# Gentoo-hardened for laptop?

## ial

Is the 'hardened' system profile the best choice for a laptop? I have read that laptops are very prone to compromise attempts because of the uncertainty that comes with mobility: you never know what an unknown Wi-Fi hotspot will offer...

Is there also anything to do to strengthen protection in the case of kernel-encrypted partitions?

----------

## nixnut

'Best' depends on the context. Best for what?

The 'hardened' profile does not focus on ease of use for the casual user. A lot of multimedia software is programmed for performance instead of correctness and will do very nasty things. A system with a hardened toolchain and kernel will stop such applications from running. So you may find that a lot of nice shiny things you want to use don't work anymore.

Also, you can make a non-hardened system quite secure with some easy, sensible measures. And using Linux you will have little trouble with all sorts of malware that target Windows systems. And that brings us to open/unknown Wi-Fi hotspots. When using these you are in danger of being deceived and spied on. You can be tricked into believing you're connecting to some site you would like to visit, but the traffic can be intercepted and sent elsewhere, to a site that fakes the one you actually wanted to visit. Such sites often result in Windows systems being infected with malware. Or they try to trick users into handing over their passwords.

----------

## ial

 *nixnut wrote:*   

> 'Best' depends on the context. Best for what?
> 
> The 'hardened' profile does not focus on ease of use for the casual user. A lot of multimedia software is programmed for performance instead of correctness and will do very nasty things. A system with a hardened toolchain and kernel will stop such applications from running. So you may find that a lot of nice shiny things you want to use don't work anymore.

The only insurmountable obstacle has been Skype so far on my hardened workstation... The others work well; mplayer refused to compile with gcc-...pie so I switched temporarily with gcc-config into the 'vanilla' mode... Seeing how simple it is, I did the same with some other apps that don't seem security-critical at all, contrary to their performance. For instance some graphics rendering viewers and so on...

 *Quote:*   

> Also, you can make a non-hardened system quite secure with some easy, sensible measures. And using Linux you will have little trouble with all sorts of malware that target Windows systems. And that brings us to open/unknown Wi-Fi hotspots. When using these you are in danger of being deceived and spied on. You can be tricked into believing you're connecting to some site you would like to visit, but the traffic can be intercepted and sent elsewhere, to a site that fakes the one you actually wanted to visit. Such sites often result in Windows systems being infected with malware. Or they try to trick users into handing over their passwords.

To be honest, I believe the security threats really exist, but I have trouble truly imagining them. The problem with Windows is probably a problem only for completely unaware users... I have used MS Windows for many years too and I must tell you I have never encountered a single virus that did anything wrong beyond my control! I used to install (temporarily, just to try out) some antivirus programs from time to time and really wanted to see them going through a dramatic battle :Wink: and eliminating these nasty enemies with difficulty :Wink: But it was always so boring... After lengthy, tedious scanning of all the big drives on my system, with all the antivirus program's features heightened to the limit, there was never anything but routine, mundane final messages as a result of these antiviral scans.

Maybe this is because I never use the internet logged in as Administrator or Power User but always as an 'unprivileged' user. And I do so by means of trusted clients like Opera, Firefox, Thunderbird etc. Besides, my MS Windows system is always kept freshly updated and I pay close attention to keeping all NTFS filesystem rights as tightened and concise as possible. Thus an unprivileged user is completely contained within his hermetic space (together with his occasionally caught malware and so on).

So please propose any other threat scenario I should be afraid of, either using MS Windows or 'unhardened' Linux... :Wink:

----------

## djinnZ

There are some problems with the hardened profile. Sure, crappy, intrusive, insecure, half-spyware programs such as Skype will never work (you need the gcc 4.x that is not usable with hardening), but the biggest problem is with the proprietary nvidia/ati drivers.

Consider that debugging is absolutely unreasonable and that ricing will always cause a disaster (-O2 -fomit-frame-pointer -fforce-addr -Wl,-O1 -Wl,--as-needed and -march are in fact the only options). Some programs such as OOo or mplayer will never compile with protection (but the dangerous flags are filtered by default), mono does not work (but I have never seriously started to fix it) and can never work with binfmt, you will experience crashes more often with mozilla and the other browsers (especially with the damned flash), and the system is surely slower than with the default profile.

There are many problems, but nothing impossible to solve.

In fact I use the hardened profile in order to have the same library and software assets on the laptop as on the server (I work on the other system, due to a legal obligation to use software released by some crappy producers, with absolutely insecure settings) to test the configurations and the updates. Having hardened on a stand-alone laptop... if you leave it alone for the entire day, active, connected to untrusted networks (full of script kiddies), as I sometimes do, it can be reasonable to switch to the hardened profile (grsec+PaX, not SELinux or RSBAC), but in a limited way: some options, such as disabling modules, are not usable. Essentially PIE/smash protection/PaX/RBAC are a measure against code vulnerabilities or rootkits, in order to make their work harder.

If you only look at security in a small environment, "normal" Linux is sufficient; if you are asking about home use, think about a VPN and good firewall/proxy protection.

----------
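Both ial (switching individual packages back to the 'vanilla' gcc-config profile) and djinnZ (PIE/smash protection/PaX as the point of the hardened toolchain) raise the same practical question: after a mixed build, which binaries actually carry the protections? The following is an added example from the editor, not code from the thread or from Gentoo. It reads the ELF64 header and program headers directly and reports PIE, non-executable stack (PT_GNU_STACK), RELRO and a heuristic for -fstack-protector. The two sample images (`HARDENED`, `VANILLA`) are constructed inline for testing and are not real binaries; PaX per-binary markings and the SELinux/RSBAC side are not checked here.

```python
import struct
import sys

# ELF constants (from the ELF specification / elf.h)
ET_EXEC = 2
ET_DYN = 3
PT_DYNAMIC = 2
PT_INTERP = 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 1
PF_W = 2
PF_R = 4


def elf_hardening(data):
    """Report which toolchain/loader protections an ELF64 LE binary carries.

    pie:   ET_DYN with a PT_INTERP segment (a PIE executable, not a .so)
    nx:    PT_GNU_STACK present and without the executable flag
    relro: PT_GNU_RELRO present (GOT made read-only after relocation)
    ssp:   heuristic: the image references __stack_chk_fail, which is what
           -fstack-protector emits; a function with no stack buffers would
           not reference it even when built with the hardened toolchain
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only 64-bit little-endian ELF is handled here")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    # p_type and p_flags are the first two fields of each program header
    phdrs = {}
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        phdrs[p_type] = p_flags

    stack_flags = phdrs.get(PT_GNU_STACK)
    return {
        "pie": e_type == ET_DYN and PT_INTERP in phdrs,
        "nx": stack_flags is not None and not (stack_flags & PF_X),
        "relro": PT_GNU_RELRO in phdrs,
        "ssp": b"__stack_chk_fail" in data,
    }


def build_elf(e_type, segments, tail=b""):
    """Construct a minimal ELF64 image (header + program headers only) as
    sample input. `segments` is a list of (p_type, p_flags) pairs. This is
    constructed test data, not a real binary."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 e_type, 62, 1, 0, 64, 0, 0, 64, 56,
                                 len(segments), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x1000)
                     for t, f in segments)
    return header + phdrs + tail


# Constructed samples: what a hardened-profile build looks like versus a
# 'vanilla' gcc-config build with a non-PIE executable and executable stack.
HARDENED = build_elf(ET_DYN, [(PT_INTERP, PF_R), (PT_DYNAMIC, PF_R | PF_W),
                              (PT_GNU_STACK, PF_R | PF_W), (PT_GNU_RELRO, PF_R)],
                     tail=b"\x00__stack_chk_fail\x00")
VANILLA = build_elf(ET_EXEC, [(PT_INTERP, PF_R), (PT_DYNAMIC, PF_R | PF_W),
                              (PT_GNU_STACK, PF_R | PF_W | PF_X)])


if __name__ == "__main__":
    # Usage: python elfcheck.py /usr/bin/mplayer ...  (no args: run on samples)
    paths = sys.argv[1:]
    if paths:
        for p in paths:
            with open(p, "rb") as f:
                print(p, elf_hardening(f.read()))
    else:
        print("hardened sample:", elf_hardening(HARDENED))
        print("vanilla sample: ", elf_hardening(VANILLA))
```

Run it over the packages you rebuilt with the vanilla profile: anything that reports `pie` or `nx` as false is exactly the kind of binary PaX cannot randomize or protect, so it is worth keeping that list short and away from network-facing software.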

## Hu

Windows has vulnerabilities that limited user rights cannot curb, but that is outside the scope of this topic.

In my opinion, the single biggest threat to the security of a laptop is that it will be physically stolen.  Opinions vary as to whether a typical thief would have both the motivation and the ability to harvest data off a laptop running a non-Windows OS.  If you keep any data on it that you would object to being publicly known, you should consider using disk encryption to protect the partition(s) on which you will keep the private data.  There are plenty of guides around for how to configure a Linux laptop to do full disk encryption.  If you are willing to have the root partition unencrypted, the baselayout support for DM-Crypt should be able to handle encrypting your private partitions.

----------
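For the setup Hu describes (root left unencrypted, private partitions handled by the baselayout dm-crypt support), here is a config fragment added by the editor as an example; it is not from the thread. The partition `/dev/sda5`, the mapping name `private` and the mount point `/home/private` are assumptions, and the one-time commands are shown as comments because they must be run as root against a real device.

```sh
# /etc/conf.d/dmcrypt  (added example; /dev/sda5 and the names are assumed)
#
# One-time setup as root, before enabling the service:
#   cryptsetup luksFormat /dev/sda5        # wipes the partition, asks for a passphrase
#   cryptsetup luksOpen /dev/sda5 private  # creates /dev/mapper/private
#   mkfs.ext4 /dev/mapper/private
#   cryptsetup luksClose private
#   rc-update add dmcrypt boot             # open the mapping at every boot

target=private
source='/dev/sda5'
# Deliberately no 'key=' line: the passphrase is asked for at boot, so a
# thief who has the laptop but not the passphrase gets only ciphertext.
# A keyfile stored on the same unencrypted disk would defeat the purpose.

# Matching /etc/fstab line (the dmcrypt service opens the mapping first):
#   /dev/mapper/private   /home/private   ext4   noatime   0 2
```

Note that this protects data at rest only: once the mapping is open and the laptop is running, the files are as exposed as on any other partition, which is why the earlier posts' concerns about untrusted networks still apply.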

