666threesixes666

i think the best way to address this is security sub pages....  as in a general security page, then security/threesixestake security/drobbinstake security/olegstake security/physical security/hardening security/selinux security/apparmor security/applicationsecurity security/networksecurity etc etc etc so that it would be able to be very branched out and specific in the same breath.  we could have the extremely broad topic then boil everything down to a tightly knit highly secure system quickly.  skim through all the garbage and just have essentials.  like i need to work on speeding up /dev/random quite a bit more and the entropy daemons that can feed it with more data....  i need to figure out hashing files and salting them, need to figure out gpg...  need to figure out encfs, or luks auto decrypting at boot.  physical security is also a huge topic, how physically secure is your server/laptop etc.  can i break your laptop lock with a hammer?  can i use my lock picking expertise to break your lock open in 2 seconds?  do you have video watching the servers?  are the servers rack mounted?  are the servers vulnerable to nuclear attack, and mirrored off site multiple times?

Threesixes and spectromas, I'd be more than happy to assist with something like this as well. :)
 
Security Blueprints sounds good but what about Security Configuration Guides?
 
It could be good to lay it out in a Defense in Depth matter:
Physical Security
BIOS Configurations
Kernel Configurations
Network Configurations
Application Configurations
Etc, etc.
 
If you really want to kick off some brainstorming and what not please feel free to PM and I can provide some info on my background in relation to this sort of thing.

Not that if really matters or is a proper way of gauging a distro's popularity, because it really really isn't.
 
Just wanted to share with anyone who cares or never took notice that Funtoo has moved up quite a few positions lately.
 
As of today it has the following listed:
 
Popularity (hits per day): 12 months: 163 (68), 6 months: 157 (72), 3 months: 154 (72), 4 weeks: 139 (72), 1 week: 118 (75)
 
http://distrowatch.com/table.php?distribution=funtoo
 
The Funtoo DistroWatch page does not list any reviews, which is a shame.  I highly doubt Jesse Smith from DistroWatch would go through the trouble of installing Funtoo and doing a review, I can't recall the last time he did a review of a distro that didn't have a "one click" installer.   :P But it would be awesome if he did and would give Funtoo some well deserved time in the spotlight because disto's which don't have actual releases never get on the front page really.
 
I wonder if Funtoo can break the top 100 before the end of the year either way?  Because that would be awesome!

gentoo's taking a hit from our presence also.
 
Popularity (hits per day): 12 months: 39 (330), 6 months: 40 (313), 3 months: 44 (310), 4 weeks: 46 (304), 1 week: 44 (301)
 
the moral of the story is post to the wiki accurate eclectic information, and high quality content...  not a bunch of stub articles.  
 
arch is a roller with no installer...  it's top 10
 
Popularity (hits per day): 12 months: 8 (997), 6 months: 9 (914), 3 months: 10 (897), 4 weeks: 9 (842), 1 week: 13 (824)
 
again they have tons of presence, tons of high quality articles...  were aiming for top 10, but this takes massive amounts of effort...  i try to post articles that will answer recurring questions from google searches, or if they're too lazy, and ask anyways i can quickly end the conversation with a link.  if a wiki page is missing the content people want to know, ill add it once i've tested it.  if i haven't tested, ill usually note that or word it less than secure & firm.
 
the website has approximately 1,500 hits a day.  i've been working a bit on linuxforums.com helping people and letting them know im from the funtoo community.  i keep getting locked out of https://www.linux.com/communityso if you want to start talking to people about issues that would be great.

I agree with you.  I want to do more on the wiki with what time I can give right now.  I added the Kodi package because I use it and someone has a question about trying to install XBMC because they didn't know about the name change.  I was looking at working the one Samba one, but I am not a full expert on Samba an all its internals.
 
I noticed the Chuse package has a ebuild page, but doesn't show up here http://www.funtoo.org/Ebuilds
 
Neither does Xfce, I'd like to document some things I found out need to really be done after installing xfce-meta if you want a fully usable desktop from DM to DE.
 
I am going to document my Yoga 2 11 install and post it on a free Wordpress blog I started to talk about Funtoo.

i dont know, i use ntpd...  
 
cat /etc/conf.d/hwclock
clock_hctosys="YES"
clock_systohc="YES"
 
mkultra@spaceball-1 ~ $ sudo /etc/init.d/hwclock status
* status: started
 
that makes the system read cmos time at start, and write cmos time at halt....  the kernel has some RTC stuff to do it also....  dig through the issue and start documenting solutions plz, im busy trying to figure out entropy stuff for ssl security.
 
