| 1 |
yeah actually I am, I'm also interested in seeing things like |
| 2 |
samba/ldap/kerberos and selinux modules work the same way as group policy |
| 3 |
objects and administrative templates work. |
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
On Fri, Aug 1, 2008 at 5:24 AM, dante <dante@×××××××××××××××.net> wrote: |
| 8 |
|
| 9 |
> Hi everyone, |
| 10 |
> |
| 11 |
> My students and I have started a new gnome-based desktop linux distro |
| 12 |
> derived from hardened Gentoo. It may be of interest to people on this |
| 13 |
> list. |
| 14 |
> |
| 15 |
> Tin Hat is pretty much Gentoo, but it runs purely in RAM. It boots from |
| 16 |
> CD or pen drive, but is not a liveCD in that it doesn't mount a file |
| 17 |
> system from the boot device. Rather it copies its squashfs from CD to |
| 18 |
> tmpfs in RAM. Booting is slow, it requres 4 GB of RAM or more, but it |
| 19 |
> is lightening fast once up. ("emerge --sync" takes about a minute |
| 20 |
> between a Tin Hat system offering portage, and one sync-ing from |
| 21 |
> scratch. Firefox starts in about 1 second.) |
| 22 |
> |
| 23 |
> Tin Hat was started before the recent coldboot attacks. Within the |
| 24 |
> limit of such attacks, Tin Hat aims at "zero information loss" if |
| 25 |
> physical access is obtained to a system which is powered down. We add |
| 26 |
> Ruusu's loop-aes patch to the kernel so that any hard drives are mounted |
| 27 |
> using one of the best implimentations of block cipher encryptions we |
| 28 |
> know of. During power up, Tin Hat uses GRSEC/PaX hardening to hedge |
| 29 |
> against all the usual attacks. We are now thinking about our own patch |
| 30 |
> to obfuscate data in RAM to protect against coldboot --- but to be |
| 31 |
> honest, we think we can only make it harder, not impossible. |
| 32 |
> |
| 33 |
> Tin Hat is stable. We run 6 systems persistently on clean power and |
| 34 |
> have typical up times of a couple of months. |
| 35 |
> |
| 36 |
> We never intended on releasing Tin Hat, but the students love it so much |
| 37 |
> (the speed!) we thought of announcing it on freshmeat. I thought I'd |
| 38 |
> post to this list because of it is a successful implementation of |
| 39 |
> hardened Gentoo. |
| 40 |
> |
| 41 |
> Home page: http://opensource.dyc.edu/tinhat |
| 42 |
> Freshmeat: http://freshmeat.net/projects/tinhat |
| 43 |
> |
| 44 |
> Anthony G. Basile |
| 45 |
> Chair of Information Technology |
| 46 |
> D'Youville College |
| 47 |
> Buffalo NY 14201 |
| 48 |
> |
| 49 |
> (716) 829-8197 |
| 50 |
> |
| 51 |
> |
| 52 |
> |
| 53 |
> |
| 54 |
> |
Archives