Hack 85 INSERT Security Here 
INSERT, or the INside SEcurity Rescue Tool, is
a small Knoppix-based distribution with a focus on security. It can
fit on a bootable business-card CD, but still includes many useful
tools for virus scanning, network analysis, computer forensics, and
disaster recovery.
INSERT is a specialized live CD and its outstanding feature is size. INSERT
is about 50 MB, which makes it ideal for downloading and placing it
on a credit-card-sized CD-ROM to be carried on the go.
INSERT is targeted at the Linux professional and system
administrators. It carries all (well, most) of the tools the user
needs to recover a damaged system from a crash, transfer files,
perform network analysis, and assist in computer forensics tasks.
See the following table:

| Requirement | Tools included |
|---|---|
| Window manager | FluxBox |
| File manager | Emelfm, Midnight Commander |
| Web browser | Links-hacked |
| FTP client | AxyFTP, ftp |
| Virus scanner | clamav with avscan frontend |
| Network analysis | Nmap, tcpdump, smb-nat |
| Disk management | Parted, gpart, dd-rescue, testdisk, lilo, grub, cfdisk |
| Backup | Dvd+rw-tools, cdrecord, partimage, BashBurn, burncenter |
| Filesystem support | EXT2, EXT3, MINIX, ReiserFS, JFS, XFS, NTFS, FAT, FAT32, NFS, SMBFS, NCPFS, UDF, UFS, HFS, HFS+, software RAID, and LVM |
| Basic tools | wget, ssh, tar, etc. |
If you're still not convinced that using a Linux
desktop, like INSERT, is the way to go, just read what John Andrews,
author of Damn Small Linux (DSL), writes:
Why? Because having a working Linux desktop distro on a 50 MB
bootable business card CD is just too cool not to do.
There are currently English and German versions of INSERT. These
differ only in the language of the help texts, HTML startup pages,
and the default keyboard layout; otherwise, they are identical.
8.7.1 History
In the summer of 2003, I discovered the existence of DSL (which, if you
recall, is a Linux desktop distribution on a 50-MB CD), and the idea
of INSERT was born. Whereas DSL is targeted at the experienced Linux
desktop user, INSERT is a Linux distribution that can be used for all
kinds of rescue tasks, is small enough to easily carry, and is
downloadable even by people who have access only to low-bandwidth
connections.
Additionally, INSERT is used as an eye-catching marketing tool for
the company that employs me (which partially funded the development
of INSERT). The information material of Inside Security IT Consulting
GmbH gracefully resides on the disc for this very reason.
8.7.2 Technical
Technically, INSERT is based heavily on Knoppix with just a few special
modifications. One noticeable difference is that unlike most other
Knoppix derivatives, INSERT uses its own namespace, which means that
nearly all occurrences of KNOPPIX have been replaced with INSERT. This
was achieved by replacing the strings in all those scripts written by
Klaus—indeed, not a very challenging task.
In developing INSERT, one problem arose: the CD didn't unmount at halt
time. Knoppix uses a customized version of init, so INSERT's init has to
contain the correct path for the loop mount, /INSERT instead of
/KNOPPIX, and it has to be statically linked so that it does not depend
on the C library, which itself resides under /INSERT and is therefore no
longer available once that filesystem has been unmounted.
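The two properties just described (a statically linked init, and the right loop-mount path compiled into it) can be verified before burning a CD. The following checker is an added example, not code from the original hack or from INSERT itself; it assumes an ELF64 little-endian init and builds constructed sample images inline so it runs offline.

```python
import struct

# ELF64 program-header types relevant to the check
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3

def elf_program_headers(data):
    """Yield (p_type, p_offset, p_filesz) for each program header of an ELF64 LE image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        yield p_type, p_offset, p_filesz

def check_init(data, loop_path=b"/INSERT", old_path=b"/KNOPPIX"):
    """Report whether init is statically linked (no PT_INTERP / PT_DYNAMIC, so it needs
    no C library from the loop-mounted filesystem) and which loop path it names."""
    interp, types = None, set()
    for p_type, off, size in elf_program_headers(data):
        types.add(p_type)
        if p_type == PT_INTERP:
            interp = data[off:off + size].rstrip(b"\0").decode()
    return {
        "static": not ({PT_INTERP, PT_DYNAMIC} & types),
        "interpreter": interp,
        "has_new_path": loop_path in data,
        "has_old_path": old_path in data,
    }

def check_init_file(path):
    """Run check_init on a binary on disk, e.g. the init copied out of the miniroot."""
    with open(path, "rb") as f:
        return check_init(f.read())

def build_elf(strings, interp=None):
    """Constructed minimal ELF64 image for this example (not loadable): ELF header,
    program headers, then the interpreter string (if any) followed by `strings`."""
    body = 64 + 56 * (2 if interp else 1)          # file offset where the strings start
    if interp:
        strings = interp + b"\0" + strings
        phdrs = [(PT_INTERP, body, len(interp) + 1), (PT_DYNAMIC, 0, 0)]
    else:
        phdrs = [(PT_LOAD, body, len(strings))]
    img = b"\x7fELF\x02\x01\x01" + b"\0" * 9           # e_ident: ELF64, little-endian
    img += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    for p_type, off, size in phdrs:
        img += struct.pack("<IIQQQQQQ", p_type, 4, off, 0, 0, size, size, 1)
    return img + strings
```

Running `check_init_file("init")` on a real miniroot init reports a dynamically linked binary (one that would break at halt time) as `"static": False` together with its interpreter path, and flags any leftover /KNOPPIX string.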
8.7.3 Size
Most of the development effort in INSERT was spent in shrinking the size
to under 50 MB, which becomes approximately 120 MB uncompressed. The
first task was to remove all unnecessary packages. Due to the many
dependencies, this was a time-consuming task. The next task was to
remove files from the remaining packages, including most of the
documentation from /usr/share/doc, duplicate binaries (e.g., mke2fs and
mkfs.e2fs), and widely unused binaries (e.g., xclock).
Quite a few days and nights were spent removing these packages and
files while still maintaining a working system. The Inside Security
PDF on the CD was shrunk to nearly half its former size by using the
excellent Multivalent PDF tools by Tom Phelps (http://multivalent.sourceforge.net). To avoid
placing duplicates in the main filesystem, the static
ash and the kernel modules were copied from the
miniroot during boot time to save space. Then the compressed
filesystem was created using the --best option to
gain an extra 2 MB of space.
8.7.4 Main Additions
For Version 1.2, released at the beginning of February 2004 during a
DFN-CERT (Deutsches Forschungsnetz Computer Emergency Response Team)
workshop, a major feature was introduced: captive-ntfs, which gives full
read/write support for NTFS partitions using the native Windows NTFS
drivers [Hack #73].
At the same time, the latest version of the open source virus scanner
clamav, including the signature database, and
the Internet update tool freshclam were added.
The combination of these two new features added the ability to scan
and repair NTFS partitions from INSERT. Later,
avscan, a GUI frontend for
clamav, was added.
Six months earlier than Knoppix, INSERT booted from isolinux rather than
from syslinux. With isolinux, a floppy boot image is no longer necessary
and, therefore, more space is now available. There were mainly two
reasons for this change: INSERT needed space to provide memtest86 (a
RAM-checking utility) at boot time, and loop-mounted floppy images were
frustrating to work in. KNOPPIX 3.4 also uses this technique, so Klaus
was able to nearly double the size of the miniroot, which now includes
more SCSI, USB, and FireWire drivers. INSERT v1.2.13 now descends from
KNOPPIX 3.4, so it also provides these improvements.
User feedback and open source software development continues to
improve INSERT. The next major release (due sometime this year) will
probably be based on Linux kernel 2.6.
8.7.5 See Also
—Matthias Mikule