| 1 |
On Friday 17 September 2010 00:35:20 you wrote: |
| 2 |
> I've been running my servers for years on hardened Gentoo, but I always |
| 3 |
> figured it would be too problematic for my deskside and laptop machines. |
| 4 |
> |
| 5 |
> Is this true? Have things gotten better, and is it perfectly reasonable |
| 6 |
> to run hardened Gentoo for general purpose use? |
| 7 |
> |
| 8 |
> Two problem factors... My family likes YouTube and the like, and for my |
| 9 |
> job I have to run proprietary binary-only software. (Silicon CAD tools) |
| 10 |
> |
| 11 |
> Thanks, |
| 12 |
> Dale Pontius |
| 13 |
|
| 14 |
Hi, |
| 15 |
|
| 16 |
IMHO, short answer: if you don't need to run binary video drivers and Flash, |
| 17 |
hardened desktop will be just fine... |
| 18 |
|
| 19 |
Longer answer: I'd say it's a matter of risk management :) ..and available |
| 20 |
resources (time mainly). |
| 21 |
|
| 22 |
Flash is an issue (security-wise but also getting it to work with hardened |
| 23 |
:D), but then again - you could always use different browser with flash and |
| 24 |
without hardened stuff (for example Opera will run it fine on grsec kernel |
| 25 |
with mprotect disabled and you can't harden it anyway) and lock it down using |
| 26 |
RBAC? Or simply use VM for that? Again, depends how far you want/have to go to |
| 27 |
mitigate the risk... |
| 28 |
|
| 29 |
Back to your original question - personally I believe in hardened desktop ;] |
| 30 |
I'm running three of these (one laptop) and more or less everything works |
| 31 |
(running KDE4) but yes, you need to compromise few things |
| 32 |
sometimes...Flash/Gnash is a nightmare...getting X11 to works sometimes too, |
| 33 |
all depending on your card, nvidia binary stopped working ages ago (not sure |
| 34 |
if it works now), nouveau breaks every now and then regardless of hardened ;) |
| 35 |
so you're left out with fairly stable nv drivers but no 3D accel...from my |
| 36 |
experience ATI seems to be more hardened friendly (OS driver, binary probably |
| 37 |
not). I'm soon to try the Intel chipset - hopefully it will be better! (or |
| 38 |
fixable at least ;)). |
| 39 |
|
| 40 |
Not sure if this helps, but there you go - my two cents ;) |
| 41 |
|
| 42 |
BTW - maybe it would be worth documenting somewhere issues with hardened- |
| 43 |
gentoo desktops? I'll have plenty to share! ;) |
| 44 |
|
| 45 |
Regards, |
| 46 |
Radek |
Archives