
adessemond


Reputation Activity

  1. Trolling
    adessemond reacted to Sandro in GCC update   
    There is more than one level of software masking.
    If you use the current version (that uses "amd64" and "~amd64") you must simply unmask with
    # echo "=sys-devel/gcc-4.9.2" >> /etc/portage/package.unmask
    If you use the "stable branch" you'll also have to unmask in the file for low-level keyword masking:
    # echo "=sys-devel/gcc-4.9.2 ~amd64" >> /etc/portage/package.accept_keywords
    Then start
    # emerge -DNu1 world gcc
    ________________________
    There are other ways, e.g.
    # emerge "=sys-devel/gcc-4.9.2" --autounmask-write
    Then use etc-update or dispatch-conf
    ________________________________________
     
    The last operation is to verify which version of GCC the system will use:
    gcc-config -l
    It must be updated to the new version automatically... otherwise,
     
    gcc-config -f X (where X is the number corresponding to the gcc version that you want to use).
     
    The final command is to run
    # . /etc/profile
    So you will use the new version of the compiler :P
     
    When you run
    # emerge -c (-c = --depclean)
    after an
    emerge -DNu world --with-bdeps=y
    the previous version will be removed from your system.
     
    Hello :)
  2. Trolling
    adessemond reacted to swamprabbit in Any advantage using 'hardened' for the desktop user?   
    jwjones, my apologies, I just realized  that I went rolling on with the ideas 666threesixes666 and spectromas brought up, without providing some info to your question.
    I am still new to Funtoo/Gentoo specific things, but I think I can add more to what threesixes said in the first post. I'll try to be broad and focused at the same time, because I also don't know how paranoid and security-focused you are.  Or maybe it will answer something for someone else. ;)
     

    In general there are advantages to a user running a "hardened" desktop, but there are also disadvantages such as consuming time to configure it so that everything "just works".  Security mechanisms can often get in the way of a user's needs or force them to modify how they use their system in order to accommodate the protections that are put in place.
     
    The key for an "average desktop user" who likes to keep a security-focused mindset is to find balance when implementing security in relation to the cost of the data or user's time and the risks that are out there.
    Much of this is preference, but like you mentioned in your post, servers are often held to higher preferences because of the cost of the data/resource and the server administrator's time.  But some people like to run their desktops with the same level of protection.  In the business world more often than not all of this is evaluated through a Business Impact Assessment and security mechanisms are developed and implemented based on this.
     
    For example, 666threesixes666 explained some of the security mechanisms and configurations that they find reasonable for their situations and usage.
    For your "average desktop user" or desktop system that is used for surfing the web, playing games, creating non-sensitive documents, things like 666threesixes666 explained are usually enough.  Things like those mentioned: a long complex password, a good host firewall, not running unneeded services that create risk (ssh, avahi, samba, ftp, telnet, etc), using separate partitions for data separation.  These are considered typical security configurations because most security people think of these first and they work well at protecting the "average desktop users" without really getting in the way.
     
    An "average desktop user" can take things a step further without running the hardened mix-in or compiling a hardened kernel by using security-related applications like sshguard, fail2ban, denyhosts, rkhunter, aide, tripwire, dnscrypt, apparmor, sudo, etc, etc.
    These types of things are what I consider "piling on security"; this falls under "hardening" in general.  But I like to call it "piling on security" because you are just adding security mechanisms "on top" of the base system and it helps people understand.
     
    A user can take it a step further by doing some extra configuration changes as well; these are usually focused strictly on the base system.  Such as: configuring password complexity, aging, and lockout options, modifying hosts.deny and hosts.allow for use with tcpwrappers, adding egress filtering to the firewall, modifying /etc/sysctl.conf, using Bastille and/or Lynis for extra hardening options, and using openscap and/or cvechecker to continuously monitor system vulnerabilities based on installed software.  There are so many others that are for specific applications a user may use, too many to add right now.
     
    The last option or step is to take it to the extreme or partially there.  This is using the hardened mix-in and/or a hardened kernel.
     
    The Funtoo Flavors and Mix-ins page states the Hardened Mix-in "enables hardened support."
    Now because I am still new to all the ways of Funtoo/Gentoo, I am going to assume this relates to what Gentoo has in their wiki. "By choosing the hardened profile, certain package management settings (masks, USE flags, etc) become default for your system. This applies to many packages, including the toolchain. The toolchain is used for building/compiling your programs, and includes: the GNU Compiler Collection (GCC), binutils (linker, etc.), and the GNU C library (glibc). By re-emerging the toolchain, these new default settings will apply to the toolchain, which will allow all future package compiling to be done in a hardened way."  I believe this is what the hardened mix-in offers because when I used it, it did not include grsecurity options in the kernel .config (see below).
     
    Using the hardened-sources versus gentoo-sources or anything else includes the Hardened Gentoo Toolchain in the kernel.  The Hardened Gentoo Toolchain includes: PaX, PIE/SSP, grsecurity kernel patches, Mandatory Access Controls (grsecurity, SELinux, RSBAC, Tomoyo), Linux Integrity Measurement Architecture in conjunction with Extended Verification Module subsystem.
     
