If so, then it is worth having a look at Hardened Gentoo to have full control over the process of how the system is built, what patches are applied, etc.
On Mon, Aug 26, 2013 at 04:05:25PM +0000, Dan White wrote:
> On 08/26/13 17:09 +0200, Eugen Leitl wrote:
> >
> >I've managed to lay my hands on a couple of Lenovo X60's that are
> >in pretty good shape and would like to use them as a moderately secure
> >communication/development system. (I'm not trusting my desktops,
> >servers or mobile devices for obvious reasons). I'm loath to modify
> >the hardware at this point, so I expect to only flash coreboot
> >upon it.
> >
> >What kind of security-minded Linux or *BSD would you guys
> >recommend? Liberte looks a bit too stable (cough, sorry Максим)),
> >Kali is more for security h4x0rs. Anything else that is well-maintained
> >yet borderline secure from *untargeted* TLA-level scrutiny?
> >
> >I'm okay with text-mostly distros, or minimalistic window
> >managers. It shouldn't be a kitchensink of stuff I don't need,
> >but on the other hand it shouldn't be so secure it's
> >unusable, either.
> >
> >Pointers to any HOWTOs or SOPs highly welcome. Tanks & machine guns.
>
> The boring recommendation: Debian
>
> Pros:
> * Lots of eyeballs
> * Timely security updates (well, timely as far as vendors go)
> * A wealth of pre-packed software, which can be twiddled down to size
> * Some fancy features out of the box (like remotely booting a LUKS
>   encrypted root filesystem via an initramfs ssh daemon)
>
> Cons:
> * Patching your locally installed (packaged) software must be done with
>   Debian build scripts, or you quickly lose the benefits of the apt system
> * Stupid patches have made it past the package maintainer (the OpenSSL
>   2008 patch being the one that comes immediately to mind)
>
> If you're willing to compile your own software or security updates, then I
> think your choice of OS/distro may be mostly moot.
>
> I'd recommend against a specialized security (linux) distro, unless you
> know what you're doing. Support for many of them seems to be pretty spotty,
> according to my unscientific observation from ##linux.
