Skip to content

Athena Fedora

Introduction

During this period, and according to the preferences of the community, a feasibility study has been performed on using Fedora as base system for a pentesting distribution.

Our study identified very interesting advantages of designing a pentesting distro based on Fedora. For this reason, we decided to migrate Athena OS from Arch Linux to Fedora.

Advantages of Athena Fedora over Arch

Security-Enhanced Linux

Athena Fedora will implement SELinux (Security-Enhanced Linux) including security policies provided directly by Fedora and Red Hat Team, preinstalled and preconfigured for you. SELinux enforces a Mandatory Access Control (MAC) through Linux Security Modules in the Linux kernel, in addition to the already provided Discretionary Access Control (DAC). They are enforced in a separated manner providing a boost on the security of your system.

Secure Boot Support

UEFI Secure Boot is supported and ensures that only trusted software is allowed to start when your computer boots up. No malware or rootkits could try to take control before your OS even starts.

Hardened Compiler Flags

RPM packages that will be shipped in Athena are built with hardened compiler flags to mitigate memory corruption attacks.

CI/CD Automation

Athena OS infrastructure is integrated with Fedora infrastructure (COPR) in order to maintain, build and update packages with no manual intervention. It strongly reduces the effort of Athena maintainers that can focus on different aspects of the system.

RPM packaging

We are studying an efficient way to create and build packages for pentesting tools by RPM packages. It allows these pentesting tools to be used not only on Fedora-based systems but on several different distros (i.e., AlmaLinux, CentOS, RHEL, OpenSUSE).

Stable vs Rolling releases

On Arch-base the project suffered the weak point of a rolling release model, that could provide unstable packages that can brick the system. The purpose of the project is to focus on security and stability over all. Stable releases could fit this target.

Performance

The kernel includes a lot of important modules that in Arch must be manually included by adding a time delay during the installation.

During these last days, simple performance tests have been performed on QEMU/KVM and:

  • The boot takes 4 seconds
  • The installation takes 6 minutes by a standard Internet connection; in Athena Arch it needed 15 minutes

Roadmap

A long-term target will be to make Athena OS the first OSTree pentesting distribution. It will boost much more security and stability of the system.

The purpose of this huge project is not only to set up a friendly environment for pentesters or red-teamers, but also to provide a highly-secure system, mostly for those users operating in high-risky environments.

Getting Started

Athena OS is migrating to Fedora-base in order to improve stability and security of the system.

A beta is available to be tested and published at https://hub.athenaos.org/athena-images/rolling/athenaos-live-x86_64.iso

Currently, Athena Fedora does not ship pentesting tools but it just leverages on ones provided by Fedora repository itself.

In the future, we will submit much more pentesting tools in the repository.

How To Use

User experience on Athena Fedora will be much similar to the Arch-based one with just one difference: the management of the packages.

Athena Fedora manages packages by using dnf instead than pacman. Here there are useful commands to start with:

Package Installation

Install a package:

Terminal window
sudo dnf install <package-name>

Install a package without providing confirmation:

Terminal window
sudo dnf install -y <package-name>

Reinstall a package:

Terminal window
sudo dnf reinstall <package-name>

Reinstall a package without providing confirmation:

Terminal window
sudo dnf reinstall -y <package-name>

Package Removal

Remove a package:

Terminal window
sudo dnf remove <package-name>

Remove a package without providing confirmation:

Terminal window
sudo dnf remove -y <package-name>

System Upgrade

Upgrade the system:

Terminal window
sudo dnf upgrade

Package Version Downgrade

There are several methods to downgrade a package. By using:

Terminal window
sudo dnf downgrade <package-name>

the package will be downgrade on the early version, if it exists on the repository.

You can also downgrade a package to a specific version by getting the list of available versions:

Terminal window
dnf --showduplicates list <package-name>

and then installing your favourite version:

Terminal window
sudo dnf install <package-name>-<version>

After downgrading, you might want to hold the package:

Terminal window
sudo dnf versionlock add <package-name>

To unlock:

Terminal window
sudo dnf versionlock delete <package-name>

Package Information

To check information about a remote package:

Terminal window
dnf info <package-name>

To check information about a local package:

Terminal window
dnf info --installed <package-name>

or

Terminal window
rpm -qi <package-name>

Package Dependencies

To list all the dependencies required by a package:

Terminal window
dnf repoquery --requires <package-name>

or, for local packages only:

Terminal window
rpm -qR <package-name>

To list all the packages a specific package is a dependency:

Terminal window
dnf repoquery --whatrequires <package-name>

or, for installed packages only:

Terminal window
dnf repoquery --installed --whatrequires <package-name>

Package File Details

To list all files installed by a package:

Terminal window
dnf repoquery --list <package-name>

or

Terminal window
rpm -ql <package-name>

To list a specific file to which package belongs:

Terminal window
rpm -qf /path/to/file

To check for all packages provided by your set repositories by command line:

Terminal window
dnf repoquery --repo=fedora
dnf repoquery --repo=athenaos
dnf repoquery --repo=microsoft-fedora

To check for a specific package by command line:

Terminal window
dnf repoquery --repo=fedora libsecret

or you can use regex if you are not sure of the complete name:

Terminal window
dnf repoquery --repo=fedora "libse*"

The value of --repo= parameter for each repository (official, third-party, COPR) set on your system can be found inside the first line of each file in /etc/yum.repos.d.

Add RPM Fusion repository: https://docs.fedoraproject.org/en-US/quick-docs/rpmfusion-setup/

To check online if a package is provided by Official Fedora Repositories: https://packages.fedoraproject.org/ Or, to check if a package exists in also Fedora Third-Party repositories (i.e., RPM Fusion): https://pkgs.org/