"In-kernel method[edit]
On a sufficiently modern kernel (3.9 or newer), Linux can be configured to handle setting the system time automatically:
KERNEL
Device Drivers  --->
  [*] Real Time Clock  --->
    [*]   Set system time from RTC on startup and resume
    [*]   Set the RTC time based on NTP synchronization
The hwclock init script should not be ran when using the kernel's real time clock. Opting for this method will speed up the system's boot and shutdown processes slightly." -https://wiki.gentoo.org/wiki/Ntp
 
i did document sufficiently ntpd, the kernel entry is not mine though.
 
did that work for you?  if not you're probably going to have to change your clocks adjustment thing /usr/share/zoneinfo/America/Detroit
 
/etc/localtime -> /usr/share/zoneinfo/EST5EDT
 
uhhh for you its PST8PDT i think....

do you have ntpd or crony installed?  if so are they writing to the cmos at halt?

A few "essentials" I always install early in the build process:
app-misc/tmux
app-editors/zile
app-admin/syslog-ng
app-admin/logrotate
sys-process/vixie-cron

Hey all,
 
Metro now has the ability to perform QA tests and to file JIRA bugs :)
 
Tell me what you'd like me to have tested for you. I'll explain what we are testing so far:
 
Before anything is updated in your Portage tree, we make sure that all the stuff in a stage3 merges cleanly for both funtoo-current and funtoo-stable.
 
QA bot's first job is to make sure that gnome always merges cleanly in funtoo-current. The test involves peforming a full merge of gnome and reporting any failed packages.
 
The first sets of tests we'll be doing involve build testing like this -- which ensures that the required ebuild(s) build cleanly, all deps are resolved, and and emerged packages that depend on said ebuilds find all the stuff they are expected to find.
 
As we improve our QA efforts, I will support the ability to perform arbitrary QA tests that are not just about build testing and dep resolution. But that's where I want to start.
 
One good source of ideas of packages that are important to you are in /var/lib/portage/world. Let me know what you want to see tested.
 
Regards,
 
Daniel

they are part of base system now. ego is a personality of Funtoo systems. Yes, this is complete replacement for eselect tool. Currently it have only epro module. This one is a replacement of profile management: show, list, setting, removing. It is much faster and nicer than original tool. More docs and news expected.

April 23rd 2015
 
Section Installation du stage3 now has a link to subarches page. French subarches page will follow soon. Contents now identical to original English wiki.

you're installing the dependencies to the live distro temporarily.  debian doesn't have jfs in it's live media so that requires apt-getting jfs to deal with the file system & mount the file system that was previously not supported.  id use synaptic to insert the deps since i dont know apt-get's command line tools very well.

Guys, you are not really supposed to change the arch. That is set when the stage3 is built. Quit doing that, and eselect may work fine for you :)

"Important
Right now, the -1 option is required to not add our @kernel set to world-sets. This allows you to emerge it independently from @world. If you forget to use this option, edit /var/lib/portage/world-sets and remove the @kernel line. This will prevent kernel updates from being included in @world updates."
- http://www.funtoo.org/Funtoo_Linux_Installation
 
 
anyways /var/lib/portage/world needs any sys-kernel lines removed to not fetch kernels at world updates ;-)

before doing any of this: nameservers="192.210.200.10" to nameservers="8.8.8.8"
 
basically drop in a known working name server 1st, double check the gateway is correct.  the information you gave omits the subnet mask.  the work network could have a wonky subnet mask.
 
post the output of ifconfig, and ifconfig -a, and dmesg.
 
i use network manager, there is a command line ncurses interface for it...  id emerge network manager (and follow along funtoos package page about it) from chroot, and use nmtui in console to configure the ip addresses.

 
you could turn that old machine into your offices new dhcp server that assigns specific addresses to specific computers, and provides generic pool ip addresses to roaming machines with dnsmasq.

up and running thanks folks

you mask the build that's running and newer then emerge the package....
 
ex:
echo ">=x11-drivers/nvidia-drivers-349.12" >> /etc/portage/package.mask
emerge nvidia-drivers
 
 
you would get nvidia-drivers-346.47  ;-)

sshguard yes...  the others not so much because they are general infra deployment techniques.  i imagine hardened is for shared webserver systems that have tons of users, as far as i know its just more granular permission settings.  i guess it should go to a securing a funtoo install wiki page that would outline several packages/tutorials.
 
