf
title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux.img
options cryptdevice=UUID=YOUPUTTHISHEREINTHEABOVESTEPnoquotes:lvm:allow-discards root=/dev/mapper/vol0-root quiet rw
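The awk '{print $2}' step above assumes UUID is the first field blkid prints. The following added example (not part of the original guide) picks the UUID field by name, refuses anything that is not a LUKS container, and prints the finished entry; luks_uuid and loader_entry are hypothetical helper names and the blkid lines are constructed samples.

```sh
#!/bin/sh
# Added example, not part of the original guide. luks_uuid and loader_entry
# are hypothetical helper names; the sample blkid lines are constructed.

# Print the UUID from one line of blkid output, wherever the field sits.
# The leading space in ' UUID="' keeps PARTUUID= from matching.
luks_uuid() {
    _rest=" ${1#*:}"                      # drop the "/dev/sdX2:" prefix
    case $_rest in
        *' TYPE="crypto_LUKS"'*) ;;       # accept only a LUKS container
        *) return 1 ;;
    esac
    printf '%s\n' "$_rest" |
        sed -n 's/.* UUID="\([^"]*\)".*/\1/p' |
        grep -E '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Print the systemd-boot entry from this guide for the given UUID.
loader_entry() {
    printf '%s\n' \
        'title Arch Linux' \
        'linux /vmlinuz-linux' \
        'initrd /initramfs-linux.img' \
        "options cryptdevice=UUID=${1}:lvm:allow-discards root=/dev/mapper/vol0-root quiet rw"
}

SAMPLE_PLAIN='/dev/sda2: UUID="1b2c3d4e-5f60-4718-8a9b-0c1d2e3f4a5b" TYPE="crypto_LUKS" PARTUUID="aaaabbbb-cccc-4ddd-8eee-ffff00001111"'
SAMPLE_LABELED='/dev/sda2: LABEL="vault" UUID="1b2c3d4e-5f60-4718-8a9b-0c1d2e3f4a5b" TYPE="crypto_LUKS" PARTUUID="aaaabbbb-cccc-4ddd-8eee-ffff00001111"'
SAMPLE_EFI='/dev/sda1: UUID="ABCD-1234" TYPE="vfat" PARTUUID="aaaabbbb-cccc-4ddd-8eee-ffff00002222"'

# awk '{print $2}' would return LABEL="vault" for the second sample.
for _line in "$SAMPLE_PLAIN" "$SAMPLE_LABELED" "$SAMPLE_EFI"; do
    if _uuid=$(luks_uuid "$_line"); then
        loader_entry "$_uuid"             # real use: > /boot/loader/entries/arch.conf
    else
        echo "skipped (not a LUKS partition): ${_line%%:*}" >&2
    fi
done
```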
UPDATE .efi BOOT FILES:
--------------------------
INITRAMFS:
https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Encrypted_syst...
--------------------------
#IF NOT USING A DETACHED HEADER
#Add keymap, encrypt, and lvm2 HOOKS:
nano /etc/mkinitcpio.conf
MODULES=(ext4)
HOOKS=(base udev autodetect keyboard keymap modconf block encrypt lvm2 filesystems fsck)
#keyboard and keymap go before encrypt so the passphrase prompt uses your layout
#now mkinit
mkinitcpio -p linux
#IF USING A DETACHED HEADER (REFER TO THE WIKI FOR THE FULL STEPS):
#Add the UUID of your encrypted device to /etc/crypttab.initramfs
blkid /dev/sdX2
blkid /dev/sdX2 | awk '{print $2}' | sed 's/"//g' > /etc/crypttab.initramfs
#Format the crypttab
nano /etc/crypttab.initramfs
lvm UUID=YOUPUTTHISHEREINTHEABOVESTEPnoquotes none header=/boot/header.img
#Add proper files and HOOKS:
nano /etc/mkinitcpio.conf
MODULES=(ext4)
HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt sd-lvm2 filesystems fsck)
#now mkinit
mkinitcpio -p linux
OPTIONAL: EDIT /etc/fstab to not automount /boot
--------------------------
#add noauto (so /boot is not mounted automatically at boot)
# This example is for /dev/sda1
nano /etc/fstab
#The entry should look like:
UUID=XXXX-XXXX /boot vfat rw,relatime
#The change should look like:
UUID=XXXX-XXXX /boot vfat noauto,rw,relatime
GRACEFULLY REBOOT:
--------------------------
exit
umount /mnt/boot
umount /mnt
reboot
You've now successfully installed Arch Linux (assuming no typos). The hard part is over:
INSTALL INTEL-UCODE:
--------------------------
#Install the Intel U-Code patch to mitigate against Spectre/Meltdown.
pacman -S intel-ucode
#Modify your bootloader to use the Intel U-Code.
nano /boot/loader/entries/arch.conf
title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
options cryptdevice=UUID=YOUPUTTHISHEREINTHEABOVESTEPnoquotes:lvm:allow-discards root=/dev/mapper/vol0-root quiet rw
UPDATE .efi BOOT FILES:
--------------------------
ETHERNET NICKNAMES:
https://wiki.archlinux.org/title/Network_configuration#Change_interface_...
--------------------------
#Change the name of your interfaces from "enp0s3" to HUMAN READABLE names:
sudo nano /etc/udev/rules.d/10-network.rules
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="88:88:88:88:87:88", NAME="LAN"
#Reload udev to apply the interface name changes (or reboot).
sudo udevadm control --reload-rules && sudo udevadm trigger
INSTALL PACKAGE CHECKING PACKAGES:
--------------------------
INSTALL NETWORK LOOKUP PACKAGES:
https://wiki.archlinux.org/index.php/Network_Debugging
--------------------------
sudo pacman -S bind-tools
#Includes dig, host, and nslookup
INSTALL DISK FORMATTING PACKAGES:
--------------------------
sudo pacman -S dosfstools gparted gptfdisk cdrdao dvd+rw-tools k3b
#gdisk is part of the gptfdisk package
INSTALL MAC SPOOFING PACKAGES (BECAUSE YOU MOST LIKELY HAVE 88:88:88:88:87:88 AS YOUR MAC AFTER DEBLOBBING WITH THE INTEL MANAGEMENT ENGINE):
--------------------------
sudo pacman -S macchanger
#Random MAC:
sudo macchanger -r LAN
#or
#Hard-Coded MAC:
sudo macchanger -m aa:bb:cc:dd:ee:ff LAN
#Try creating a startup script.
HOW TO DISABLE IPV6:
--------------------------
sudo nano /etc/dhcpcd.conf
#add this to the file above
noipv6rs
noipv6
INSTALL A CONSOLE PROGRAM:
--------------------------
SET UP DATE AND TIME:
--------------------------
#Check System Clock and Time Zone
timedatectl
#Set Time Zone
timedatectl set-timezone America/New_York
timedatectl list-timezones
#Set System Clock
timedatectl set-time "yyyy-MM-dd hh:mm:ss"
#Show Hardware Clock
hwclock --show
#Set Hardware Clock from System Clock
hwclock --systohc
XORG NECESSITIES (I USE XORG AND KDE AND DISABLE ABSTRACT SOCKETS, SUE ME FGT):
--------------------------
sudo pacman -S xorg-server xorg-apps xorg-xinit xorg-twm xorg-xclock xterm
#Test
startx
exit
INSTALL SDDM LOGIN MANAGER:
https://wiki.archlinux.org/index.php/SDDM
https://wiki.archlinux.org/index.php/Display_manager#Loading_the_display...
--------------------------
sudo pacman -S sddm
sudo systemctl enable sddm.service
INSTALL THE KDE PLASMA DESKTOP:
https://wiki.archlinux.org/index.php/KDE
--------------------------
sudo pacman -S plasma-meta kde-applications
INSTALL TMUX:
https://bbs.archlinux.org/viewtopic.php?id=204091
--------------------------
sudo pacman -S tmux htop
nano ~/.tmux.conf #NOT AS ROOT
#Add the below to the blank file to remap "screen navigation" to ctrl+a (because it's easier) and enable mouse scrollback:
#NOTE: HAND PECK, DON’T COPY PASTE
#-----
#REBIND KEYS TO ctrl+a
unbind C-b
set -g prefix C-a
bind C-a send-prefix
set-option -g -q mouse on
#ENABLE PAGE UP SCROLLBACK/PAGE DOWN EXIT
bind-key -T root PPage if-shell -F "#{alternate_on}" "send-keys PPage" "copy-mode -e; send-keys PPage"
#bind-key -t vi-copy PPage page-up
#bind-key -t vi-copy NPage page-down
#HOW TO COPY PASTE WITH THE MOUSE:
#Select the text you want, then push Alt + w with the text still selected.
LOCK DOWN THE "PROFILE DIRECTORY" IN THE HOME FOLDER FOR ROOT ONLY ACCESS (GENERAL FILE PERMISSION SHENANIGANS):
--------------------------
sudo chown -R root:root /home/war/SIG
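sudo chmod -R 775 /home/war/SIG
#With root:root ownership, mode 775 lets only root (and group root) write; other users can still read and enter the directory. Use 700 if nobody else should read it.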
FIREJAIL SANDBOXING:
--------------------------
DISABLE X11 ABSTRACT SOCKETS:
--------------------------
sudo nano /usr/lib/sddm/sddm.conf.d/default.conf
#set ServerArguments in the [X11] section of the file:
[X11]
ServerArguments=-nolisten tcp -nolisten local
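To confirm the setting took effect after SDDM restarts, look for an abstract X11 socket (a path that starts with "@") in /proc/net/unix. This is an added example, not part of the original guide; the helper names are hypothetical and the two samples are constructed text in /proc/net/unix format.

```sh
#!/bin/sh
# Added example, not part of the original guide. abstract_x11_sockets,
# x11_abstract_disabled and report are hypothetical helper names.

# Print every abstract-namespace X11 socket (path starts with "@") on stdin.
abstract_x11_sockets() {
    awk 'NR > 1 && $8 ~ /^@\/tmp\/\.X11-unix\/X[0-9]+$/ { print $8 }'
}

# Succeed only when stdin lists no abstract X11 socket.
x11_abstract_disabled() {
    [ -z "$(abstract_x11_sockets)" ]
}

# $1 = label, stdin = text in /proc/net/unix format.
report() {
    if x11_abstract_disabled; then
        echo "$1: no abstract X11 socket"
    else
        echo "$1: abstract X11 socket still open"
    fi
}

# Constructed sample: Xorg listening on the abstract and the filesystem socket.
SAMPLE_BEFORE='Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 20101 @/tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 20102 /tmp/.X11-unix/X0
0000000000000000: 00000003 00000000 00000000 0001 03 20150'

# Constructed sample with "-nolisten local": only the filesystem socket remains.
SAMPLE_AFTER='Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 30102 /tmp/.X11-unix/X0'

printf '%s\n' "$SAMPLE_BEFORE" | report before
printf '%s\n' "$SAMPLE_AFTER"  | report after
# On the installed system: report live < /proc/net/unix
```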
INSTALL THIS PROGRAM TO CREATE MOUSE RANDOMIZATION SCRIPTS:
--------------------------
sudo pacman -S xautomation
You should have a GUI now. Let's play "Piss off the FBI Agent" now:
STOP JOURNALD FROM WRITING TO DISK
https://unix.stackexchange.com/questions/139513/how-to-clear-journalctl
-systemd-journald needs to continue to run, but it’s possible to tell it to not write logs to disk
--------------------------
#Change storage settings
sudo nano /etc/systemd/journald.conf
Storage=none
#Restart the service
sudo systemctl restart systemd-journald
sudo systemctl status systemd-journald
#Remove old journald logs (leave the folder there, delete what’s inside it)
sudo rm -rf /var/log/journal/*
#Check journald disk usage
journalctl --disk-usage
EASILY DISABLE BASH HISTORY FOR EACH USER:
http://mewbies.com/how_to_disable_bash_history_or_limit_tutorial.html
--------------------------
#Add the below to your bash profile (root and normal user):
nano ~/.bash_profile
#--
export HISTFILESIZE=
export HISTSIZE=
unset HISTFILE
#--
#Remove the history file (root and normal user)
rm -rf ~/.bash_history
#Clear terminal history
history -cw
#Reboot and test
DISABLE KDE WALLET (GUI)
--------------------------
kwalletmanager
settings > configure wallet > uncheck the box “Enable the KDE wallet subsystem”
-Delete the folders in the wallet and close the wallet first.
KDE VIEW PROPERTIES (DOLPHIN):
--------------------------
-In dolphin: Control > Adjust View Properties > uncheck “show preview”
-Do this from the home directory
#Disable write permissions to KDE View Properties Folder
chmod -w /home/war/.local/share/dolphin/view_properties/local
DISABLE THE KDE CLIPBOARD:
--------------------------
-Add clipboard widget
-Set widget to store 1 entry only
-Uncheck “Save clipboard contents on exit”
-Uncheck “prevent empty clipboard”
DISABLE KDE RECENTLY OPENED DOCUMENTS:
--------------------------
#Disable Recent Documents
chmod -w ~/.local/share/RecentDocuments
#Clean up recently-used.xbel
rm -f ~/.local/share/recently-used.xbel
touch ~/.local/share/recently-used.xbel
chmod -w ~/.local/share/recently-used.xbel
DISABLE KDE COOKIES (GUI):
--------------------------
System Settings > Network > Settings > Cookies > uncheck “Enable Cookies”
CLEAR KDE RECENTLY OPENED DOCUMENTS/APPLICATIONS (GUI):
--------------------------
-Use the GUI, right click, “forget all”
START WITH NEW SESSION UPON EACH BOOT (GUI):
--------------------------
Startup and Shutdown > Desktop Session