hardened *nix for Lenovo X60

Tomasz Rola rtomek at ceti.pl
Mon Aug 26 14:25:54 PDT 2013


On Mon, 26 Aug 2013, Dan White wrote:

> On 08/26/13 17:09 +0200, Eugen Leitl wrote:
> >
> >I've managed to lay my hands on a couple of Lenovo X60's that are
> >in pretty good shape and would like to use them as a moderately secure
> >communication/development system. (I'm not trusting my desktops,
> >servers or mobile devices for obvious reasons). I'm loath to modify
> >the hardware at this point, so I expect to only flash coreboot
> >upon it.

I think "moderate" is the right choice of a word. Not sure how moderate 
you want to go in your moderating, how about removing wifi (it's on a PCIe 
card, AFAIK), or, say, crushing BT with heavy pincers? No, I cannot 
recommend anything like this, I didn't allow pincers into my laptop...

> >What kind of security-minded Linux or *BSD would you guys
> >recommend? Liberte looks a bit too stable (cough, sorry ??????)),
> >Kali is more for security h4x0rs. Anything else what is well-maintained
> >yet borderline secure from *untargeted* TLA-level scrutiny?

I have recently tried a few Debian-related distros on my X61 (which seems 
to be a smaller brother of the X60, i.e. lots of shared hw AFAIK). Ubuntu and 
Mint boot and work o-o-t-box. Those were just for testing :-/, Debian 
works too, with X and sound (not sure if I used sound under Debian). 
FreeBSD - for some reason I am always between after-install and 
comfortable-using it, at least on laptops and desktops, which is where I 
tried it so far. Booted it a few times into console, X doesn't work on X61, 
for me.

> >I'm okay with text-mostly distros, or minimalistic window
> >managers. It shouldn't be a kitchensink of stuff I don't need,
> >but on the other hand it's shouldn't be so secure it's
> >unusable, either.
> >
> >Pointers to any HOWTOs or SOPs highly welcome. Tanks & machine guns.
> 
> The boring recommendation: Debian

Seconded, for the pros you gave. I'd consider recompiling the kernel. 

Debian does not have the most recently updated hot-fancy-pansy software, 
other than security updates - but even in this case, I'd say priority is 
to backport patch into version included in one's current Debian 
distribution. So soft is acceptably new when I dist-upgrade but as months 
go by, it gets a bit old. OTOH, during my circa 15 years of using it, I 
rarely felt bad about not having the latest version of something 
installed. With some exceptions, like browsers, java and mplayer, but see 
below. Most of the other soft I use is stable enough to not undergo 
revolutionary changes. And besides, I don't really want to be surprised by 
a bug which took a free ride on top of some revolutionary change.

One huge pro, so far, is that Debian does not push its choice of window 
manager down my throat. I use fvwm and I want it to stay so (after 
extensive periods of gnome and kde, so I guess they lack something). For a 
laptop, I would either use a console with screen or maybe some mouseless 
WM - there is plenty to choose from (try to befriend aptitude and apt-* 
tools). The default in newer distros is some lightweight, decently looking 
kde-replacement, forgot its name, should be good for noncomputing 
parents/spouses/siblings (children would use Android/iOS anyway).

Another good pro is ability to download full source code (about 7-8 dvds, 
security updates put onto separate disc) and compile it while in places 
without easy net access. At least I assume it would work. This pro is of 
course shared by some other OSes, too. In case of Debian, however, I guess 
it's safe to assume that all sources fit nicely with each other, compile 
without complaining, so once you've got a full copy it is all that you will 
need. This theory I am yet to test - I know this all compiles on devel's 
cluster but I think I should test before I claim anything more.

[...]
> Cons:
> * Patching your locally installed (packaged) software must be done with
>   Debian build scripts, or you quickly lose the benefits of the apt system
> * Stupid patches have made it past the package maintainer (the OpenSSL
>   2008 patch being the one that comes immediately to mind)

As for patching packages, I don't do it because I never had such need. 
Albeit I tinkered a bit with them when I decided to backport some new 
packages into my oldie distro. Tools for this are rather easy to use, but 
from time to time one has to modify some file so the new stuff compiles 
with older lib etc. Sometimes, such backporting turns into recursive 
backporting which is why emacs is one of the compiler's helper tools :-).

When I want a newer version of something, I use stow for stuff going into 
/usr/local and for some other stuff (browsers, compilers etc) I tell them 
to install into /opt/{specific_dir}. Thus the core of my sys remains 
stable and pure, like the devs meant it to be. Stuff from /usr/local is on 
standard PATH and LD_LIBRARY_PATH, so it is more integrated into usual sys 
works. Stuff from /opt I use by adding appropriate dirs into ENV variables. 
Thus I can easily switch between various versions - or revert to stable 
defaults when I have to.

And last but not least, there are third party repositories (chrome, opera, 
backports, marillat and some more) which offer latest versions and work 
with one's current distro. Those are easy to add - just a line or two in 
/etc/apt/sources.list, aptitude update and you rulez ;-) .

Something of a con is this: after many many many years and many 
dist-upgrades, so much cruft is collected in /etc (mostly, my mods to 
config files, backups of mods and origs, some custom scripts residing in 
/etc for no better place and the like) that one seriously considers 
installing from scratch. Other than this, I consider my current os to be 
twelve years old and counting :-). Perhaps it's time to put /etc into some 
kind of version control regime. Longevity has its own share of strange 
problems and strange solutions - not that I am against longevity.

> If you're willing to compile your own software or security updates, then I
> think your choice of OS/distro may be mostly moot.

Sooner or later you will want to compile, so don't worry. I'd have still 
used Debian, with Slackware or Gentoo being strong secondary choices. But 
I don't have significant experience with those, so I can't recommend.

> I'd recommend against a specialized security (linux) distro, unless you
> know what you're doing. Support for many of them seems to be pretty spotty,
> according to my unscientific observation from ##linux.

Yep. Debian, at least, is quite well documented. dwww is my tried old 
friend. It's possible to install books and manuals from additional 
packages, those integrate nicely into dwww and can later be accessed 
with a browser. dwww includes manpages and infopages into this common 
browsable interface, too, very very cute.

But if you desire a lot to go the exotic way, you may have a look at this:

http://wiki.qubes-os.org/trac/wiki

http://theinvisiblethings.blogspot.com/

I didn't try it. But it looks interesting. Maybe it's worth a try.

Regards,
Tomasz Rola

--
** A C programmer asked whether computer had Buddha's nature.      **
** As the answer, master did "rm -rif" on the programmer's home    **
** directory. And then the C programmer became enlightened...      **
**                                                                 **
** Tomasz Rola          mailto:tomasz_rola at bigfoot.com             **
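The /opt-per-version switching described in the mail, as an added example that is not part of the original post: OPT_ROOT, opt_use, opt_revert and the constructed "mybrowser" tree are assumed names for the demo, and the demo runs against a temporary directory instead of the real /opt.

```shell
#!/bin/sh
# Added example: keep each third-party tool in its own $OPT_ROOT/<name>-<version>
# tree and select one by prepending its bin/ and lib/ to PATH and LD_LIBRARY_PATH,
# so the distro's own /usr binaries stay untouched and a revert is one call.
OPT_ROOT="${OPT_ROOT:-/opt}"   # assumed variable; real layout would be /opt

# Record the stable defaults once, so opt_revert can restore them exactly.
_OPT_SAVED_PATH="$PATH"
_OPT_SAVED_LDPATH="${LD_LIBRARY_PATH:-}"

# opt_use NAME VERSION: put $OPT_ROOT/NAME-VERSION/{bin,lib} first in the search path.
opt_use() {
    dir="$OPT_ROOT/$1-$2"
    [ -d "$dir/bin" ] || { echo "opt_use: no $dir/bin" >&2; return 1; }
    opt_revert    # drop any previously selected tree before adding this one
    PATH="$dir/bin:$PATH"
    LD_LIBRARY_PATH="$dir/lib${_OPT_SAVED_LDPATH:+:$_OPT_SAVED_LDPATH}"
    export PATH LD_LIBRARY_PATH
}

# opt_revert: back to the defaults recorded when this file was sourced.
opt_revert() {
    PATH="$_OPT_SAVED_PATH"
    LD_LIBRARY_PATH="$_OPT_SAVED_LDPATH"
    export PATH LD_LIBRARY_PATH
}

# opt_demo: build a constructed tree with two fake "mybrowser" versions, switch
# between them, revert, and report which binary each step resolved to.
opt_demo() {
    tmp=$(mktemp -d)
    for v in 1.0 2.0; do
        mkdir -p "$tmp/mybrowser-$v/bin" "$tmp/mybrowser-$v/lib"
        printf '#!/bin/sh\necho %s\n' "$v" > "$tmp/mybrowser-$v/bin/mybrowser"
        chmod +x "$tmp/mybrowser-$v/bin/mybrowser"
    done
    OPT_ROOT="$tmp"
    opt_use mybrowser 2.0 && first=$(mybrowser)
    opt_use mybrowser 1.0 && second=$(mybrowser)
    opt_revert; third=$(command -v mybrowser || echo none)
    rm -rf "$tmp"
    echo "$first $second $third"
}
```

Source the file from a shell rc and call `opt_use name version` per session; nothing under /usr or /usr/local is modified, so the distro defaults are always one `opt_revert` away.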