LPS "lightweight portable security" is the DOD linux distro, not cia.  what should the page be named, security tips below hardened...  security blueprints?  i like security blueprints for the title of a page of security tips / links to security articles / tutorials.

Hi All,
 
If you have installed a new Funtoo Linux system in the last week, you may have noticed something interesting -- /etc/make.conf is EMPTY and eselect profile show shows something new -- a subarch profile:
 
test / # eselect profile show   Currently set profiles:     arch: gentoo:funtoo/1.0/linux-gnu/arch/x86-64bit    build: gentoo:funtoo/1.0/linux-gnu/build/current   flavor: gentoo:funtoo/1.0/linux-gnu/flavor/core  subarch: gentoo:funtoo/1.0/linux-gnu/arch/x86-64bit/subarch/corei7   What's going on? This is part, or maybe culmination of an ongoing effort to simplify /etc/make.conf. While it is still possible to set CFLAGS in /etc/make.conf, by default, these settings are now defined in a subarch profile. By default, new stage3's will have a subarch profile set, but existing Funtoo systems don't need to have one set. If you'd like to set a subarch profile, you can do so by ensuring you have the latest eselect installed and using the "eselect profile set-subarch" command.   What are the benefits of subarch profiles? Of course, the first big benefit is to keep /etc/make.conf clean. Subarch profiles, along with flavors and mix-ins, are designed to help keep /etc/make.conf tidy and only contain the tweaks you personally need for your system. It also assists with Metro, our stage building tool. Metro no longer has to store all the CFLAGS settings for each subarch -- these are now integrated into the Portage tree, in one place. And also, this allows us to fix and improve subarches over time, and you automatically benefit from any improvements with an emerge --sync.   Hope you enjoy the new system,
Daniel

app-misc/tracker-1.2.3::gentoo USE="exif ffmpeg flac gif gstreamer........
 
 
at-most-one-of ( gstreamer ffmpeg )
 
 
and so as you can see either gstreamer or ffmpeg stays, 1 or the other.....
 
to disable gstreamer:
echo "app-misc/tracker -gstreamer" >> /etc/portage/package.use
 
to disable ffmpeg:
echo "app-misc/tracker -ffmpeg" >> /etc/portage/package.use

Thanks, I will give that a shot tomorrow. As a temporary solution, I was able to get up by:
# ifconfig eth0 192.210.200.164 netmask 255.255.255.0 up # route add default gw 192.210.200.10

You are correct, the old Athlon 2000 XP does not support usb boot, but the new core2 duo machine does, so I will most likely go that route when I get to that.

hi welcome to the forums.  i also am a former slackware user.  i did a bit of distro hopping and eventually landed here.  that kind of machine i would build over ssh, and take your time.  boot live media, setup ssh, and ssh into the live media.  have a more powerful gui work station or what ever sshed in, then get screen going on the live media so you can detach the terminals, and leave the system to work in the background.
 
i think of installing funtoo as like parting together a linux system.  you use another live distro temporarily either directly or by ssh, mount the drive and chroot to it's mount point then you can directly repair any problems or fix anything from the chroot.  if the system doesn't boot correctly re load chroot, and work on it.
 
on the new funtoo computer im building the os on to, i partition, and format the hard drive, i install the stage3, a kernel, and a boot loader.  once i get that running stable, booting properly with networking, and everything going well, tada i reboot into a working funtoo machine.  i emerge everything else i want, and set everything else up like gui, and sound from the funtoo machine, rather than chroot.  once that is up you can turn ssh on and work on the funtoo system from anywhere headless.  you'll probably want to run that older machine as a server.
 
i use xubuntu 14.04 live for chrooting on my machine when i install/reinstall/repair it, i dont bother with ssh or other machines anymore.  your core 2 machine could handle gui live media so you could chroot from debian live media easily.  the core2 machine could probably handle usb live media too.  from the live media you can look at the wiki and forums about building what ever, or troubleshoot packages you're having problems with and have access to the funtoo system under the live media via chroot.
 
i like xubuntu because its set to go for many situations including wifi, where i found debian is a little lean to be using as a repair Swiss army knife.  i like the alternate media because its less hoops to jump through and you're already comfortable with it.  it would probably be a good idea for you to gist the mounting/chrooting commands you use to load up funtoo on github, and give it good tags so you could google exactly for the commands from live media.

just update the grub on sda.  --depclean isn't required to install?  if you emerge anything with out the -1 or --oneshot it will generate a world file.

Thanks for the advice, I appreciate it! I'm actually building it from the SystemRescueCD, which happens to be my favorite live CD.