SIGTERM's Guides: Arch Linux Install Cheat Sheet

notballin

The actual guide (because while the Arch Linux Wiki is "S+ Tier," it's very difficult for someone with no command-line experience to install the OS and obtain a GUI):
-Note: This setup does not use a "remote header." Refer to the Wiki for details of how to set up a remote boot partition with a remote header (combine with a Nitrokey Flash Drive that has flashable firmware for maximum efficiency, doublewrap with a USB Rubber Ducky that types a 512 character password for maximum FBI rage).
-Note: Firefox is backdoored on Arch Linux. Firejailing it is a suitable precaution, but I recommend replacing Firefox with the TOR BROWSER and using a copy of it as a PLAINTEXT BROWSER REPLACEMENT.

https://github.com/netblue30/firejail/blob/master/etc/firefox.profile (was altered into alphabetical profiles... curious move, Pentagon.)
https://github.com/netblue30/firejail/blob/master/etc/profile-a-l/firefo...

https://www.ghacks.net/2018/11/26/can-you-use-the-tor-browser-without-tor-connection/
https://www.reddit.com/r/TOR/comments/jtpfg8/how_do_i_disable_tor_network_i_just_want_to_use/

extensions.torlauncher.start_tor = FALSE
network.dns.disabled = FALSE
network.proxy.socks_remote_dns = FALSE
network.proxy.type = 0

On Linux:

env TOR_SKIP_LAUNCH=1 TOR_TRANSPROXY=1 ./path/to/your/install/of/start-tor-browser.desktop

On Windows:
#Double Click the browser


FREQUENTLY USED COMMANDS
----------
----------

sudo screen /dev/ttyUSB0 115200
#for console

lsusb
blkid
lsblk
who
#frequently used "show commands"

PACMAN FU:
----------
----------

pacman-key --refresh-keys
#Having Key Trouble?

pacman -Sy
#SYNC PACKAGE DATABASE

pacman -Syy
#SYNC PACKAGE DATABASE BY FORCE

pacman -S PACKAGENAME
#INSTALL PACKAGE

pacman -Sw PACKAGENAME
pacman -S PACKAGENAME
#INSTALL PACKAGE OFFLINE

pacman -Su
#UPGRADE PACKAGES

pacman -Suw
pacman -Su
#UPGRADE PACKAGES OFFLINE

pacman -Rs PACKAGENAME
#UNINSTALL A PACKAGE AND ITS DEPENDENCIES (THAT AREN’T REQUIRED BY OTHER PACKAGES)

pacman -Rsc PACKAGENAME
#UNINSTALL A PACKAGE AND ITS DEPENDENCIES (AND ALL PACKAGES THAT DEPEND ON TARGET)

BINARY RENAMING/PATCHING PROCEDURE:
----------
----------

<bash>
#Relevant binaries that I have seen spawned by Nation State Actors on my system:
#Put the original file names back before upgrading:
sudo mv /usr/share/defaults/at-spi2/accessibility.conf.old /usr/share/defaults/at-spi2/accessibility.conf
sudo mv /usr/bin/dbus-launch.old /usr/bin/dbus-launch
sudo mv /usr/bin/dbus-send.old /usr/bin/dbus-send
sudo mv /usr/lib/qt/libexec/QtWebEngineProcess.old /usr/lib/qt/libexec/QtWebEngineProcess
sudo mv /usr/bin/chromium.old /usr/bin/chromium
sudo mv /usr/bin/gmenudbusmenuproxy.old /usr/bin/gmenudbusmenuproxy
sudo mv /usr/lib/gvfsd-trash.old /usr/lib/gvfsd-trash

#Manually download the keyring if you get "Invalid or Corrupted package (PGP signature)" when you perform "pacman -Syuw":
#sudo pacman -Sy archlinux-keyring
sudo pacman -Syuw
sudo killall dhcpcd
sudo ip link set INTERFACE down
sudo killall MyKillscript
#/boot is an attack surface and isn't required once the PC is booted.
sudo mount /dev/sda1 /boot
sudo pacman -Su

#Rename the files again after the upgrade:
sudo mv /usr/share/defaults/at-spi2/accessibility.conf /usr/share/defaults/at-spi2/accessibility.conf.old
sudo mv /usr/bin/dbus-launch /usr/bin/dbus-launch.old
sudo mv /usr/bin/dbus-send /usr/bin/dbus-send.old
sudo mv /usr/lib/qt/libexec/QtWebEngineProcess /usr/lib/qt/libexec/QtWebEngineProcess.old
sudo mv /usr/bin/chromium /usr/bin/chromium.old
sudo mv /usr/bin/gmenudbusmenuproxy /usr/bin/gmenudbusmenuproxy.old
sudo mv /usr/lib/gvfsd-trash /usr/lib/gvfsd-trash.old

#Check xorg settings to disable abstract sockets (which can be exploited remotely):
sudo nano /usr/bin/sddm/sddm.conf.d/defaults.conf
sudo nano /usr/lib/sddm/sddm.conf.d/default.conf

#add this to the ServerArguments section of the file:
[X11]
ServerArguments=-nolisten tcp -nolisten local

shutdown -r now

EMERGENCY RESCUE PROCEDURES:
----------
----------

cryptsetup open --type luks /dev/sda2 lvm
mount /dev/vol0/root /mnt
mount /dev/sda1 /mnt/boot
arch-chroot /mnt /bin/bash

#To Close:
exit    #(the chroot)
umount /mnt/boot
umount /mnt
vgchange -a n vol0
cryptsetup luksClose lvm

Now let's get busy:

FORMAT THE DRIVES:
--------------------------

-List Drives:
lsblk

-Partition the Drives:
gdisk /dev/sdX
#(careful here, you may want to use a different drive for detached luks header)

One partition (1): first sector 2048 (default), last sector “513MB” (the extra MB is for buffer), hex code EF00 (EFI SYSTEM).

Another partition (2): first sector (default), last sector should be the remainder of the drive, hex code 8E00 (Linux LVM).

-List the created partitions:
gdisk -l /dev/sdX

CREATE AND OPEN LUKS CONTAINER FOR INITIAL INSTALL (where X is the drive number):
https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Encrypted_syst...
--------------------------

#DETACHED LUKS HEADER (REFER TO THE WIKI FOR THE FULL STEPS)
dd if=/dev/zero of=header.img bs=4M count=1 conv=notrunc
cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --verify-passphrase luksFormat --type luks2 /dev/sdX2 --align-payload 8192 --header header.img
-lsblk is your friend

cryptsetup open --header header.img /dev/sdX2 lvm

#AFTER PACSTRAP, DO THIS
mv header.img /mnt/boot

#NO DETACHED LUKS HEADER
cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --verify-passphrase luksFormat --type luks2 /dev/sdX2
-lsblk is your friend
cryptsetup open --type luks /dev/sdX2 lvm

GENERAL DISK FU:
--------------------------

CREATE AND MOUNT FILESYSTEMS:
--------------------------

#CREATE AND MOUNT THE ROOT/SWAP VOLUME:

pvcreate /dev/mapper/lvm
-/dev/mapper/lvm is the LUKS container on /dev/sdX2 that was opened above; pvcreate turns it into an LVM physical volume

vgcreate vol0 /dev/mapper/lvm

lvcreate --name root -l 100%FREE vol0

#lvcreate --name swap -L 8gb vol0
#(lol swap lol forensics)

mkfs.ext4 /dev/mapper/vol0-root

#mkswap /dev/mapper/vol0-swap
#swapon /dev/vol0/swap
#(lol swap lol forensics)

mount /dev/vol0/root /mnt
#To mount the root volume that was just created.

#CREATE AND MOUNT THE BOOT VOLUME:
#THIS MAY BE DIFFERENT DEPENDING ON DETACHED LUKS HEADER
mkfs.vfat /dev/sdX1
mkdir -p /mnt/boot
mount /dev/sdX1 /mnt/boot

CONNECT YOUR ETHERNET:
--------------------------

ip link
#Check Ethernet names and the status of your ethernet ports (up or down).

dhcpcd YourEthernetNameGoesHere
#Get an IP address.

ifconfig
#Check your IP address.

INSTALL BASE PACKAGES:
https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Encrypted_syst...
--------------------------

https://i.ibb.co/DY6csmR/Beastmode1.jpg
https://i.ibb.co/y0RV4jg/Beastmode2.jpg
https://i.ibb.co/sqg6k6J/Beastmode3.jpg
https://i.ibb.co/MgynpLR/Beastmode4.jpg
https://i.ibb.co/4FM67L8/Beastmode5.jpg

#https://man.archlinux.org/man/pacstrap.8
#Note: linux-firmware is non-free firmware. You should be set if you are using Intel Network cards or Broadcom Network cards that use a native Linux driver.

#https://wiki.archlinux.org/title/Makepkg#Usage
#Note: base-devel was removed from the initial install guide. You're probably going to need it.

pacstrap -i /mnt base base-devel linux linux-firmware

#IF USING A DETACHED LUKS HEADER, DO THIS (REFER TO THE WIKI FOR THE FULL STEPS):
mv header.img /mnt/boot

#Then generate and check fstab
genfstab -U -p /mnt >> /mnt/etc/fstab
nano /mnt/etc/fstab

#Watch the pretty code fly across the screen.

CHROOT INTO THE NEWLY INSTALLED SYSTEM AND START FUCKING WITH IT:
--------------------------

modprobe efivarfs
arch-chroot /mnt /bin/bash

#UNCOMMENT THE ENTRY IN THE BELOW FILES TO SET YOUR LOCALE:

nano /etc/locale.gen
#en_US.UTF-8 UTF-8

nano /etc/locale.conf
# LANG=en_US.UTF-8

locale-gen

#SET YOUR HOSTNAME:

echo "Ruin" > /etc/hostname

USER ACCOUNT SHENANIGANS:
--------------------------

#Secure root with a password:
passwd

#Add a regular user; require root password for sudo usage:
useradd -m -g users -G wheel,storage,power -s /bin/bash war
passwd war

#Open sudoers with visudo (it checks the syntax before saving):
EDITOR=nano visudo

#Search for and uncomment (allow all members of group wheel to execute any command):
## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL

#Add (sudo will ask for the root password):
Defaults rootpw

SET UP THE PACKAGE MANAGER:
--------------------------

nano /etc/pacman.conf
#Change SigLevel

SigLevel = Required DatabaseOptional TrustedOnly
#Uncomment the below two lines:

#[multilib]
#Include = /etc/pacman.d/mirrorlist

SET UP PACKAGE MIRRORS:
https://wiki.archlinux.org/title/Mirrors
https://archlinux.org/mirrors/status/
--------------------------

mv /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.old
nano /etc/pacman.d/mirrorlist

#SWEDEN TIER 1 MIRROR
Server = https://ftp.acc.umu.se/mirror/archlinux/$repo/os/$arch
#SLOVENIA TIER 1 MIRROR
Server = https://archimonde.ts.si/archlinux/$repo/os/$arch
#CANADA TIER 1 MIRROR
Server = https://mirror.csclub.uwaterloo.ca/archlinux/$repo/os/$arch
#UNITED STATES TIER 1 MIRROR
Server = http://mirror.es.its.nyu.edu/archlinux/$repo/os/$arch
#GERMANY TIER 1 MIRROR
Server = https://mirror.f4st.host/archlinux/$repo/os/$arch

INSTALL BOOTCTL:
--------------------------

bootctl install

FIND THE UUID of /dev/SDX2, INSERT IT INTO /boot/loader/entries/arch.conf:
--------------------------

blkid /dev/sdX2
blkid /dev/sdX2 | awk '{print $2}' | sed 's/"//g' > /boot/loader/entries/arch.conf
#blkid -s PARTUUID /dev/sdX2 > /boot/loader/entries/arch.conf
nano /boot/loader/entries/arch.conf
cat /boot/loader/entries/arch.conf

#MAKE SURE YOU’RE GOOD TO GO AND THAT THE UUID IS INSERTED:
blkid /dev/sdX2
cat /etc/fstab
cat /boot/loader/entries/arch.conf

ADD THIS TO THE ABOVE FILE:
--------------------------

nano /boot/loader/entries/arch.conf

title    Arch Linux
linux    /vmlinuz-linux
initrd    /initramfs-linux.img
options    cryptdevice=UUID=YOUPUTTHISHEREINTHEABOVESTEPnoquotes:lvm:allow-discards root=/dev/mapper/vol0-root quiet rw

UPDATE .efi BOOT FILES:
--------------------------

bootctl update

INITRAMFS:
https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Encrypted_syst...
--------------------------

#IF NOT USING A DETACHED HEADER
#Add keymap, encrypt, and lvm2 HOOKS:

nano /etc/mkinitcpio.conf

MODULES=(ext4)
#keyboard and keymap come before encrypt so the passphrase prompt uses your keyboard layout
HOOKS=(base udev autodetect modconf block keyboard keymap encrypt lvm2 filesystems fsck)

#now mkinit
mkinitcpio -p linux

#IF USING A DETACHED HEADER (REFER TO THE WIKI FOR THE FULL STEPS):
#Add the UUID of your encrypted device to /etc/crypttab.initramfs
blkid /dev/sdX2
blkid /dev/sdX2 | awk '{print $2}' | sed 's/"//g' > /etc/crypttab.initramfs

#Format the crypttab

nano /etc/crypttab.initramfs

lvm    UUID=YOUPUTTHISHEREINTHEABOVESTEPnoquotes    none    header=/boot/header.img

#Add proper files and HOOKS:
nano /etc/mkinitcpio.conf

MODULES=(ext4)
HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt sd-lvm2 filesystems fsck)

#now mkinit
mkinitcpio -p linux

OPTIONAL: EDIT /etc/fstab to not automount /boot
--------------------------

#add noauto (so /boot is not mounted automatically at boot)
# This example is for /dev/sda1

nano /etc/fstab

#The entry should look like:
UUID=XXXX-XXXX    /boot    vfat    rw,relatime

#The change should look like:
UUID=XXXX-XXXX    /boot    vfat    noauto,rw,relatime

GRACEFULLY REBOOT:
--------------------------

exit
umount /mnt/boot
umount /mnt
reboot

You've now successfully installed Arch Linux (assuming no typos). The hard part is over:

INSTALL INTEL-UCODE:
--------------------------

#Install the Intel U-Code patch to mitigate against Spectre/Meltdown.
pacman -S intel-ucode

#Modify your bootloader to use the Intel U-Code.
nano /boot/loader/entries/arch.conf

title    Arch Linux
linux    /vmlinuz-linux
initrd    /intel-ucode.img
initrd    /initramfs-linux.img
options    cryptdevice=UUID=YOUPUTTHISHEREINTHEABOVESTEPnoquotes:lvm:allow-discards root=/dev/mapper/vol0-root quiet rw

UPDATE .efi BOOT FILES:
--------------------------

bootctl update

ETHERNET NICKNAMES:
https://wiki.archlinux.org/title/Network_configuration#Change_interface_...
--------------------------

#Change the name of your interfaces from "enp0s3" to HUMAN READABLE names:
sudo nano /etc/udev/rules.d/10-network.rules

SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="88:88:88:88:87:88", NAME="LAN"

#Reload udev to apply the interface name changes (or reboot).

sudo udevadm control --reload-rules && sudo udevadm trigger

INSTALL PACKAGE CHECKING PACKAGES:
--------------------------

sudo pacman -S pacutils

INSTALL NETWORK LOOKUP PACKAGES:
https://wiki.archlinux.org/index.php/Network_Debugging
--------------------------

sudo pacman -S bind-tools
#Includes dig, host, and nslookup

INSTALL DISK FORMATTING PACKAGES:
--------------------------

#gdisk is part of the gptfdisk package
sudo pacman -S dosfstools gparted gptfdisk cdrdao dvd+rw-tools k3b

INSTALL MAC SPOOFING PACKAGES (BECAUSE YOU MOST LIKELY HAVE 88:88:88:88:87:88 AS YOUR MAC AFTER DEBLOBBING WITH THE INTEL MANAGEMENT ENGINE):
--------------------------

sudo pacman -S macchanger

#Random MAC:
macchanger -r LAN

#or

#Hard-Coded MAC:
macchanger -m aa:bb:cc:dd:ee:ff LAN

#Try creating a startup script.

HOW TO DISABLE IPV6:
--------------------------

sudo nano /etc/dhcpcd.conf

#add this to the file above
noipv6rs
noipv6

INSTALL A CONSOLE PROGRAM:
--------------------------

sudo pacman -S screen

SET UP DATE AND TIME:
--------------------------

#Check System Clock and Time Zone
timedatectl

#Set Time Zone
timedatectl set-timezone America/New_York
timedatectl list-timezones

#Set System Clock
timedatectl set-time "yyyy-MM-dd hh:mm:ss"

#Show Hardware Clock
hwclock --show

#Set Hardware Clock from System Clock
hwclock --systohc

XORG NECESSITIES (I USE XORG AND KDE AND DISABLE ABSTRACT SOCKETS, SUE ME FGT):
--------------------------

sudo pacman -S xorg-server xorg-apps xorg-xinit xorg-twm xorg-xclock xterm

#Test
startx
exit

INSTALL SDDM LOGIN MANAGER:
https://wiki.archlinux.org/index.php/SDDM
https://wiki.archlinux.org/index.php/Display_manager#Loading_the_display...
--------------------------

sudo pacman -S sddm
sudo systemctl enable sddm.service

INSTALL THE KDE PLASMA DESKTOP:
https://wiki.archlinux.org/index.php/KDE
--------------------------

sudo pacman -S plasma-meta kde-applications

INSTALL TMUX:
https://bbs.archlinux.org/viewtopic.php?id=204091
--------------------------

sudo pacman -S tmux htop

nano ~/.tmux.conf    #NOT AS ROOT

#Add the below to the blank file to remap "screen navigation" to ctrl+a (because it's easier) and enable mouse scrollback:
#NOTE: HAND PECK, DON’T COPY PASTE

#-----
#REBIND KEYS TO ctrl+a
unbind C-b
set -g prefix C-a
bind C-a send-prefix
set-option -g -q mouse on
#ENABLE PAGE UP SCROLLBACK/PAGE DOWN EXIT
bind-key -T root PPage if-shell -F "#{alternate_on}" "send-keys PPage" "copy-mode -e; send-keys PPage"
#bind-key -t vi-copy PPage page-up
#bind-key -t vi-copy NPage page-down

#HOW TO COPY PASTE WITH THE MOUSE:
#Select the text you want, then push Alt + w with the text still selected.

LOCK DOWN THE "PROFILE DIRECTORY" IN THE HOME FOLDER FOR ROOT ONLY ACCESS (GENERAL FILE PERMISSION SHENANIGANS):
--------------------------

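sudo chown -R root:root /home/war/SIG
sudo chmod -R 775 /home/war/SIG
#Note: with root:root ownership, mode 775 stops other users from writing, but they can still read and enter the directory. Use 700 if only root should have any access.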

FIREJAIL SANDBOXING:
--------------------------

sudo pacman -S firejail

DISABLE X11 ABSTRACT SOCKETS:
--------------------------

</bash>
sudo nano /usr/bin/sddm/sddm.conf.d/defaults.conf
sudo nano /usr/lib/sddm/sddm.conf.d/default.conf

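#add this to the ServerArguments section of the file (a package upgrade overwrites /usr/lib/sddm/sddm.conf.d/default.conf; the same section in a drop-in file under /etc/sddm.conf.d/ survives upgrades):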
[X11]
ServerArguments=-nolisten tcp -nolisten local

INSTALL THIS PROGRAM TO CREATE MOUSE RANDOMIZATION SCRIPTS:
--------------------------

sudo pacman -S xautomation

You should have a GUI now. Let's play "Piss off the FBI Agent" now:

STOP JOURNALD FROM WRITING TO DISK
https://unix.stackexchange.com/questions/139513/how-to-clear-journalctl
-systemd-journald needs to continue to run, but it’s possible to tell it to not write logs to disk
--------------------------

#Change storage settings
sudo nano /etc/systemd/journald.conf
   
Storage=none

#Restart the service
sudo systemctl restart systemd-journald
sudo systemctl status systemd-journald

#Remove old journald logs (leave the folder there, delete what’s inside it)
sudo rm -rf /var/log/journal/*

#Check journald disk usage
journalctl --disk-usage

EASILY DISABLE BASH HISTORY FOR EACH USER:
http://mewbies.com/how_to_disable_bash_history_or_limit_tutorial.html
--------------------------

#Add the below to your bash profile (root and normal user):
nano ~/.bash_profile

#--
export HISTFILESIZE=
export HISTSIZE=
unset HISTFILE
#--

#Remove the history file (root and normal user)
rm ~/.bash_history -rf

#Clear terminal history
history -cw

#Reboot and test

DISABLE KDE WALLET (GUI)
--------------------------

kwalletmanager

settings > configure wallet > uncheck the box “Enable the KDE wallet subsystem”
-Delete the folders in the wallet and close the wallet first.

KDE VIEW PROPERTIES (DOLPHIN):
--------------------------

-In dolphin: Control > Adjust View Properties > uncheck “show preview”
-Do this from the home directory

#Disable write permissions to KDE View Properties Folder
chmod -w /home/war/.local/share/dolphin/view_properties/local

DISABLE THE KDE CLIPBOARD:
--------------------------

-Add clipboard widget
-Set widget to store 1 entry only
-Uncheck “Save clipboard contents on exit”
-Uncheck “prevent empty clipboard”

DISABLE KDE RECENTLY OPENED DOCUMENTS:
--------------------------

#Disable Recent Documents
chmod -w ~/.local/share/RecentDocuments

#Clean up recently-used.xbel
rm -f ~/.local/share/recently-used.xbel
touch ~/.local/share/recently-used.xbel
chmod -w ~/.local/share/recently-used.xbel

DISABLE KDE COOKIES (GUI):
--------------------------

System Settings > Network > Settings > Cookies > uncheck “Enable Cookies”

CLEAR KDE RECENTLY OPENED DOCUMENTS/APPLICATIONS (GUI):
--------------------------

-Use the GUI, right click, “forget all”

START WITH NEW SESSION UPON EACH BOOT (GUI):
--------------------------

Startup and Shutdown > Desktop Session

Theatricality & deception. Powerful agents to the uninitiated; but we are initiated aren't we, Bruce...
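
For the "FIND THE UUID" step above (layout without a detached header), the whole loader entry can be generated from the blkid output instead of redirecting the UUID into the file and editing around it by hand. This is an added example, not part of the original post; the function names and the sample blkid lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# luks_uuid LINE: print the value of the UUID="..." field from one line of
# blkid output. PARTUUID="..." is not matched (no whitespace before "UUID").
luks_uuid() {
    printf '%s\n' "$1" | sed -n 's/^.*[[:space:]]UUID="\([^"]*\)".*$/\1/p'
}

# loader_entry LINE: print the systemd-boot entry used in this guide for the
# partition that LINE describes. Fails if the partition is not LUKS or the
# UUID does not look like a LUKS UUID, so the ESP cannot be picked by mistake.
loader_entry() {
    case $1 in
        *'TYPE="crypto_LUKS"'*) ;;
        *) echo "loader_entry: not a crypto_LUKS partition" >&2; return 1 ;;
    esac
    uuid=$(luks_uuid "$1")
    if ! printf '%s\n' "$uuid" |
        grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'; then
        echo "loader_entry: unexpected UUID '$uuid'" >&2
        return 1
    fi
    cat <<EOF
title    Arch Linux
linux    /vmlinuz-linux
initrd    /initramfs-linux.img
options    cryptdevice=UUID=${uuid}:lvm:allow-discards root=/dev/mapper/vol0-root quiet rw
EOF
}

# Constructed samples of what blkid prints (all UUIDs are made up).
SAMPLE_LUKS='/dev/sdX2: UUID="0a1b2c3d-1111-2222-3333-444455556666" TYPE="crypto_LUKS" PARTLABEL="Linux LVM" PARTUUID="9f8e7d6c-aaaa-bbbb-cccc-ddddeeeeffff"'
SAMPLE_ESP='/dev/sdX1: UUID="ABCD-1234" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="12345678-aaaa-bbbb-cccc-ddddeeeeffff"'

# In the chroot: loader_entry "$(blkid /dev/sdX2)" > /boot/loader/entries/arch.conf
```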
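
Several settings in this guide live in files that a package upgrade or a later hand edit can revert without notice (the upgrade procedure above re-checks the SDDM file for that reason). The script below is an added example, not part of the original post, that audits the journald, SDDM, fstab and pacman settings; the function names are hypothetical and the file paths are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# has_line FILE ERE: true if an uncommented line of FILE matches ERE.
has_line() {
    [ -r "$1" ] && grep -Ev '^[[:space:]]*#' "$1" | grep -Eq -e "$2"
}

pass() { echo "ok    $1"; }
fail() { echo "FAIL  $1 ($2)"; fails=$((fails + 1)); }

# want/deny DESCRIPTION FILE ERE: the setting must / must not be present.
want() { if has_line "$root$2" "$3"; then pass "$1"; else fail "$1" "$2"; fi; }
deny() { if has_line "$root$2" "$3"; then fail "$1" "$2"; else pass "$1"; fi; }

# audit ROOT: ROOT is a path prefix ("" for the running system, a scratch
# directory for testing). The exit status is the number of failed checks.
audit() {
    root=$1
    fails=0
    want "journald stores no logs" /etc/systemd/journald.conf \
        '^[[:space:]]*Storage=none[[:space:]]*$'
    want "X server has no abstract socket" /usr/lib/sddm/sddm.conf.d/default.conf \
        '^[[:space:]]*ServerArguments=.*-nolisten local'
    want "/boot is not mounted automatically" /etc/fstab \
        '[[:space:]]/boot[[:space:]]+vfat[[:space:]]+([^[:space:]]*,)?noauto(,|[[:space:]]|$)'
    want "pacman requires package signatures" /etc/pacman.conf \
        '^[[:space:]]*SigLevel[[:space:]]*=.*Required'
    deny "no repository relaxes signature checks" /etc/pacman.conf \
        '^[[:space:]]*SigLevel[[:space:]]*=.*(Never|TrustAll)'
    return "$fails"
}

# On the installed system: audit ""
```

Run it after every `pacman -Su`; a non-zero exit status is the number of settings that need to be re-applied.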