| 1 |
7v5w7go9ub0o wrote: |
| 2 |
> Romain BERGE wrote: |
| 3 |
>> Hey list, |
| 4 |
>> |
| 5 |
>> I am planning buying a laptop. I would like to install a hardened |
| 6 |
>> (workstation) profile on it. |
| 7 |
>> |
| 8 |
>> Which hardware features/components should I take care of ? (to be the |
| 9 |
>> most compatible with hardened) In the opposite, are there some |
| 10 |
>> hardware components/brand to avoid ? |
| 11 |
>> |
| 12 |
>> Thanks |
| 13 |
>> |
| 14 |
>> |
| 15 |
> |
| 16 |
> Went through a similar exercise a few years ago; concluded that one: |
| 17 |
> |
| 18 |
> - first chooses the laptop that meets his needs (I wanted a 2 pounder |
| 19 |
> with good screen and graphics to carry about in a back pack, with |
| 20 |
> frequent stops at hotspots) |
| 21 |
> |
| 22 |
> - second googles about for linux success/failure stories about that |
| 23 |
> laptop. Gentoo has some great documentation and explanations concerning |
| 24 |
> Linux; Ubuntu has some great user lists regarding specific hardware. My |
| 25 |
> Sony was 95% Linux good to go, with detailed Ubuntu discussions about |
| 26 |
> xorg.conf. |
| 27 |
> |
| 28 |
> - third if it works on Linux, it'll likely work for hardened. (this was |
| 29 |
> true for 32bit on my laptop; 64 may be different; I'll know shortly ) |
| 30 |
> |
| 31 |
> FWIW, IMHO a hardened profile, along with other precautions, makes a |
| 32 |
> lot of sense on a laptop as there is all sorts of mischief occurring at |
| 33 |
> anonymous, college and Saturday-afternoon hotspots - some of it quite |
| 34 |
> sophisticated due to "pen test" software. It's a wild west that you'll |
| 35 |
> not experience on your firewalled desktop. |
| 36 |
> |
| 37 |
Just a side comment on this... I have scripts that figure out where the |
| 38 |
heck I am when networking comes up, and based on that decide what, if |
| 39 |
any, service(s) to bring up. When the current network is on "other", NO |
| 40 |
services are started at all - even X is started with "-tcp nolisten" so |
| 41 |
there are no open ports. Scratch that - dnsmasq is listening on |
| 42 |
loopback, but that's it. |
| 43 |
|
| 44 |
Maybe it's not all that's necessary, but it's a good first line of defense. |
| 45 |
|
| 46 |
Dale Pontius |
Archives