Virtualization
Unique system identifiers across VMs
Check Machine ID
Check current machine ID
cat /etc/machine-id
cat /var/lib/dbus/machine-id
Check if they're linked (they should be)
ls -la /var/lib/dbus/machine-id
Generate new machine ID
Do this for each VM/system
sudo rm /etc/machine-id
sudo rm /var/lib/dbus/machine-id
sudo systemd-machine-id-setup
sudo ln -s /etc/machine-id /var/lib/dbus/machine-id
Ensure each VM has a unique machine-id: clear it in the template before cloning (systemd regenerates a missing or empty /etc/machine-id on first boot) and regenerate it after cloning if the clone was taken from an image that had already booted.
Create Clean VM Template
Before cloning VMs, ensure clean state. Only the machine-id removal needs root: sudo does not change where ~ expands to (the shell expands it before sudo runs), so the browser cleanup below simply runs as the user. Remove anything else that must be unique per clone at the same time, e.g. SSH host keys.
sudo rm /etc/machine-id /var/lib/dbus/machine-id
rm -rf ~/.mozilla/firefox/*/sessionstore*
rm -rf ~/.cache/mozilla/firefox/*/
history -c && history -w
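Added example (not from the page above): a script that performs the regenerate-and-verify steps against a root tree, so it can be run on the live system (ROOT=/) or on a clone's mounted disk image before that clone ever boots, and then compares several trees for duplicate IDs. It draws the ID from /dev/urandom instead of calling systemd-machine-id-setup so it also works on an offline image. The script name, the ROOT argument convention and the sample trees are its own assumptions, not anything the page describes.

```shell
#!/bin/sh
# Added example, not from the original page: scrub and verify machine-id on a
# root tree. ROOT is / for the live system or the mount point of a clone's disk
# image (e.g. after a loop mount), so the whole lab can be checked from the host
# before any clone boots.
set -eu

# Write a fresh random 128-bit machine-id into ROOT and re-point the D-Bus copy at
# it. Reads /dev/urandom directly so it also works on an offline image.
regen_machine_id() {
    root=${1:-/}
    id=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    mkdir -p "$root/etc" "$root/var/lib/dbus"
    printf '%s\n' "$id" > "$root/etc/machine-id"
    ln -sfn /etc/machine-id "$root/var/lib/dbus/machine-id"
    printf '%s\n' "$id"
}

# Check that ROOT has a well-formed id (32 lowercase hex digits) and that the
# D-Bus copy is either a symlink to /etc/machine-id or has identical content.
# Prints the id on success, returns 1 on any problem.
verify_machine_id() {
    root=${1:-/}
    dbus="$root/var/lib/dbus/machine-id"
    id=$(cat "$root/etc/machine-id" 2>/dev/null) || { echo "missing $root/etc/machine-id" >&2; return 1; }
    printf '%s\n' "$id" | grep -Eq '^[0-9a-f]{32}$' || { echo "malformed machine-id: $id" >&2; return 1; }
    if [ -L "$dbus" ]; then
        [ "$(readlink "$dbus")" = "/etc/machine-id" ] || { echo "$dbus links elsewhere" >&2; return 1; }
    else
        [ "$(cat "$dbus" 2>/dev/null)" = "$id" ] || { echo "$dbus differs from /etc/machine-id" >&2; return 1; }
    fi
    printf '%s\n' "$id"
}

# Given several root trees, fail if any two share a machine-id (the clone case).
check_unique_ids() {
    dups=$(for r in "$@"; do cat "$r/etc/machine-id"; done | sort | uniq -d)
    [ -z "$dups" ] || { echo "duplicate machine-id(s): $dups" >&2; return 1; }
}

# Usage: machine-id-check.sh ROOT [ROOT...]  (regenerate each, verify, then compare)
if [ "$#" -gt 0 ]; then
    for r in "$@"; do regen_machine_id "$r" >/dev/null; verify_machine_id "$r"; done
    check_unique_ids "$@"
fi
```

Mount each clone's root, run the script with the mount points as arguments, and a non-zero exit means either a malformed ID or two trees sharing one. SSH host keys need the same treatment and are not covered here.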
firejail
Install and configure Firejail for application isolation
sudo pacman -S firejail
Set up firejail for common applications
sudo firecfg
Run Firefox in an isolated environment. --private mounts a fresh, empty home that is discarded on exit, so the hardened profile created below is not used unless you pass --private=DIR pointing at a persistent sandbox home; --dns only rewrites the sandbox's resolv.conf, which Firefox's own DoH setting bypasses
firejail --private --dns=1.1.1.1 --netfilter firefox
Qemu
Installation
sudo pacman -S qemu-desktop libvirt virt-manager dnsmasq iptables-nft
(qemu is a split package now: qemu-desktop is enough for a local KVM host, qemu-full pulls in every target. ebtables and bridge-utils are not needed, libvirt manages bridges through iproute2 and uses the nftables-backed iptables-nft; dnsmasq is only used by networks that keep DHCP/DNS on, such as virt-manager's default network.)
sudo systemctl enable --now libvirtd
Check/Backup the XML (only works once the network is defined; do this before editing an existing lab network so it can be restored)
sudo virsh net-dumpxml c2-lab > c2-lab.backup.xml
Manual XML Virtual Network Configuration
Locked-down Version (save as c2-lab.xml). Two structural rules: <interface> is a guest (domain) element, not a network element, so it is listed separately below; and <ip> elements are siblings directly under <network>, never nested. If the lab needs IPv6, add a second sibling <ip family="ipv6" address="..." prefix="64"/> with a ULA prefix, not an fe80:: link-local address.
<network>
  <name>c2-lab</name>
  <bridge name="virbr2" stp="off" delay="0"/> <!-- Disable STP (not needed) -->
  <forward mode="none"/> <!-- NO NAT, NO ROUTING: host and guests only -->
  <dns enable="no"/> <!-- no dnsmasq listener on the bridge -->
  <ip address="192.168.100.1" netmask="255.255.255.0"/> <!-- No <dhcp> child: assign IPs manually -->
</network>
Guest side (sudo virsh edit <vm>): attach the NIC to the isolated network with a fixed MAC
<interface type="network">
  <mac address="52:54:00:XX:XX:XX"/> <!-- Set a static MAC; 52:54:00 is the QEMU/KVM prefix -->
  <source network="c2-lab"/>
  <model type="virtio"/>
</interface>
Drop ICMP routed through the host. With forward mode none libvirt already rejects all forwarding to and from virbr2, and this rule only sees routed traffic: guest-to-guest pings on the same bridge are switched at layer 2 and never reach the iptables FORWARD chain unless the br_netfilter module is loaded. Use a libvirt nwfilter or an nftables bridge-family rule if guests must not reach each other.
sudo iptables -I FORWARD -i virbr2 -p icmp -j DROP
Start the Virtual-Network
sudo virsh net-define c2-lab.xml
sudo virsh net-start c2-lab
Start on boot
sudo virsh net-autostart c2-lab
Check Network Info
sudo virsh net-info c2-lab
Check for leaks. With forward mode none the only ACCEPT that should mention virbr2 is libvirt's own -i virbr2 -o virbr2 intra-bridge rule; any ACCEPT between virbr2 and another interface means the lab can reach out
sudo iptables -L -v -n | grep virbr2
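Added example (not from the page above) covering both the network definition and the leak check: two text-based audits, one for the network XML (isolated forward mode, no DHCP range) and one for the host filter rules (no ACCEPT between the lab bridge and anything else, no fall-through to an ACCEPT policy). They take text rather than running commands themselves, so they work on live output as well as on a saved dump. The LIBVIRT_FWI/LIBVIRT_FWO chain names in the constructed samples follow what libvirt installs, but the sample lines themselves are made up for the self-test.

```shell
#!/bin/sh
# Added example, not from the original page: audit a libvirt lab network for
# isolation. Both checks work on text, so feed them live output or a saved copy:
#   audit_network_xml   "$(sudo virsh net-dumpxml c2-lab)"
#   audit_forward_rules virbr2 "$(sudo iptables -S)"
set -eu

# Pass only if the network definition is isolated: <forward> absent or
# mode="none" (libvirt treats a missing <forward> as isolated), and no <dhcp>
# block that would hand out leases.
audit_network_xml() {
    xml=$1
    rc=0
    if printf '%s\n' "$xml" | grep -q '<forward'; then
        printf '%s\n' "$xml" | grep -Eq "<forward +mode=['\"]none['\"]" \
            || { echo "forward mode is not none" >&2; rc=1; }
    fi
    if printf '%s\n' "$xml" | grep -q '<dhcp'; then
        echo "DHCP range defined" >&2; rc=1
    fi
    return $rc
}

# Pass only if no rule ACCEPTs traffic between the bridge and another interface
# (libvirt's own "-i BR -o BR -j ACCEPT" intra-bridge rule is expected and
# ignored), and the FORWARD chain does not fall through to an ACCEPT policy for
# the bridge. Input is `iptables -S` text for the filter table. Caveat: frames
# switched between guests on the same bridge never reach these chains unless
# br_netfilter is loaded, so a clean result says nothing about guest-to-guest.
audit_forward_rules() {
    br=$1
    rules=$2
    accepts=$(printf '%s\n' "$rules" \
        | grep -E -e "-(i|o) $br( |\$)" \
        | grep -E -e '-j ACCEPT( |$)' \
        | grep -Ev -e "-i $br -o $br( |\$)" || true)
    if [ -n "$accepts" ]; then
        echo "ACCEPT rule(s) between $br and another interface:" >&2
        printf '%s\n' "$accepts" >&2
        return 1
    fi
    if printf '%s\n' "$rules" | grep -q -e '^-P FORWARD ACCEPT' \
       && ! printf '%s\n' "$rules" | grep -Eq -e "-i $br .*-j (REJECT|DROP)"; then
        echo "FORWARD policy is ACCEPT and nothing rejects traffic from $br" >&2
        return 1
    fi
    return 0
}

# Constructed samples for a dry run (not captured from a real host).
SAMPLE_XML_OK="<network><name>c2-lab</name><forward mode='none'/><ip address='192.168.100.1' netmask='255.255.255.0'/></network>"
SAMPLE_XML_BAD="<network><name>c2-lab</name><forward mode='nat'/><ip address='192.168.100.1' netmask='255.255.255.0'><dhcp><range start='192.168.100.10' end='192.168.100.50'/></dhcp></ip></network>"
SAMPLE_RULES_OK="-P FORWARD ACCEPT
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A LIBVIRT_FWI -i virbr2 -o virbr2 -j ACCEPT
-A LIBVIRT_FWI -o virbr2 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -i virbr2 -j REJECT --reject-with icmp-port-unreachable"
SAMPLE_RULES_BAD="-P FORWARD ACCEPT
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A LIBVIRT_FWO -i virbr2 -o eth0 -j ACCEPT
-A LIBVIRT_FWI -i virbr20 -o virbr20 -j ACCEPT"
```

Run both against the live host after net-start; a non-zero exit from either is a leak path to fix before any C2 traffic is generated in the lab.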
Use browser containers to limit cookie-based correlation (containers separate cookies and site storage per context; they do not change the browser fingerprint, which the resistFingerprinting setting below addresses)
Check Browser Configuration
Check Firefox profiles
ls ~/.mozilla/firefox/
cat ~/.mozilla/firefox/profiles.ini
Check which add-ons a profile has installed (Multi-Account Containers appears as @testpilot-containers.xpi)
ls ~/.mozilla/firefox/*/extensions/
Secure Browser Configuration
Install Firefox Multi-Account Containers
This should be done manually through Firefox Add-ons
Create hardened Firefox profile
firefox -CreateProfile "hardened"
Configure hardened settings (create user.js in the profile directory; user.js is re-applied on every start and overrides anything changed in about:config)
PROFILE_DIR=$(find ~/.mozilla/firefox -maxdepth 1 -name "*.hardened" -type d)
tee "$PROFILE_DIR/user.js" << 'EOF'
// Privacy settings
user_pref("privacy.resistFingerprinting", true);   // also reports the timezone to pages as UTC
user_pref("privacy.trackingprotection.enabled", true);
user_pref("privacy.trackingprotection.socialtracking.enabled", true);
user_pref("privacy.firstparty.isolate", true);      // legacy FPI; cookieBehavior 5 (Total Cookie Protection) is the current mechanism
user_pref("network.cookie.cookieBehavior", 1);     // 1 = block third-party cookies
user_pref("network.http.referer.XOriginPolicy", 2); // 2 = send Referer only to the same origin
user_pref("network.http.referer.trimmingPolicy", 2); // 2 = scheme, host and port only
// Disable WebRTC (stops local and VPN-bypassing IP disclosure through ICE)
user_pref("media.peerconnection.enabled", false);
user_pref("media.navigator.enabled", false);
// DNS over HTTPS. This is Firefox's own resolver path: queries go straight to the
// DoH endpoint over 443 and bypass whatever the OS resolver is configured to use.
// mode 2 = DoH with fallback to the OS resolver; mode 3 = DoH only, no fallback.
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://cloudflare-dns.com/dns-query");
// Disable telemetry
user_pref("toolkit.telemetry.enabled", false);
user_pref("datareporting.policy.dataSubmissionEnabled", false);
EOF
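Added example (not from the page above): a check that the hardened profile actually carries the prefs, run against user.js (what was written) or the profile's prefs.js (what Firefox persisted after a run), so drift after an update or a stray about:config change shows up. The required list and the values in it mirror the user.js above; the constructed prefs file in the self-test is made up and is not a real profile.

```shell
#!/bin/sh
# Added example, not from the original page: verify that a Firefox profile really
# carries the hardening prefs. Point it at user.js (what you wrote) or at the
# profile's prefs.js (what Firefox persisted after a run):
#   audit_prefs "$PROFILE_DIR/prefs.js" "$REQUIRED_PREFS"
set -eu

# Prefs that must hold, as "name expected-value" lines. Values are compared
# textually as they appear in the file, so strings keep their double quotes.
# network.trr.mode 2 = DoH with fallback to the OS resolver; 3 = DoH only.
REQUIRED_PREFS='privacy.resistFingerprinting true
media.peerconnection.enabled false
network.trr.mode 2
network.cookie.cookieBehavior 1
toolkit.telemetry.enabled false'

# Print "name value" for every user_pref() line in a prefs file; comments and
# other lines are skipped. Values may not contain ";" (Firefox prefs never do).
parse_prefs() {
    sed -n 's/^ *user_pref("\([^"]*\)", *\([^;]*\));.*$/\1 \2/p' "$1"
}

# Print the value of one pref, or return 1 if the file does not set it.
pref_value() {
    v=$(parse_prefs "$1" | awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Report every required pref that is missing or has another value; returns 1 if
# any, otherwise prints a one-line summary.
audit_prefs() {
    out=$(printf '%s\n' "$2" | while read -r name want; do
        [ -n "$name" ] || continue
        got=$(pref_value "$1" "$name") || got="<missing>"
        [ "$got" = "$want" ] || echo "MISMATCH $name: want $want, got $got"
    done)
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    echo "all $(printf '%s\n' "$2" | grep -c .) required prefs present"
}

if [ "$#" -gt 0 ]; then
    audit_prefs "$1" "$REQUIRED_PREFS"
fi
```

Checking prefs.js rather than user.js is the useful run: it is the state Firefox actually loaded, and a pref missing there after a restart means the user.js line was rejected or renamed in a newer release.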
System time revealing timezone/location
Check System Time and Timezone
Check current timezone and time
timedatectl status
date
Check NTP synchronization
timedatectl show-timesync --all
Configure Proper Time Synchronization
NTP traffic itself does not carry your timezone; the zone set with timedatectl (the Timezone field of timedatectl show) and an RTC kept in local time are what leak it, so set the zone to UTC (timedatectl set-timezone UTC) and keep the RTC in UTC first. The settings below only spread NTP traffic across several servers and jitter the first sync after boot.
Use multiple NTP servers
sudo tee /etc/systemd/timesyncd.conf << EOF
[Time]
NTP=pool.ntp.org time.nist.gov time.cloudflare.com
PollIntervalMinSec=32
PollIntervalMaxSec=2048
ConnectionRetrySec=30
EOF
Add a random delay before the first sync as a drop-in on timesyncd itself. A separate oneshot unit with Before=systemd-timesyncd.service and WantedBy=multi-user.target does not work: timesyncd is ordered before sysinit.target and a default service after it, so systemd reports an ordering cycle and drops one of the jobs. $$ is the unit-file escape for a literal $, so bash sees $((RANDOM % 30)). The sleep delays sysinit.target by the same amount.
sudo mkdir -p /etc/systemd/system/systemd-timesyncd.service.d
sudo tee /etc/systemd/system/systemd-timesyncd.service.d/random-delay.conf << 'EOF'
[Service]
ExecStartPre=/bin/bash -c 'sleep $$((RANDOM % 30))'
EOF
Reload units and restart timesyncd
sudo systemctl daemon-reload
sudo systemctl restart systemd-timesyncd
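Added example (not from the page above): an audit of the settings this section is about, parsed from the KEY=VALUE output of timedatectl show so it runs on saved output as well as on the live host. The field names (Timezone, LocalRTC, NTP, NTPSynchronized) are the ones timedatectl prints; the sample text is constructed for the dry run and the remediation commands in the findings are standard timedatectl subcommands.

```shell
#!/bin/sh
# Added example, not from the original page: audit host time settings for the
# timezone and RTC leaks this section is about. Parses `timedatectl show`
# (KEY=VALUE lines), so it runs on saved output as well as live:
#   audit_time_settings "$(timedatectl show)"
set -eu

# Value of KEY in timedatectl-show text, or return 1 if absent.
td_get() {
    v=$(printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1)
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# One finding per line with its fix; empty output means nothing to change.
# A system zone other than UTC leaks location through every local timestamp
# (logs, file times, mail headers, screenshots); an RTC in local time leaks the
# same through the hardware clock and confuses dual-boot setups.
audit_time_settings() {
    tz=$(td_get "$1" Timezone || echo unknown)
    rtc=$(td_get "$1" LocalRTC || echo unknown)
    ntp=$(td_get "$1" NTP || echo unknown)
    synced=$(td_get "$1" NTPSynchronized || echo unknown)
    [ "$tz" = "UTC" ]     || echo "timezone is $tz: run 'timedatectl set-timezone UTC' and set TZ per application instead"
    [ "$rtc" = "no" ]     || echo "RTC is in local time: run 'timedatectl set-local-rtc 0'"
    [ "$ntp" = "yes" ]    || echo "NTP is off: run 'timedatectl set-ntp true'"
    [ "$synced" = "yes" ] || echo "clock not synchronized yet"
}

# Constructed sample (not captured from a real host) for a dry run.
SAMPLE_TD='Timezone=Europe/Berlin
LocalRTC=no
CanNTP=yes
NTP=yes
NTPSynchronized=yes'

if [ "${1:-}" = "--live" ]; then
    audit_time_settings "$(timedatectl show)"
else
    audit_time_settings "$SAMPLE_TD"
fi
```

Run it with --live on the host and on each VM; applications that really need local time get it from a per-process TZ variable rather than the system zone.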
DNS leaks via systemd-resolved
Check DNS Configuration and Leaks
Check systemd-resolved status
systemctl status systemd-resolved
resolvectl status
Check DNS servers being used
cat /etc/resolv.conf
resolvectl dns
Test for DNS leaks: the two lookups below return the public IP the upstream sees, which tells you whether queries leave through the path (VPN, tunnel) you expect; whoami.cloudflare lives in the CHAOS class, so the class must be given
dig +short CH TXT whoami.cloudflare @1.1.1.1
nslookup myip.opendns.com resolver1.opendns.com
Secure DNS Configuration
Option 1: DNS over TLS with systemd-resolved. Domains=~. makes these servers the default route for every lookup; without it resolved also uses the per-link resolvers handed out by DHCP. DNSSEC=yes is strict (names that fail validation stop resolving); DNSSEC=allow-downgrade is the lenient variant.
sudo mkdir -p /etc/systemd/resolved.conf.d
sudo tee /etc/systemd/resolved.conf.d/dns-over-tls.conf << EOF
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
FallbackDNS=
Domains=~.
DNSOverTLS=yes
DNSSEC=yes
EOF
Restart the resolver
sudo systemctl restart systemd-resolved
Option 2: Use Unbound for better control
sudo pacman -S unbound
sudo tee /etc/unbound/unbound.conf << 'EOF'
server:
    interface: 127.0.0.1
    port: 53
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    access-control: 127.0.0.0/8 allow
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes
    prefetch: yes
    # CA bundle used to verify the #hostname on the TLS forwarders below; without
    # it the upstream certificate is not authenticated
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    # DNSSEC validation needs a root trust anchor (path from Arch's dnssec-anchors
    # package, assumed here; adjust if your distro ships it elsewhere)
    trust-anchor-file: /etc/unbound/trusted-key.key
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
EOF
sudo systemctl enable --now unbound
sudo systemctl disable --now systemd-resolved
Point resolv.conf at Unbound. Remove the existing file first: on a resolved system /etc/resolv.conf is a symlink into /run/systemd/resolve/, so tee would write through it into tmpfs and chattr cannot pin a symlink. The immutable flag then stops NetworkManager or dhcpcd from rewriting the file.
sudo rm -f /etc/resolv.conf
echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
sudo chattr +i /etc/resolv.conf
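Added example (not from the page above) for verifying either option: it compares every resolver the host will actually use against an allowlist, reading resolvectl dns text (one "Scope: servers" line per link) for the systemd-resolved setup or /etc/resolv.conf for the Unbound setup. Any server outside the allowlist, typically a DHCP-supplied router address on some link, is a leak path. The allowlists mirror the configurations above; the sample outputs are constructed for the self-test, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original page: compare every resolver the host
# will use against an allowlist. Usage on the live system:
#   audit_resolvectl_dns "$(resolvectl dns)" "$ALLOWED_DOT"
#   audit_resolv_conf   "$(cat /etc/resolv.conf)" "$ALLOWED_LOCAL"
set -eu

# Allowed upstreams. For DoT the server must carry #hostname, otherwise resolved
# cannot verify the certificate; a bare 1.1.1.1 is plaintext Do53 and is flagged.
ALLOWED_DOT="1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com"
ALLOWED_LOCAL="127.0.0.1"

in_list() {
    for x in $2; do [ "$x" = "$1" ] && return 0; done
    return 1
}

# Print "scope server" for each server not in the allowlist; return 1 if any.
# Splitting on the first colon keeps IPv6 server addresses intact.
audit_resolvectl_dns() {
    allowed=$2
    bad=$(printf '%s\n' "$1" | while IFS= read -r line; do
        scope=${line%%:*}
        servers=${line#*:}
        for s in $servers; do
            in_list "$s" "$allowed" || printf '%s %s\n' "$scope" "$s"
        done
    done)
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}

# Same check on resolv.conf text (nameserver lines only).
audit_resolv_conf() {
    allowed=$2
    bad=$(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }' | while read -r s; do
        in_list "$s" "$allowed" || printf '%s\n' "$s"
    done)
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}

# Constructed samples (not captured from a real host).
SAMPLE_DNS_OK="Global: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
Link 2 (eth0):
Link 3 (virbr2):"
SAMPLE_DNS_LEAK="Global: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
Link 2 (eth0): 192.168.1.1 2001:db8::1
Link 3 (wlan0): 1.1.1.1"
```

A per-link entry on eth0 or wlan0 is exactly what a DHCP lease leaves behind; with Domains=~. those servers are no longer the default route, but the cleanest state is for every link line to be empty. Firefox's DoH setting is not visible to either check because it never touches the OS resolver.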