Athena Fedora
Introduction
During this period, and according to the preferences of the community, a feasibility study has been performed on using Fedora as base system for a pentesting distribution.
Our study identified very interesting advantages of designing a pentesting distro based on Fedora. For this reason, we decided to migrate Athena OS from Arch Linux to Fedora.
Advantages of Athena Fedora over Arch
Security-Enhanced Linux
Athena Fedora will implement SELinux (Security-Enhanced Linux) including security policies provided directly by Fedora and Red Hat Team, preinstalled and preconfigured for you. SELinux enforces a Mandatory Access Control (MAC) through Linux Security Modules in the Linux kernel, in addition to the already provided Discretionary Access Control (DAC). They are enforced in a separated manner providing a boost on the security of your system.
Secure Boot Support
UEFI Secure Boot is supported and ensures that only trusted software is allowed to start when your computer boots up. No malware or rootkits could try to take control before your OS even starts.
Hardened Compiler Flags
RPM packages that will be shipped in Athena are built with hardened compiler flags to mitigate memory corruption attacks.
CI/CD Automation
Athena OS infrastructure is integrated with Fedora infrastructure (COPR) in order to maintain, build and update packages with no manual intervention. It strongly reduces the effort of Athena maintainers that can focus on different aspects of the system.
RPM packaging
We are studying an efficient way to create and build packages for pentesting tools by RPM packages. It allows these pentesting tools to be used not only on Fedora-based systems but on several different distros (i.e., AlmaLinux, CentOS, RHEL, OpenSUSE).
Stable vs Rolling releases
On Arch-base the project suffered the weak point of a rolling release model, that could provide unstable packages that can brick the system. The purpose of the project is to focus on security and stability over all. Stable releases could fit this target.
Performance
The kernel includes a lot of important modules that in Arch must be manually included by adding a time delay during the installation.
During these last days, simple performance tests have been performed on QEMU/KVM and:
- The boot takes 4 seconds
- The installation takes 6 minutes by a standard Internet connection; in Athena Arch it needed 15 minutes
Roadmap
A long-term target will be to make Athena OS the first OSTree pentesting distribution. It will boost much more security and stability of the system.
The purpose of this huge project is not only to set up a friendly environment for pentesters or red-teamers, but also to provide a highly-secure system, mostly for those users operating in high-risky environments.
Getting Started
Athena OS is migrating to Fedora-base in order to improve stability and security of the system.
A beta is available to be tested and published at https://hub.athenaos.org/athena-images/rolling/athenaos-live-x86_64.iso
Currently, Athena Fedora does not ship pentesting tools but it just leverages on ones provided by Fedora repository itself.
A list of them can be found in the Fedora Security Lab repository.
In the future, we will submit much more pentesting tools in the repository.
How To Use
User experience on Athena Fedora will be much similar to the Arch-based one with just one difference: the management of the packages.
Athena Fedora manages packages by using dnf instead than pacman. Here there are useful commands to start with:
Package Installation
Install a package:
sudo dnf install <package-name>Install a package without providing confirmation:
sudo dnf install -y <package-name>Reinstall a package:
sudo dnf reinstall <package-name>Reinstall a package without providing confirmation:
sudo dnf reinstall -y <package-name>Package Removal
Remove a package:
sudo dnf remove <package-name>Remove a package without providing confirmation:
sudo dnf remove -y <package-name>System Upgrade
Upgrade the system:
sudo dnf upgradePackage Version Downgrade
There are several methods to downgrade a package. By using:
sudo dnf downgrade <package-name>the package will be downgrade on the early version, if it exists on the repository.
You can also downgrade a package to a specific version by getting the list of available versions:
dnf --showduplicates list <package-name>and then installing your favourite version:
sudo dnf install <package-name>-<version>After downgrading, you might want to hold the package:
sudo dnf versionlock add <package-name>To unlock:
sudo dnf versionlock delete <package-name>Package Information
To check information about a remote package:
dnf info <package-name>To check information about a local package:
dnf info --installed <package-name>or
rpm -qi <package-name>Package Dependencies
To list all the dependencies required by a package:
dnf repoquery --requires <package-name>or, for local packages only:
rpm -qR <package-name>To list all the packages a specific package is a dependency:
dnf repoquery --whatrequires <package-name>or, for installed packages only:
dnf repoquery --installed --whatrequires <package-name>Package File Details
To list all files installed by a package:
dnf repoquery --list <package-name>or
rpm -ql <package-name>To list a specific file to which package belongs:
rpm -qf /path/to/filePackage Search
To check for all packages provided by your set repositories by command line:
dnf repoquery --repo=fedoradnf repoquery --repo=athenaosdnf repoquery --repo=microsoft-fedoraTo check for a specific package by command line:
dnf repoquery --repo=fedora libsecretor you can use regex if you are not sure of the complete name:
dnf repoquery --repo=fedora "libse*"The value of --repo= parameter for each repository (official, third-party, COPR) set on your system can be found inside the first line of each file in /etc/yum.repos.d.
Add RPM Fusion repository: https://docs.fedoraproject.org/en-US/quick-docs/rpmfusion-setup/
To check online if a package is provided by Official Fedora Repositories: https://packages.fedoraproject.org/ Or, to check if a package exists in also Fedora Third-Party repositories (i.e., RPM Fusion): https://pkgs.org/