     
    I am currently "tinkering" with a build using both the hardened mix-in, gentoo's hardened-sources with Funtoo, and a bunch of what I talked about above and it seems to be working fine so far.  Do I need it for everyday use? Absolutely not.  :ph34r:
     
     
    So the advantages for you personally using the hardened mix-in is really up to you, your system, and its use.  Technically there is an advantage, but the disadvantage is that it could cause issues leading to configuring and troubleshooting time increases.  More than likely you will be a safe and secure "average desktop user" with far less. ;)
     
    Like 666threesixes666 stated at the end of their first post "security is a strange beast, there are many angles you can take with security.".
    It can be as complex as the user/data/owner/etc need it to be, which is why I left out things like physical, BIOS, and network protections, etc, etc.
    Plus I was getting close to writing a book anyway.  :P
  3. Trolling
    adessemond reacted to Sandro in Need Help updating system   
    1) Update make.conf:
    # emerge app-portage/cpuinfo2cpuflags
    Run:
    # cpuinfo2cpuflags
    Then update your CPU_FLAGS_X86 (because I think that there is also mmxext (native in Athlon but renamed in Intel's CPUs, just as sse3 is named PNI ("Prescott New Instructions"))).
     
    Then your core2 precedes the "Penryn" family, which also supports sse4.1.
     
    If you want, also try
    grep sse4 /proc/cpuinfo
    to be sure that there aren't also sse4.1 streaming SIMD extensions.
     
    For other questions, mmm, I use the "Stable branch" of portage.
     
    Ciao :)
  4. Trolling
    adessemond reacted to spectromas in Firefox-bin will not exit properly   
    I've been looking at this again and I think I've found the source of the problem. I came across a bug report which suggested disabling gstreamer in about:config, so I did that and sure enough I had no more problems. The only issue is that I want gstreamer support.
     
    This is the report, the last post is exactly what happens to me as well:
    https://bugzilla.mozilla.org/show_bug.cgi?id=935458
     
    I've narrowed it down to gstreamer and the gst-plugins, in particular media-plugins/gst-plugins-ffmpeg. I was using this, along with a couple of others, as an alternative to flash for sites like soundcloud. In the course of trying to find the exact package causing the problem I have added and removed practically all the gst plugins, both 0.x and 1.x. I found that while sites like soundcloud do work with media-plugins/gst-plugins-ffmpeg installed, gmail's chat has a problem with it and causes the whole browser to not terminate after being closed.
     
    I found this http://gstreamer.freedesktop.org/src/gst-ffmpeg/gst-ffmpeg-1.x-README.txt
     
     
     
    So would it be that firefox is probably built against a version that uses libav? Would this be considered a bug as far as funtoo's adoption of ffmpeg?
     
    This is pretty annoying, it means I either have to compile firefox myself or use the bin version with flash, which I would prefer not to do.
     
     
     
     
    edit: finally solved it. The bin version of firefox uses the 0.10.x versions of the gst-plugins. With good, bad and ugly 0.10.x versions installed gst-plugins-ffmpeg doesn't cause gmail to hang and gst-plugins-mad allows sites like soundcloud and bandcamp to work. I'm sure I did try this along the way but something must have been missing.
  5. Trolling
    adessemond got a reaction from digifuzzy in Should I use CPU USE Flags in make.conf?   
    If you don't set the use flags related to the processor's instruction sets, the software you compile will simply not take any advantage of built-in CPU hardware support for some of its operations.  However, not all packages make use of enhanced processor instructions; multimedia stuff is the typical case. If you want to check which package uses which flag, equery h will tell:
    # equery h mmx
     * Searching for USE flag mmx ...
    [IP-] [ ] media-libs/smpeg-0.4.4-r10:0
    [IP-] [ ] media-sound/lame-3.99.5-r1:0
    [IP-] [ ] media-video/mjpegtools-2.1.0-r2:1
    To answer your question: you SHOULD enable support for the CPU's enhanced instructions, unless you have a good reason to leave it disabled (i.e. known bug, strange crash....)
     
    However, to bring a bit of nuance: a use flag is simply a handle given to you by an ebuild developer to enable/disable some features at compilation time. Not having a use flag in an ebuild is not a warranty that the software will not include some CPU special instructions in its binary code.
  6. Trolling
    adessemond got a reaction from spectromas in Should I use CPU USE Flags in make.conf?   
  7. Trolling
    adessemond reacted to aramisqc in Funtoo Installation in French   
    The Funtoo Linux installation guide is now available in French.
     
    http://www.funtoo.org/Install/fr/Guide_Installation_Funtoo_Linux
     
    French version of Funtoo Installation now available.
     
    Please don't hesitate to highlight any errors, mistakes and the like. Thanks.
  8. Trolling
    adessemond got a reaction from drobbins in there are no ebuilds to satisfy ">=virtual/pam-0-r1[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?]   
    Situation improved a lot, I now just encounter issues related to my more or less clunky setup, thank you very much guys!