hardened *nix for Lenovo X60

John Down johndown at i2pmail.org
Mon Aug 26 13:44:39 PDT 2013


If so, then it's worth having a look at hardened Gentoo to have full
control over the process of how the system is built, what patches are
applied, etc.

On Mon, Aug 26, 2013 at 04:05:25PM +0000, Dan White wrote:
> On 08/26/13 17:09 +0200, Eugen Leitl wrote:
> >
> >I've managed to lay my hands on a couple of Lenovo X60's that are
> >in pretty good shape and would like to use them as a moderately secure
> >communication/development system. (I'm not trusting my desktops,
> >servers or mobile devices for obvious reasons). I'm loath to modify
> >the hardware at this point, so I expect to only flash coreboot
> >upon it.
> >
> >What kind of security-minded Linux or *BSD would you guys
> >recommend? Liberte looks a bit too stable (cough, sorry Максим)),
> >Kali is more for security h4x0rs. Anything else that is well-maintained
> >yet borderline secure from *untargeted* TLA-level scrutiny?
> >
> >I'm okay with text-mostly distros, or minimalistic window
> >managers. It shouldn't be a kitchensink of stuff I don't need,
> >but on the other hand it shouldn't be so secure it's
> >unusable, either.
> >
> >Pointers to any HOWTOs or SOPs highly welcome. Tanks & machine guns.
> 
> The boring recommendation: Debian
> 
> Pros:
> * Lots of eyeballs
> * Timely security updates (well, timely as far as vendors go)
> * A wealth of pre-packed software, which can be twiddled down to size
> * Some fancy features out of the box (like remotely booting a LUKS
>    encrypted root filesystem via an initramfs ssh daemon)
> 
> Cons:
> * Patching your locally installed (packaged) software must be done with
>    Debian build scripts, or you quickly lose the benefits of the apt system
> * Stupid patches have made it past the package maintainer (the OpenSSL
>    2008 patch being the one that comes immediately to mind)
> 
> If you're willing to compile your own software or security updates, then I
> think your choice of OS/distro may be mostly moot.
> 
> I'd recommend against a specialized security (linux) distro, unless you
> know what you're doing. Support for many of them seems to be pretty spotty,
> according to my unscientific observation from ##linux.