| 1 |
On 07/04/17 23:16, Walter Dnes wrote: |
| 2 |
> On Tue, Jul 04, 2017 at 01:37:38PM -0400, james wrote |
| 3 |
> |
| 4 |
>> W. Dnes is the king of minimalist here, so when he gives advise |
| 5 |
>> realize it has decades of experimentation to get to where he is on |
| 6 |
>> minimization. |
| 7 |
> |
| 8 |
> Not exactly "decades". I first started linux in late 1999 or early |
| 9 |
> 2000. The minimalist approach was a side-effect of me being cheap. |
| 10 |
> Even though I have a newer machine as my "hot backup" waiting in the |
| 11 |
> wings, I want to run my older machine into the ground first. 10 years |
| 12 |
> ago I was running a 450 mhz pentium3 with 256 megabytes of ram. Today |
| 13 |
> I'm running a 2008 Dell with Core2 Duo and 3 gigs of ram today. I have |
| 14 |
> a newer i6 with 8 gigs of ram as the hot backup. Running an older |
| 15 |
> limited machine forces you to optimize. The Gentoo USE flags give me |
| 16 |
> the control to do the utmost minimization. |
| 17 |
> |
| 18 |
> I run the plain default/linux profile, and ICEWM as my WM and no |
| 19 |
> "desktop environment" (as per my sig). The less attack surface, the |
| 20 |
> better. Do not run the Flash plugin or the Java plugin. If you |
| 21 |
> absolutely have to do so, use it inside a VM (e.g. QEMU). I have an |
| 22 |
> aggressive handcrafted iptables firewall. In addition, my little LAN |
| 23 |
> sits behind a NAT-ing router, and I disable UPNP. That covers my |
| 24 |
> approach to security. |
| 25 |
> |
| 26 |
> I run mostly stable, except where an app I want/need is only unstable. |
| 27 |
> Gentoo currently defaults to gcc-5.4.0. I've enabled 6.3.0. I have to |
| 28 |
> enable ICEWM 1.3.12-r1. The regular stable version built under gcc |
| 29 |
> 6.3.0 segfaults 1 or 2 seconds after starting. |
| 30 |
> |
| 31 |
> I used to run with USE="-* blah blah blah". I no longer do that, but |
| 32 |
> I aggressively disable USE flags, until something breaks, then I back |
| 33 |
> off. My current USE line (it's actually one long line)... |
| 34 |
> |
| 35 |
> USE="X apng bindist ffmpeg jpeg opengl png szip truetype x264 x265 xorg |
| 36 |
> threads webp -acl -berkdb -caps -cracklib -crypt -filecaps -gallium |
| 37 |
> -gdbm -graphite -gstreamer -iconv -introspection -ipc -iptables -ipv6 |
| 38 |
> -libav -llvm -manpager -nls -openmp -pam -pch -sendmail -tcpd -udev |
| 39 |
> -udisks -unicode -xinerama" |
| 40 |
> |
| 41 |
> Some of the above is over-ridden in package.use. |
| 42 |
> |
| 43 |
|
| 44 |
Well, now that's a good summary (starting point) for a minimized gentoo |
| 45 |
system. The gentoo-devs have been discussing changes to the profiles, |
| 46 |
but I'm not certain where that has ended up. I just use the 'default' |
| 47 |
and go from there, or the simplest 'hardened' profile that is cpu |
| 48 |
relevant. I'm not sure of the most straight forward way to compare |
| 49 |
flag setting (the difference) between any two profiles for a new |
| 50 |
installer to examine; perhaps somebody else has a straight forward |
| 51 |
method to compare current profiles, within a given architecture? |
| 52 |
|
| 53 |
Surely at look at the contents of @system set is a good starting point |
| 54 |
for a new gentooer to see what he gets no matter which profile he |
| 55 |
selects? Then there is the 'experimental' profiles that the devs keep |
| 56 |
moving around; who knows what's up with those mavericks.... |
| 57 |
|
| 58 |
|
| 59 |
Hopefully the AliceF [1] GSoC work will result in some structure to to |
| 60 |
follow for a minimized and hardened kernel going forward. Even in the |
| 61 |
gentoo-sources kernel there is much that can be stripped out, reducing |
| 62 |
bloat at the least and probably reducing attack venues too. During this |
| 63 |
process, I keep several bootable kernels available so reverting is easy. |
| 64 |
Perhaps there is a gentoo wiki page that at least outlines the manual |
| 65 |
processes (a structured approach) as users go down the pathway of |
| 66 |
stripping out what their workstation does not need in a kernel? |
| 67 |
|
| 68 |
Perhaps someone has a slick, home-spun, tool that readily identifies |
| 69 |
what can be additionally stripped from the current kernel offerings on |
| 70 |
the pathway to minimized_nirvana ? |
| 71 |
|
| 72 |
|
| 73 |
Then there's NFTables; not sure anything useful is published on |
| 74 |
NFTables, nor how effective it is for a workstation firewall... [3] |
| 75 |
|
| 76 |
Thanks Watler for sharing. Increasing the population of (OpenRC et. al.) |
| 77 |
minimalists is always welcome as our numbers are growing every day; |
| 78 |
not that one is bound to OpenRC to be a gentoo_minimalist. |
| 79 |
|
| 80 |
|
| 81 |
|
| 82 |
hth, |
| 83 |
James |
| 84 |
|
| 85 |
[1] https://blogs.gentoo.org/alicef/ |
| 86 |
https://archives.gentoo.org/gentoo-soc/threads/2017-06/ |
| 87 |
|
| 88 |
[3] https://wiki.gentoo.org/wiki/Nftables |
Archives