Posts posted by swamprabbit

  1. Just a quick update: I have been so busy with work that I haven't gotten far with this install.


    But since my last post, I put in an improvement bug report for a subarch for Silvermont CPUs, and drobbins has been great enough to create a subarch for the CPU used in the Yoga 2 11S!


    Which means now when I get back to it in the next week or so, it will be an optimized build for the Yoga 2 11S now!

  2. I agree, a general security page is definitely the way to start.

    To take what you proposed already, I think narrowing it down with sub-categories helps keep it organized and modular.


    By sub-categories, I mean start with basic domains of security, then have individual methodologies and applications under each.


    For example selinux and apparmor are both forms of Access Controls, technical ones, not to be confused with Physical Access Controls.


    There are a lot of websites and books to look at for a reference of how this can be organized.

  3. I can offer a few beginner suggestions.


    You can reduce compiling time by not compiling larger packages and using the pre-compiled binaries for the web browser and LibreOffice.

    This link should help with the web browser offerings.  http://www.funtoo.org/Web_Browsers


    USE flags really depends on a lot of things, but since you want to use LXDE, you can "opt out" from the other major ones that bring in a lot of fluff.



    USE="-gnome -kde"

    VIDEO_CARDS="specific for your system (i.e. radeon)"




    That was where I started, later I learned from looking at what emerge said would get pulled in, and asking on IRC.

    You can pretend to do the emerge (install) and that really helps to see what will get pulled in or changed.


    I am sure others will chime in with specifics, like compiling on a different machine, etc.

  4. @drobbins


    Thank you and the team for working on all these exciting changes, I think it is great! 


    I do have a question about at which step of the install process a user should "unmerge, remove kernel and initramfs" if they want to build their own kernel.

    I assume a user should do this right after chrooting into new system for the first time because the kernel included in the stage3 is part of the world set correct?


    I am asking because of the advice given in this thread http://forums.funtoo.org/topic/477-prevent-debian-sources-from-merged/?do=findComment&comment=2632


    I use either gentoo-sources or hardened-sources and just want to make sure I understand any new changes to my process that I need to make during a new install.

  5. Fixed. Thanks.


    Thanks, I plan on messing with Chuse later this week.  :)


    As of today here is the info from DistroWatch


    Popularity (hits per day): 12 months: 161 (69), 6 months: 158 (72), 3 months: 151 (73), 4 weeks: 133 (73), 1 week: 111 (82)


    I also posted a comment on DistroWatch Weekly about getting some attention and reviews of distros that have not been reviewed (i.e. Funtoo).  ;)

    Made mention of drobbins' work on Ego and Epro as a noteworthy news announcement.


    It's comment #9.

  6. I agree with you.  I want to do more on the wiki with what time I can give right now.  I added the Kodi package because I use it and someone had a question about trying to install XBMC because they didn't know about the name change.  I was looking at working on the Samba one, but I am not a full expert on Samba and all its internals.


    I noticed the Chuse package has an ebuild page, but doesn't show up here http://www.funtoo.org/Ebuilds


    Neither does Xfce, I'd like to document some things I found out need to really be done after installing xfce-meta if you want a fully usable desktop from DM to DE.


    I am going to document my Yoga 2 11 install and post it on a free Wordpress blog I started to talk about Funtoo.

  7. Not that it really matters or is a proper way of gauging a distro's popularity, because it really really isn't.


    Just wanted to share with anyone who cares or never took notice that Funtoo has moved up quite a few positions lately.


    As of today it has the following listed:


    Popularity (hits per day): 12 months: 163 (68), 6 months: 157 (72), 3 months: 154 (72), 4 weeks: 139 (72), 1 week: 118 (75)




    The Funtoo DistroWatch page does not list any reviews, which is a shame.  I highly doubt Jesse Smith from DistroWatch would go through the trouble of installing Funtoo and doing a review; I can't recall the last time he did a review of a distro that didn't have a "one click" installer.   :P But it would be awesome if he did, and it would give Funtoo some well deserved time in the spotlight, because distros which don't have actual releases never really get on the front page.


    I wonder if Funtoo can break the top 100 before the end of the year either way?  Because that would be awesome!

  8. sitquietly, thank you for sharing all of that.


    I know what you mean about Arch/Manjaro though, the Manjaro OpenRC interests me because sometimes a simple binary based install is good in certain situations.

    I usually did my Debian installs from the net install and yes as soon as you get far enough, it gets pretty bloated and cumbersome in the end sometimes.


    I did look at Calculate Linux prior to deciding Funtoo offered me everything I really want for the most part.  My problem with Calculate was probably because I installed using the desktop option, rather than starting with the core install.  I did this to see what would get installed and how usable it would be right out of the box.  It was nice and all, but my main gripe is that it seems to be designed to be connected with a Calculate Linux server; there are a lot of extras and whatnot which seem either overkill or redundant.  The package installation through the GUI seemed far more complex than just doing it via the CLI and config files.  I wasn't a huge fan of a lot of the GUI tools right away.  Everything did work out of the box though, and I think they are on the right track as far as a Gentoo-based distro for ease of use and possibly helping to make its adoption more widespread, but in the end it seemed much easier to build from scratch than rip apart the Calculate Linux install.  I do plan on going back and actually giving it a long-term demo though.


    For the longest time I have used Debian on my servers, starting from the base.  My desktops, laptops, and HTPCs have mostly either used a full Debian or Linux Mint Xfce install and I would rip it apart, but like you pointed out you can only do so much.


    I for sure need to get familiar with the more advanced capabilities that are available like you mentioned in the last part of your post.  I'm getting there slowly but surely with what time I can spare.  I've learned a lot so far working with Funtoo; I realized that I should have started with a source-based distro a long time ago like people I know.  The foundation of knowledge and experience is built better that way.

  9. Yes, there's some concern about wear on the SSD from builds but all my reading suggests the SSD should easily outlive the useful life of this laptop.


    Just to be clear, when I say it takes "a while" I mean many hours.  I didn't really keep track of how long the original builds took but an update of 60 packages just took about 10 hours.   This is no big deal for the way I use this laptop. 


    Thanks!  I have also read that SSD lifespan is far better than what it was when they first came out.  I had issues with a first gen OCZ on a FreeBSD box a long time ago, I think it died from logging too much, which also was probably my own fault.  Just sorta been cautious ever since. :P


    I would probably update it every other week, maybe once a month, and try and update/upgrade in stages.  I like to keep my systems very usage specific and have noticed that my updates/upgrades have been fairly minimal since using Funtoo to begin with.  It's mostly just been because I am fully getting the hang of using USE flags.

    Libreoffice will probably be the biggest package installed on the laptop.


    Why not explore distcc?  You've got other Funtoo systems lying around; it's possible to set up the laptop to not even do any of the compiling, just linking, and if you're really concerned about the SSD and don't care how long it takes, you could set up all of the linking to occur over an NFS mount (not recommended...but possible!).


    Thank you for bringing that up.  I am still very new to Funtoo/Gentoo, I read a bit about it, and now that you are bringing it up... I'll have to look at that again.

  10. Thank you for a personal example.



    It takes a while to build everything but I mainly use it as an ultra-portable for travel so there's no reason to update it all that often.


    That is exactly what I will be using it for, so yes I wouldn't be updating it that often either.

    I bought a 250GB Samsung 840 EVO for it, which I know I won't fill up, so I will be able to keep spare sectors to reduce write amplification.


    I assume you do not use any of the 2GB of RAM for /tmp /var/tmp and you have a swap partition on your SSD?


    I guess adjusting the swappiness, using noatime, using binary packages for things like Firefox, and other minor things to reduce random writes would be a good start, and then see how it performs.

  11. Hello everyone,


    I know the forums don't get a lot of traffic, but I figured I'd ask anyway because I probably could get some good feedback.


    Quite awhile ago, I bought a Yoga 2 11, new for $100 less than retail.  I got it for non-work stuff when I travel because my work laptop is very very restricted.

    When I got it my goal was for something small and simple to use on the plane and whatnot.  I was going to put Debian on an SSD, but never got around to it, and really haven't taken it with me on work trips in a while.  I think it is a great little system, other than having Windows on it.




    But recently I have moved to Funtoo on all of my desktops, HTPCs, and laptop.  The only systems I haven't moved over are two servers and the Yoga 2.

    I don't feel comfortable moving to Funtoo on my servers yet, only because of my lack of experience with it, and due to time.  But the Yoga 2.....


    While I know that Funtoo would run great on the Yoga 2 11, a few things concern me with doing that, and I'm not sure if Funtoo is the best option for it.


    - the Yoga 2 11 only has 4GBs of RAM, which is soldered on, so I can't upgrade it.

    - using only an SSD for a source based distro with only 4GB of RAM to use for tmpfs - /tmp /var/tmp, /usr/portage.

    - has an SD card slot which could be used, although not sure it is worth the effort.


    Because of this, I think it may be more reasonable to install a binary-based distro.

    Choosing one would be easy if I didn't have one major requirement... NO systemd, which really limits the options to a degree.



    Overall for a distro to put on it I'm loosely looking for:


    - no systemd

    - binary based

    - lean (no bloat unless I want it)

    - everyday use: prefer ease of use over time consuming usage

    - current packages (doesn't have to be bleeding edge though)

    - solid distro which won't go away in a year

    - used for basic office stuff, web browsing, media playing, a game and virtual machine here and there


    I have been looking at trying out Manjaro because they have a community openRC Xfce version, which gets a lot of attention.


    I am also still looking at giving the following some more time trying out:

    Zenwalk, Salix, Slax, PC-BSD, Vector, Alpine


    But would like some opinions on other options if anyone has any.



  12. Hello kxmx,


    I may be able to help, or at least start to troubleshoot the problem.


    Can you give us some more information about the problem you are having with getting your SD card reader to work?


    - Is your system a laptop or desktop with an SD card reader?

    - What is the model of your system and the SD card reader model?

    - Do you have Funtoo installed or are you trying to install Funtoo on an SD card?

    - Did you build and configure your own kernel?

    - What desktop environment are you using (KDE, Gnome, Xfce)?



    With a SD card in the reader you can run the command:

    # sudo fdisk -l

    You can also try:

    # sudo ls -la /dev/sd*

    These can show if your system can already see the SD card.


    There are a few things you can do to make sure everything is working as expected if needed.

    1) Verify that Funtoo knows about your SD card slot and what to do with it.
    2) Verify that Funtoo knows you inserted an SD card.
    3) Verify that Funtoo understands the filesystem on the SD card you inserted.


    You can use one or all of the following commands in a terminal window to help with this:

    # sudo lspci -v -nn 
    # sudo lshw 
    # sudo lsusb

    Those commands will help to determine if your system can detect the card reader itself and can help determine if there is a module or driver problem.  The last one is only relevant if you have a USB SD card reader.



    * You don't need to use "sudo" of course if you are root already.

  13. jwjones, my apologies, I just realized that I went rolling on with the ideas 666threesixes666 and spectromas brought up, without providing some info for your question.

    I am still new to Funtoo/Gentoo specific things, but I think I can add more to what threesixes said in the first post.  I'll try and be broad and focused at the same time, because I also don't know how paranoid and security focused you are.  Or maybe it will answer something for someone else. ;)


    I'm getting ready to install Funtoo to my new (to me) Core2 Duo desktop. Is there any advantage for an average desktop user such as myself to using the 'hardened' mix-in? I tend to run a bit on the paranoid side in terms of security, but perhaps this is only really useful in server settings? Just wondering if anyone uses/recommends this for the desktop.

    In general there are advantages to a user running a "hardened" desktop, but there are also disadvantages, such as the time consumed configuring it so that everything "just works".  Security mechanisms can often get in the way of a user's needs or force them to modify how they use their system in order to accommodate the protections that are put in place.


    The key for "average desktop user" that likes to keep a security focused mindset is to find balance when implementing security in relation to the cost of the data or user's time and the risks that are out there.

    Much of this is preference, but like you mentioned in your post, servers are often held to a higher standard because of the cost of the data/resource and the server administrator's time.  But some people like to run their desktops with the same level of protection.  In the business world, more often than not, all of this is evaluated through a Business Impact Assessment, and security mechanisms are developed and implemented based on this.


    For example, 666threesixes666 explained some of the security mechanisms and configurations that they find reasonable for their situations and usage.

    For your "average desktop user", or a desktop system that is used for surfing the web, playing games, and creating non-sensitive documents, things like 666threesixes666 explained are usually enough.  Things like those mentioned: a long complex password, a good host firewall, not running unneeded services that create risk (ssh, avahi, samba, ftp, telnet, etc.), using separate partitions for data separation.  These are considered typical security configurations because most security people think of these first, and they work well at protecting "average desktop users" without really getting in the way.


    An "average desktop user" can take things a step further without running the hardened mix-in or compiling a hardened kernel by using security related applications like sshguard, fail2ban, denyhosts, rkhunter, aide, tripwire, dnscrypt, apparmor, sudo, etc., etc.

    These types of things are what I consider "piling on security"; this falls under "hardening" in general.  But I like to call it "piling on security" because you are just adding security mechanisms "on top" of the base system, and it helps people understand.


    A user can take it a step further by doing some extra configuration changes as well; these are usually focused strictly on the base system.  Such as: configuring password complexity, aging, and lockout options, modifying hosts.deny and hosts.allow for use with tcpwrappers, adding egress filtering to the firewall, modifying /etc/sysctl.conf, using Bastille and/or Lynis for extra hardening options, and using openscap and/or cvechecker to continuously monitor system vulnerabilities based on installed software.  There are so many others that are for specific applications a user may use, too many to add right now.


    The last option or step is to take it to the extreme or partially there.  This is using hardened mix-in and or a hardened kernel.


    The Funtoo Flavors and Mix-ins page states the Hardened Mix-in "enables hardened support."

    Now because I am still new to all the ways of Funtoo/Gentoo, I am going to assume this relates to what Gentoo has in their wiki: "By choosing the hardened profile, certain package management settings (masks, USE flags, etc) become default for your system. This applies to many packages, including the toolchain. The toolchain is used for building/compiling your programs, and includes: the GNU Compiler Collection (GCC), binutils (linker, etc.), and the GNU C library (glibc). By re-emerging the toolchain, these new default settings will apply to the toolchain, which will allow all future package compiling to be done in a hardened way."  I believe this is what the hardened mix-in offers because when I used it, it did not include grsecurity options in the kernel .config (see below).


    Using hardened-sources versus gentoo-sources or anything else includes the Hardened Gentoo Toolchain into the kernel.  The Hardened Gentoo Toolchain includes: PaX, PIE/SSP, grsecurity kernel patches, Mandatory Access Controls (grsecurity, SELinux, RSBAC, Tomoyo), Linux Integrity Measurement Architecture in conjunction with the Extended Verification Module subsystem.



    I am currently "tinkering" with a build using both the hardened mix-in, gentoo's hardened-sources with Funtoo, and a bunch of what I talked about above and it seems to be working fine so far.  Do I need it for everyday use, absolutely not.  :ph34r:



    So the advantages for you personally of using the hardened mix-in are really up to you, your system, and its use.  Technically there is an advantage, but the disadvantage is that it could cause issues leading to increased configuring and troubleshooting time.  More than likely you will be a safe and secure "average desktop user" with far less. ;)


    Like 666threesixes666 stated at the end of their first post "security is a strange beast, there are many angles you can take with security.".

    It can be as complex as the user/data/owner/etc need it to be, which is why I left out things like physical, BIOS, and network protections, etc, etc.

    Plus I was getting close to writing a book anyway.  :P
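The post lists what the hardened toolchain is supposed to give you (PIE, SSP, RELRO, PaX markings), but after re-emerging the toolchain the practical question is whether a given binary actually came out that way. The script below is an added example, not part of this thread and not Funtoo's or Gentoo's own tooling: it reads an ELF64 file's program headers and reports PIE (ET_DYN plus a PT_INTERP, since a bare ET_DYN could just be a shared library), a non-executable stack (PT_GNU_STACK without PF_X), the presence of PT_GNU_RELRO, the absence of writable-and-executable PT_LOAD segments, and the legacy PT_PAX_FLAGS header (PaX markings can also live in extended attributes, which this does not look at). It constructs two minimal ELF images inline so it runs without any binary on disk; those images are parseable but not loadable, and the compiler flags named in the comments are the ones that normally produce each layout. SSP is not detected here, because that needs a symbol lookup for __stack_chk_fail rather than a header read.

```python
"""Check an ELF64 image for the properties a hardened toolchain should
produce: PIE, non-executable stack, RELRO, no writable+executable segments,
and a (legacy) PT_PAX_FLAGS header.

Added example, not from the forum post or from Funtoo/Gentoo's own tooling.
Only program headers are inspected, so stack-protector (SSP) use is not
detected; that needs a symbol lookup for __stack_chk_fail.
"""
import struct
import sys
from typing import Dict, List, Tuple

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_INTERP = 1, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PT_PAX_FLAGS = 0x65041580          # PT_LOOS + 0x5041580, defined by PaX
PF_X, PF_W, PF_R = 1, 2, 4

EHDR = "16sHHIQQQIHHHHHH"          # Elf64_Ehdr, 64 bytes
PHDR = "IIQQQQQQ"                  # Elf64_Phdr, 56 bytes


def program_headers(data: bytes) -> Tuple[int, List[Tuple[int, int]]]:
    """Return (e_type, [(p_type, p_flags), ...]) from an ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled in this example")
    endian = "<" if data[5] == 1 else ">"
    f = struct.unpack_from(endian + EHDR, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = f[1], f[5], f[9], f[10]
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(endian + PHDR, data, e_phoff + i * e_phentsize)[:2]
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def check_hardening(data: bytes) -> Dict[str, bool]:
    """Derive the checksec-style verdicts from the program headers alone."""
    e_type, phdrs = program_headers(data)
    types = {t for t, _ in phdrs}
    stack_flags = [fl for t, fl in phdrs if t == PT_GNU_STACK]
    return {
        # A PIE executable is ET_DYN *with* a PT_INTERP; ET_DYN alone could be a .so.
        "pie": e_type == ET_DYN and PT_INTERP in types,
        # No PT_GNU_STACK at all means the loader falls back to an executable
        # stack on x86, so that case is reported as not NX as well.
        "nx_stack": bool(stack_flags) and not (stack_flags[0] & PF_X),
        "relro": PT_GNU_RELRO in types,
        "no_wx_segments": not any((fl & PF_W) and (fl & PF_X) for t, fl in phdrs if t == PT_LOAD),
        "pax_flags_header": PT_PAX_FLAGS in types,
    }


def build_elf(e_type: int, phdrs: List[Tuple[int, int]]) -> bytes:
    """Construct a minimal little-endian x86-64 ELF64 image with headers only.
    Constructed test data: parseable by the checker, not loadable."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # 64-bit, LE, v1, SysV ABI
    ehdr = struct.pack("<" + EHDR, ident, e_type, 62, 1, 0x1000, 64, 0, 0,
                       64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<" + PHDR, t, fl, 0, 0, 0, 0, 0, 0x10) for t, fl in phdrs)
    return ehdr + body


# Layout a `gcc -fPIE -pie -Wl,-z,relro -Wl,-z,noexecstack` build plus a PaX
# marking produces (constructed here, not compiled).
HARDENED_SAMPLE = build_elf(ET_DYN, [
    (PT_INTERP, PF_R), (PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R | PF_W),
    (PT_GNU_STACK, PF_R | PF_W), (PT_GNU_RELRO, PF_R), (PT_PAX_FLAGS, 0),
])
# A non-PIE binary with one RWX segment and an executable stack (constructed).
WEAK_SAMPLE = build_elf(ET_EXEC, [
    (PT_INTERP, PF_R), (PT_LOAD, PF_R | PF_W | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X),
])


def report(label: str, data: bytes) -> None:
    r = check_hardening(data)
    print(f"{label}: " + ", ".join(f"{k}={'yes' if v else 'NO'}" for k, v in r.items()))


if __name__ == "__main__":
    report("hardened sample", HARDENED_SAMPLE)
    report("weak sample", WEAK_SAMPLE)
    for path in sys.argv[1:]:          # real binaries, e.g. /bin/bash
        with open(path, "rb") as fh:
            report(path, fh.read())
```

Pass real paths on the command line to audit what a hardened (or non-hardened) toolchain produced; on the constructed samples, the hardened image passes every check and the weak one fails every one, which is the contrast you want to see between a binary built before and after re-emerging the toolchain.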

  14. Threesixes and spectromas, I'd be more than happy to assist with something like this as well. :)


    Security Blueprints sounds good but what about Security Configuration Guides?


    It could be good to lay it out in a Defense in Depth manner:

    Physical Security

    BIOS Configurations

    Kernel Configurations

    Network Configurations

    Application Configurations

    Etc, etc.


    If you really want to kick off some brainstorming and what not please feel free to PM and I can provide some info on my background in relation to this sort of thing.
