What is and What is NOT

This guide aims to build a "a slim, secure, Debian base system."

1. You would get a slim and secure Debian GNU/Linux stretch base system.
   • LUKS system encryption except /boot.
   • AppArmor enabled; though you almost need to create your own profiles.
   • NOT for old hardware; Intel Core 4th gen. and later are recommended.
   • Assume SSDs/NVMe single storage.
2. LVM and ext4 allows you flexible and extendable storage operations.
   • We starts with "many small mount points with various mount options".
   • With preserved LVM PE Free space, extending mount points are easy.
3. It implements read-only root filesystem for security.
   • Typically, the system would have read-only "/", "/boot", "/boot/efi", "/usr", and "/usr/share".
   • To obtain functionalities, we would add some exceptions on the FHS rules.
4. It could be used as a Debian base system for,
   • a local, low load servers such like proxies and test deployment servers.
   • a GUI (GNOME) workstation (with Japanese input system by Google Mozc).
   • NOT FOR REMOTE SERVERS AND LAPTOPS.
   • Assume a lot of DRAM; say, at least 4 GiB.
5. Once setup, it would be almost normal Debian system.
   • Of course you need some more commands on admin stuff such as remounts.
   • APT can be used normally (and fast) since we add hook scripts.
6. It would not use sudo and su basically.
   • If you want them, be cautious, please.
7. NOT FOR GNU/LINUX BEGINNERS.
   • Please at least install Debian in an ordinal method once.
   • Then, text mode, without automatic partitioning, using LVM.
   • However, this guide shows you step-by-step instructions.
8. Debian Stretch, not Buster.
   • Even after the Buster release as "stable", stretch security updates would be available.
   • tier1.jp are still testing Buster, considering upgrading after 10.2 release.
   • Debian buster has LUKS2, AppArmor, and GNOME/Wayland upgrades and all of them are crucial with our configuration.

For detail, please read "the stages" below.

Tested by

Using Debian 9.9 netinst ISO image (clean installations) then upgraded into 9.11:

• Intel H110, Skylake, SATA SSD, GPT partition table with EFI boot.
• Intel B250, Kaby Lake, NVMe, GPT partition table with EFI boot.

Major changes

2nd edition is different from the 1st,

• Read-only filesystem: /, /boot, /usr, etc.
• To achieve working AppArmor and /media, we break FHS a bit.
• Many optional security sections are now required.

Let's start

Debian Stretch is matured.

Once you setup, there would be minor admin stuffs.

Feature/Flavor	Comment
Target CPU Architecture	amd64 (especially Intel Skylake and Kaby Lake)
Filesystem	Ext4 on LVM over LUKS. Assume NVMe/SSD.
Localization	English and Japanese (GNOME desktop only)

For Debian with AMD Ryzen CPU,

1. It is possible to use AMD Ryzen with Debian supported dGPU cards.

   • Pick a bit old one if you do not want non-free section packages.

2. AMD Ryzen 2200G/2400G iGPU acceleration features are not supported by Stretch.

   2.1. Manual installation of the Buster Linux Kernel 4.19 (not recommended).

   2.2. Build your own 4.19 or later (not recommended).

In short, we do not recommend AMD Ryzen "APUs" for Debian Stretch (simply because we did not tested them enough).

Method

It will be an abnormal installation.

1. We use netinst ISO image without network (until stage 4).
2. We break some FHS rules to build read-only filesystem.
3. We will tweak security baseline.
4. Then we connect the box to the Internet.
5. Install and enable AppArmor.

To make it simple, we use "Stage N" names for those procedures.

Stage	What to do
1	Install Debian Stretch.
2	Filesystem (RO LVM-over-LUKS).
3	Harden.
4	Network, the fist apt update.
5	Enable AppArmor.

After stage 5, there would be many "optional" settings such as,

Stage	What to do
6	Install and setup logcheck.
7	Small GNOME installation and settings.
8	Japanese Input support by IBus-Mozc and fonts.
9	Misc.

In other words, this 2nd edition requires to do all of the first 5 stages.

Shall we?