hardened *nix for Lenovo X60

Dan White dwhite at olp.net
Mon Aug 26 08:42:21 PDT 2013


On 08/26/13 17:09 +0200, Eugen Leitl wrote:
>
>I've managed to lay my hands on a couple of Lenovo X60's that are
>in pretty good shape and would like to use them as a moderately secure
>communication/development system. (I'm not trusting my desktops,
>servers or mobile devices for obvious reasons). I'm loath to modify
>the hardware at this point, so I expect to only flash coreboot
>upon it.
>
>What kind of security-minded Linux or *BSD would you guys
>recommend? Liberte looks a bit too stable (cough, sorry Максим)),
>Kali is more for security h4x0rs. Anything else that is well-maintained
>yet borderline secure from *untargeted* TLA-level scrutiny?
>
>I'm okay with text-mostly distros, or minimalistic window
>managers. It shouldn't be a kitchensink of stuff I don't need,
>but on the other hand it shouldn't be so secure it's
>unusable, either.
>
>Pointers to any HOWTOs or SOPs highly welcome. Tanks & machine guns.

The boring recommendation: Debian

Pros:
* Lots of eyeballs
* Timely security updates (well, timely as far as vendors go)
* A wealth of pre-packed software, which can be twiddled down to size
* Some fancy features out of the box (like remotely booting a LUKS
   encrypted root filesystem via an initramfs ssh daemon)

Cons:
* Patching your locally installed (packaged) software must be done with
   Debian build scripts, or you quickly lose the benefits of the apt system
* Stupid patches have made it past the package maintainer (the OpenSSL
   2008 patch being the one that comes immediately to mind)

If you're willing to compile your own software or security updates, then I
think your choice of OS/distro may be mostly moot.

I'd recommend against a specialized security (linux) distro, unless you
know what you're doing. Support for many of them seems to be pretty spotty,
according to my unscientific observation from ##linux.


