This page will detail how to properly configure a Linux guest for recording with REVEN.
IMPORTANT: We strongly recommend you start with one of the VMs available on tetrane's website. These are already properly configured and tested.
- Guest system requirements
- Enabling the OSSI feature
- Maximizing the symbol coverage
- Optimizing the guest for analysis
- Final touches
REVEN requires Linux guests to be running a compatible kernel: Linux 64-bit, versions 4.1 to 4.18.0 included.
- Tested distributions:
- Fedora 27 (kernel version 4.13)
- OpenSUSE 15.1 (kernel version 4.12.14)
- Debian 9 (kernel version 4.9)
- Ubuntu 16.04 (kernel version 4.13)
- CentOS 8 (kernel version 4.18.0)
- Other untested distributions in the compatibility range:
- OpenSUSE 15.0 (kernel version 4.12)
- Ubuntu 17.10 (kernel version 4.13)
- NixOS up to 18.09 (kernel version 4.14)
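As an added example (not part of the REVEN documentation), the following script checks whether a kernel release string falls inside the range stated above, 4.1 to 4.18.0 inclusive, so you can verify a candidate guest before spending time on the rest of the setup. The range constants come from this page; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not REVEN's own tooling: decide whether a Linux kernel
# release string is inside the range REVEN supports for Linux guests.
# Bounds are taken from the documentation: 4.1 to 4.18.0 inclusive.
REVEN_MIN_KERNEL="4.1.0"
REVEN_MAX_KERNEL="4.18.0"

# ver_key "4.13.0" -> prints 4013000 (major*10^6 + minor*10^3 + patch).
# Missing minor/patch components count as 0. Returns 1 on non-numeric input.
ver_key() {
    v=$1
    maj=${v%%.*}; rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0            # no '.' at all: "4" -> 4.0.0
    min=${rest%%.*}; rest2=${rest#*.}
    [ "$rest2" = "$rest" ] && rest2=0       # no patch component: "4.9" -> 4.9.0
    pat=${rest2%%.*}
    for n in "$maj" "$min" "$pat"; do
        case $n in ''|*[!0-9]*) return 1 ;; esac
    done
    echo $((maj * 1000000 + min * 1000 + pat))
}

# kernel_in_range RELEASE -> 0 if RELEASE (as printed by `uname -r`, e.g.
# "4.13.0-21-generic" or "4.18.0-80.el8.x86_64") is supported, 1 if it is
# outside the range, 2 if it cannot be parsed.
kernel_in_range() {
    base=${1%%-*}                           # drop the distro suffix after '-'
    key=$(ver_key "$base") || return 2
    lo=$(ver_key "$REVEN_MIN_KERNEL")
    hi=$(ver_key "$REVEN_MAX_KERNEL")
    [ "$key" -ge "$lo" ] && [ "$key" -le "$hi" ]
}

# report RELEASE -> human-readable verdict; always exits 0 so it can be
# used at the end of a script without tripping `set -e`.
report() {
    if kernel_in_range "$1"; then
        echo "kernel $1: supported by REVEN ($REVEN_MIN_KERNEL .. $REVEN_MAX_KERNEL)"
    else
        echo "kernel $1: NOT in the REVEN-supported range ($REVEN_MIN_KERNEL .. $REVEN_MAX_KERNEL)"
    fi
    return 0
}

# Usage: sh kernel_check.sh            (checks the running kernel)
#        sh kernel_check.sh 4.13.0-21-generic
[ $# -gt 0 ] && report "$1"
```

Run it inside the candidate guest with no arguments to check `uname -r`, or pass a release string to check a kernel before installing it. Note that it only checks the version number; a distribution may still ship patches that affect OSSI, as the note above explains.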
NOTE: each distribution and version can have its own peculiarities and may require further configuration not described in this guide. Moreover, a distribution may carry a specific set of kernel patches that hinders OSSI retrieval. Again, we recommend starting with a VM available on tetrane's website. Finally, you can contact support if you cannot get OSSI when using a distribution from the list above.
In order to ensure that OS-Specific Information (OSSI) works on a recorded scenario, you must:
- Disable the KASLR and PTI protections,
- Install the kernel headers in the guest.
You need to add the nopti and nokaslr options to your kernel command line. On most systems, the following procedure should work almost as-is:
- Edit the file /etc/default/grub
- Find the variable GRUB_CMDLINE_LINUX_DEFAULT
- Add the nopti and nokaslr options, making the line look like this:
GRUB_CMDLINE_LINUX_DEFAULT="[...] nopti nokaslr"
- Regenerate your grub configuration:
grub2-mkconfig -o /etc/grub2.cfg for CentOS
- Other distributions should work in a similar way.
- After rebooting, verify that the options are present in the running kernel's command line.
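The procedure above, scripted as an added example (not part of the REVEN documentation): the first function edits GRUB_CMDLINE_LINUX_DEFAULT in a GRUB defaults file idempotently, keeping whatever options are already there and adding only the missing ones; the second checks a kernel command line for both options, which is the post-reboot verification step. The function names, the .bak backup suffix and the sample file contents are this example's own choices; regenerating the GRUB configuration is left to the distribution-specific command listed above.

```shell
#!/bin/sh
# Added example, not REVEN's own tooling. Adds the nopti and nokaslr options
# required for OSSI to GRUB_CMDLINE_LINUX_DEFAULT without duplicating them,
# and checks a kernel command line for their presence.
REVEN_KERNEL_OPTS="nopti nokaslr"

# has_opt CMDLINE OPT -> 0 if OPT appears as a whole word in CMDLINE
has_opt() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# grub_default_cmdline FILE -> print the value of GRUB_CMDLINE_LINUX_DEFAULT
# (last assignment wins, as it does for the shell that sources the file)
grub_default_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1" | tail -n 1
}

# add_grub_opts FILE -> rewrite GRUB_CMDLINE_LINUX_DEFAULT in FILE so it
# contains every option in REVEN_KERNEL_OPTS. Existing options are kept,
# missing ones appended, and the variable is created if absent. A copy of
# the original is left at FILE.bak. Running it twice changes nothing.
add_grub_opts() {
    file=$1
    new=$(grub_default_cmdline "$file")
    for opt in $REVEN_KERNEL_OPTS; do
        has_opt "$new" "$opt" || new="$new $opt"
    done
    new=$(printf '%s' "$new" | sed 's/^ *//')   # trim a leading space when it started empty
    if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"; then
        sed -i.bak "s|^GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT=\"$new\"|" "$file"
    else
        cp "$file" "$file.bak"
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$new" >> "$file"
    fi
}

# cmdline_ok CMDLINE -> 0 when every option in REVEN_KERNEL_OPTS is present.
# After a reboot: cmdline_ok "$(cat /proc/cmdline)"
cmdline_ok() {
    for opt in $REVEN_KERNEL_OPTS; do
        has_opt "$1" "$opt" || return 1
    done
    return 0
}

# Usage: sudo sh grub_opts.sh /etc/default/grub
#        then regenerate the GRUB configuration with your distribution's command.
[ $# -gt 0 ] && add_grub_opts "$1"
```

After editing, run the regeneration command for your distribution and reboot; `cmdline_ok "$(cat /proc/cmdline)"` then returns 0 only when the booted kernel really received both options, which is the check that matters, since an edit that was never applied by grub2-mkconfig leaves OSSI broken with no other symptom.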
For Debian-like distributions, this should be done with a command similar to this one:
sudo apt install linux-headers-$(uname -r)
For RedHat-based distributions, the command is more like the following:
sudo dnf install kernel-devel kernel-headers
You should install as many debug symbols on the guest as possible.
By default, symbols are searched within the binaries executed in a scenario. These production binaries usually contain very few symbols.
Most distributions provide a mechanism to download debug symbol packages, which the debuggers can then use to display more context to the user. REVEN can leverage those as well completely transparently, as long as you "prepare" the snapshot after installing them (see More about preparing snapshots).
It will be different for each distribution, but here are a few pointers to get you started:
Linux systems usually display far less background activity than a default Windows 10 installation, so there is no mandatory step in that regard.
Nevertheless, there are steps you can take to make the VM lighter still:
- If you don't need a GUI:
- Disable Xorg server when not needed,
- Disable the console framebuffer if not needed. For example, on Debian systems, add the line to the file /etc/default/grub:
- Install a light desktop environment, such as Xfce,
- Disable any unwanted background service.
Finally, here are more general recommendations to make the experience better.
- Since REVEN supports a narrow set of kernel versions, you should inhibit kernel updates:
- On Fedora: add
- On Ubuntu: run something akin to echo linux-image-xxx hold | dpkg --set-selections
- Don't forget to install your favorite tools.