* [gentoo-hardened] Which laptop compatible with hardened-workstation ?
From: Romain BERGE @ 2009-02-16 9:04 UTC
To: gentoo-hardened

Hey list,

I am planning to buy a laptop.
I would like to install a hardened (workstation) profile on it.

Which hardware features/components should I take care of? (to be the most compatible with hardened)
Conversely, are there some hardware components/brands to avoid?

Thanks

* [gentoo-hardened] Re: Which laptop compatible with hardened-workstation ?
From: 7v5w7go9ub0o @ 2009-02-16 17:52 UTC
To: gentoo-hardened

Romain BERGE wrote:
> Hey list,
>
> I am planning to buy a laptop. I would like to install a hardened
> (workstation) profile on it.
>
> Which hardware features/components should I take care of? (to be the
> most compatible with hardened) Conversely, are there some
> hardware components/brands to avoid?
>
> Thanks
>

Went through a similar exercise a few years ago; concluded that one:

- first chooses the laptop that meets his needs (I wanted a 2 pounder with good screen and graphics to carry about in a back pack, with frequent stops at hotspots)

- second googles about for Linux success/failure stories about that laptop. Gentoo has some great documentation and explanations concerning Linux; Ubuntu has some great user lists regarding specific hardware. My Sony was 95% Linux good to go, with detailed Ubuntu discussions about xorg.conf.

- third if it works on Linux, it'll likely work for hardened. (this was true for 32bit on my laptop; 64 may be different; I'll know shortly)

FWIW, IMHO a hardened profile, along with other precautions, makes a lot of sense on a laptop as there is all sorts of mischief occurring at anonymous, college and Saturday-afternoon hotspots - some of it quite sophisticated due to "pen test" software. It's a wild west that you'll not experience on your firewalled desktop.

HTH

* Re: [gentoo-hardened] Re: Which laptop compatible with hardened-workstation ?
From: Dale Pontius @ 2009-02-16 23:06 UTC
To: gentoo-hardened

7v5w7go9ub0o wrote:
> Romain BERGE wrote:
>> Hey list,
>>
>> I am planning to buy a laptop. I would like to install a hardened
>> (workstation) profile on it.
>>
>> Which hardware features/components should I take care of? (to be the
>> most compatible with hardened) Conversely, are there some
>> hardware components/brands to avoid?
>>
>> Thanks
>>
>
> Went through a similar exercise a few years ago; concluded that one:
>
> - first chooses the laptop that meets his needs (I wanted a 2 pounder
> with good screen and graphics to carry about in a back pack, with
> frequent stops at hotspots)
>
> - second googles about for Linux success/failure stories about that
> laptop. Gentoo has some great documentation and explanations concerning
> Linux; Ubuntu has some great user lists regarding specific hardware. My
> Sony was 95% Linux good to go, with detailed Ubuntu discussions about
> xorg.conf.
>
> - third if it works on Linux, it'll likely work for hardened. (this was
> true for 32bit on my laptop; 64 may be different; I'll know shortly)
>
> FWIW, IMHO a hardened profile, along with other precautions, makes a
> lot of sense on a laptop as there is all sorts of mischief occurring at
> anonymous, college and Saturday-afternoon hotspots - some of it quite
> sophisticated due to "pen test" software. It's a wild west that you'll
> not experience on your firewalled desktop.
>

Just a side comment on this... I have scripts that figure out where the heck I am when networking comes up, and based on that decide what, if any, service(s) to bring up. When the current network is on "other", NO services are started at all - even X is started with "-tcp nolisten" so there are no open ports. Scratch that - dnsmasq is listening on loopback, but that's it.

Maybe it's not all that's necessary, but it's a good first line of defense.

Dale Pontius

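Added example (not part of the thread, and not Dale Pontius's own scripts): a sketch of the location-aware start-up described in the message above, in which an unrecognised network falls through to "other" and nothing is started. Identifying a network by its default gateway's IP and MAC address is an assumption of this sketch, and the table entries, addresses and service names are constructed.

```shell
#!/bin/sh
# Known networks, one per line: gateway IP, gateway MAC, profile (constructed values).
KNOWN_NETWORKS='192.168.1.1 00:11:22:33:44:55 home
10.20.0.1 66:77:88:99:aa:bb work'

# classify_network GATEWAY_IP GATEWAY_MAC -> prints the profile name.
# IP and MAC must both match an entry; everything else is "other".
# A gateway MAC can be spoofed, so a match is a convenience, not authentication;
# the fail-closed default is what keeps ports shut on an unknown network.
classify_network() {
    want_ip=$1
    want_mac=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    profile=other
    while read -r k_ip k_mac k_name; do
        [ -n "$k_name" ] || continue
        if [ "$k_ip" = "$want_ip" ] && [ "$k_mac" = "$want_mac" ]; then
            profile=$k_name
        fi
    done <<EOF
$KNOWN_NETWORKS
EOF
    printf '%s\n' "$profile"
}

# services_for PROFILE -> prints the services to start (hypothetical lists).
services_for() {
    case $1 in
        home) echo "sshd cupsd ntpd" ;;
        work) echo "sshd ntpd" ;;
        *)    : ;;  # "other" and anything unexpected: start nothing
    esac
}

# current_gateway -> prints "IP MAC" of the default gateway on a live system.
current_gateway() {
    gw=$(ip route show default 2>/dev/null | awk '/^default/ {print $3; exit}')
    [ -n "$gw" ] || return 1
    mac=$(ip neigh show "$gw" 2>/dev/null |
        awk '{for (i = 1; i < NF; i++) if ($i == "lladdr") {print $(i + 1); exit}}')
    printf '%s %s\n' "$gw" "$mac"
}

# plan_services GATEWAY_IP GATEWAY_MAC -> prints "profile: services".
plan_services() {
    p=$(classify_network "$1" "$2")
    printf '%s: %s\n' "$p" "$(services_for "$p")"
}

# Demo on constructed values; a live run would pass the output of current_gateway.
plan_services 192.168.1.1 00:11:22:33:44:55
plan_services 192.168.1.1 de:ad:be:ef:00:01
```

A gateway that reuses a known IP address with a different MAC, or one whose MAC cannot be resolved at all, is classified as "other".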
* [gentoo-hardened] Re: Which laptop compatible with hardened-workstation ?
From: 7v5w7go9ub0o @ 2009-02-17 2:02 UTC
To: gentoo-hardened

Dale Pontius wrote:
> 7v5w7go9ub0o wrote:
>> Romain BERGE wrote:
>>> Hey list,
>>>
>>> I am planning to buy a laptop. I would like to install a hardened
>>> (workstation) profile on it.
>>>
>>> Which hardware features/components should I take care of? (to be
>>> the most compatible with hardened) Conversely, are there
>>> some hardware components/brands to avoid?
>>>
>>> Thanks
>>>
>> Went through a similar exercise a few years ago; concluded that
>> one:
>>
>> - first chooses the laptop that meets his needs (I wanted a 2
>> pounder with good screen and graphics to carry about in a back
>> pack, with frequent stops at hotspots)
>>
>> - second googles about for Linux success/failure stories about that
>> laptop. Gentoo has some great documentation and explanations
>> concerning Linux; Ubuntu has some great user lists regarding
>> specific hardware. My Sony was 95% Linux good to go, with detailed
>> Ubuntu discussions about xorg.conf.
>>
>> - third if it works on Linux, it'll likely work for hardened. (this
>> was true for 32bit on my laptop; 64 may be different; I'll know
>> shortly)
>>
>> FWIW, IMHO a hardened profile, along with other precautions, makes
>> a lot of sense on a laptop as there is all sorts of mischief
>> occurring at anonymous, college and Saturday-afternoon hotspots -
>> some of it quite sophisticated due to "pen test" software. It's a
>> wild west that you'll not experience on your firewalled desktop.
>>
> Just a side comment on this... I have scripts that figure out where
> the heck I am when networking comes up, and based on that decide
> what, if any, service(s) to bring up. When the current network is on
> "other", NO services are started at all - even X is started with
> "-tcp nolisten" so there are no open ports. Scratch that - dnsmasq
> is listening on loopback, but that's it.
>
> Maybe it's not all that's necessary, but it's a good first line of
> defense.
>
> Dale Pontius

Heh.....clever idea; makes good sense to me. :-)

(Some might argue for a VPN so as to avoid DNS poisoning or an attack against Mara directly - guess that would depend upon the nature of one's business at the hotspot. FWIW, I run unbound (DNS) in its own jail. I'll shut it down and use a VPN when doing banking/other sensitive stuff)

(Given I use individual, hardened (grsecurity) jails for anything that connects outside, I can't totally block X - but I do firewall it; and also confine it through xhost to local host only. As far as running services - nope! Heh.... mindful of poisoning or buffer-overflow attacks, I'll passively monitor the place with kismet for a minute or two before announcing my presence, and then bring up DHCPCD in a hardened jail for 3 seconds - long enough to set the network assignments - then automatically kill it. Arpon can passively monitor external ARP activity.)

* Re: [gentoo-hardened] Re: Which laptop compatible with hardened-workstation ?
From: Marcel Meyer @ 2009-02-17 10:43 UTC
To: gentoo-hardened

Hi list, hello Dale,

On Tuesday, 17 February 2009, Dale Pontius wrote:
> Just a side comment on this... I have scripts that figure out where the
> heck I am when networking comes up, and based on that decide what, if
> any, service(s) to bring up. When the current network is on "other", NO
> services are started at all - even X is started with "-tcp nolisten" so
> there are no open ports. Scratch that - dnsmasq is listening on
> loopback, but that's it.
>
> Maybe it's not all that's necessary, but it's a good first line of
> defense.

these little helpers are surely the ones which distinguish a nicely secured system from a well secured one (given all other loopholes are treated like that). So are there perhaps plans for collecting some of them (or even just settings etc.) in a hardened-settings / hardened-tools / etc. package? Wouldn't that be a nice addition to the overall hardened offer from Gentoo?

Marcel

* Re: [gentoo-hardened] Re: Which laptop compatible with hardened-workstation ?
From: Romain BERGE @ 2009-02-19 8:06 UTC
To: gentoo-hardened

Thanks for the info.

I am wondering about the video driver.

Does hardened work with binary drivers?
As everyone knows, suppliers such as Intel, nVidia and AMD/ATI provide mostly binary drivers.

Should I choose a laptop built with an AMD/ATI GPU using the open-source radeonhd driver?

Thanks

2009/2/17, Marcel Meyer <meyerm@fs.tum.de>:
> Hi list, hello Dale,
>
> On Tuesday, 17 February 2009, Dale Pontius wrote:
>> Just a side comment on this... I have scripts that figure out where the
>> heck I am when networking comes up, and based on that decide what, if
>> any, service(s) to bring up. When the current network is on "other", NO
>> services are started at all - even X is started with "-tcp nolisten" so
>> there are no open ports. Scratch that - dnsmasq is listening on
>> loopback, but that's it.
>>
>> Maybe it's not all that's necessary, but it's a good first line of
>> defense.
>
> these little helpers are surely the ones which distinguish a nicely secured
> system from a well secured one (given all other loopholes are treated like
> that). So are there perhaps plans for collecting some of them (or even just
> settings etc.) in a hardened-settings / hardened-tools / etc. package?
> Wouldn't that be a nice addition to the overall hardened offer from Gentoo?
>
>
> Marcel
>

* Re: [gentoo-hardened] Re: Which laptop compatible with hardened-workstation ?
From: Vlad "SATtva" Miller @ 2009-02-20 12:10 UTC
To: gentoo-hardened

Romain BERGE (19.02.2009 14:06):
> Thanks for the info.
>
> I am wondering about the video driver.
>
> Does hardened work with binary drivers?
> As everyone knows, suppliers such as Intel, nVidia and AMD/ATI provide mostly
> binary drivers.
>
> Should I choose a laptop built with an AMD/ATI GPU using the open-source
> radeonhd driver?

I hadn't had luck with proprietary ATI drivers under hardened profile, but radeonhd is quite stable now and works well even for 3D hardware acceleration.

> Thanks
>
> 2009/2/17, Marcel Meyer <meyerm@fs.tum.de>:
>> Hi list, hello Dale,
>>
>> On Tuesday, 17 February 2009, Dale Pontius wrote:
>>> Just a side comment on this... I have scripts that figure out where the
>>> heck I am when networking comes up, and based on that decide what, if
>>> any, service(s) to bring up. When the current network is on "other", NO
>>> services are started at all - even X is started with "-tcp nolisten" so
>>> there are no open ports. Scratch that - dnsmasq is listening on
>>> loopback, but that's it.
>>>
>>> Maybe it's not all that's necessary, but it's a good first line of
>>> defense.
>> these little helpers are surely the ones which distinguish a nicely secured
>> system from a well secured one (given all other loopholes are treated like
>> that). So are there perhaps plans for collecting some of them (or even just
>> settings etc.) in a hardened-settings / hardened-tools / etc. package?
>> Wouldn't that be a nice addition to the overall hardened offer from Gentoo?
>>
>>
>> Marcel
>>
>

--
SATtva | security & privacy consulting
www.vladmiller.info | www.pgpru.com

* Re: [gentoo-hardened] Which laptop compatible with hardened-workstation ?
From: RijilV @ 2009-02-16 23:21 UTC
To: gentoo-hardened

2009/2/16 Romain BERGE <romain.berge@gmail.com>
> Hey list,
>
> I am planning to buy a laptop.
> I would like to install a hardened (workstation) profile on it.
>
> Which hardware features/components should I take care of? (to be the
> most compatible with hardened)
> Conversely, are there some hardware components/brands to avoid?
>
> Thanks
>

I have great luck with my Thinkpad x60. I think just follow the standard advice in buying a notebook for use with Linux - search around for people who have already tried it and base your decision on their success.

.r'