Dale Pontius wrote:
> 7v5w7go9ub0o wrote:
>> Romain BERGE wrote:
>>> Hey list,
>>>
>>> I am planning to buy a laptop. I would like to install a hardened
>>> (workstation) profile on it.
>>>
>>> Which hardware features/components should I take care of? (to be
>>> the most compatible with hardened) Conversely, are there
>>> some hardware components/brands to avoid?
>>>
>>> Thanks
>>>
>>>
>> Went through a similar exercise a few years ago; concluded that
>> one:
>>
>> - first chooses the laptop that meets his needs (I wanted a 2
>> pounder with good screen and graphics to carry about in a back
>> pack, with frequent stops at hotspots)
>>
>> - second googles about for Linux success/failure stories about that
>> laptop. Gentoo has some great documentation and explanations
>> concerning Linux; Ubuntu has some great user lists regarding
>> specific hardware. My Sony was 95% Linux good to go, with detailed
>> Ubuntu discussions about xorg.conf.
>>
>> - third, if it works on Linux, it'll likely work for hardened. (This
>> was true for 32-bit on my laptop; 64 may be different; I'll know
>> shortly.)
>>
>> FWIW, IMHO a hardened profile, along with other precautions, makes
>> a lot of sense on a laptop as there is all sorts of mischief
>> occurring at anonymous, college and Saturday-afternoon hotspots -
>> some of it quite sophisticated due to "pen test" software. It's a
>> wild west that you'll not experience on your firewalled desktop.
>>
> Just a side comment on this... I have scripts that figure out where
> the heck I am when networking comes up, and based on that decide
> what, if any, service(s) to bring up. When the current network is on
> "other", NO services are started at all - even X is started with
> "-tcp nolisten" so there are no open ports. Scratch that - dnsmasq
> is listening on loopback, but that's it.
>
> Maybe it's not all that's necessary, but it's a good first line of
> defense.
>
> Dale Pontius

Heh..... clever idea; makes good sense to me. :-)

(Some might argue for a VPN so as to avoid DNS poisoning or an
attack against Mara directly - guess that would depend upon the nature
of one's business at the hotspot. FWIW, I run unbound (DNS) in its own
jail. I'll shut it down and use a VPN when doing banking/other
sensitive stuff.)

(Given I use individual, hardened (grsecurity) jails for anything that
connects outside, I can't totally block X - but I do firewall it; and
also confine it through xhost to localhost only.

As far as running services - nope! Heh.... mindful of poisoning or
buffer-overflow attacks, I'll passively monitor the place with kismet
for a minute or two before announcing my presence, and then bring up
DHCPCD in a hardened jail for 3 seconds - long enough to set the network
assignments - then automatically kill it. Arpon can passively monitor
external ARP activity.)
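The two ideas in Dale's side comment, deciding what to start from where the laptop finds itself and then making sure nothing but loopback listeners are left, can be sketched as a small POSIX shell script. This is an added example, not Dale's script or anything from the list; the known-network table (SSID plus gateway MAC) and the sample `ss -ltn` output are constructed for the example, and on a real host the SSID and gateway MAC would come from tools such as `iw` and `ip neigh`. The X server option that turns off its TCP listener is spelled `-nolisten tcp`.

```shell
#!/bin/sh
# Added example: zone-based service start-up for a roaming laptop,
# plus a check that only loopback listeners remain. Not the poster's script.

# Constructed table of trusted networks: zone|SSID|gateway MAC.
# The MACs are made up for the example.
KNOWN_NETWORKS='
home|HomeNet|00:11:22:33:44:55
work|CorpWifi|66:77:88:99:aa:bb
'

# classify_network SSID GATEWAY_MAC -> prints the zone; anything that
# does not match both fields is "other" (an unknown hotspot).
classify_network() {
    ssid=$1
    gw=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    zone=$(printf '%s\n' "$KNOWN_NETWORKS" | awk -F'|' -v s="$ssid" -v g="$gw" '
        NF == 3 && $2 == s && tolower($3) == g { print $1; exit }')
    printf '%s\n' "${zone:-other}"
}

# services_for ZONE -> services that may be started in that zone.
# In "other" nothing is started at all.
services_for() {
    case $1 in
        home) echo "sshd cupsd" ;;
        work) echo "sshd" ;;
        *)    echo "" ;;
    esac
}

# x_server_args ZONE -> extra X server arguments; outside the home
# network X is started without its TCP listener.
x_server_args() {
    case $1 in
        home) echo "" ;;
        *)    echo "-nolisten tcp" ;;
    esac
}

# exposed_listeners "<ss -Hltn output>" -> prints local address:port of
# every TCP listener that is not bound to a loopback address.
exposed_listeners() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" {
        addr = $4
        sub(/:[0-9*]+$/, "", addr)    # drop the port
        gsub(/\[|\]/, "", addr)       # strip IPv6 brackets
        if (addr !~ /^127\./ && addr != "::1") print $4
    }'
}

# apply_policy SSID GATEWAY_MAC -> report what would be started.
apply_policy() {
    zone=$(classify_network "$1" "$2")
    echo "zone=$zone"
    for svc in $(services_for "$zone"); do
        echo "would start: $svc"
    done
    echo "X args: $(x_server_args "$zone")"
}

# Constructed sample of `ss -Hltn` output: dnsmasq on loopback only (fine),
# sshd on all interfaces and an X server on TCP 6000 (both exposed).
SAMPLE_LISTENERS='LISTEN 0 128 127.0.0.1:53 0.0.0.0:*
LISTEN 0 128 [::1]:53 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:6000 *:*'

# Usage: an unknown coffee-shop network, then the listener audit.
apply_policy "CoffeeShop" "de:ad:be:ef:00:01"
echo "exposed listeners:"
exposed_listeners "$SAMPLE_LISTENERS"
```

Matching on the gateway MAC as well as the SSID matters because an SSID is trivially copied; a MAC is too, but the pair raises the bar a little and keeps a look-alike hotspot in the "other" zone. The listener audit is the part worth running after every network change: it is what catches the "scratch that, dnsmasq is listening" case, and reports only what is reachable from the hotspot.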