As others have suggested, getting more familiar with the terminal and using a tiling window manager will help a lot. And yeah it’s a great idea to learn Vim or other advanced terminal editors. I use Helix+Zellij for development, Vim for system configuration, and i3 or Sway for GUI stuff. Also check out w3m for simple web searches.

If you want to get rid of the mouse entirely, you can also try using a programmable keyboard with mouse support. I don’t use a physical mouse anymore because I do most things in the terminal, and when I do need a mouse I just use my keyboard to move the cursor. For super mouse-heavy tasks like image editing it’s good to keep one around or use a Wacom tablet

👋 right on! I actually also have used containers as a key to my security layout before, but yeah you miss out on all the benefits of portage.

I was doing something crazy and actually running Gentoo inside each one! It was very difficult to stay up-to-date. But I basically had my host as barebones as possible and used LibVirt containers for everything, attempting to make a few templates that I could keep updated and base other VMs on. I was able to keep this up for about two years then I had to relax (was my main PC). But it was really secure, and it does work.

The benefit of encapsulation is that you have a lot of freedom inside each container, like install a different distro if you need to. Also as long as they are isolated you don’t need to worry as much about their individual security. But it’s still good to. I ran SELinux on the host and non-SELinux (but hardened) in the guests.

SELinux has a lot of advantages over users/groups, but I think the latter can be just as secure if you know what you’re doing. For example with SELinux you can prevent certain applications from accessing the network, or restrict access to certain ports, etc. It’s also useful for desktop environments where a lot of GUI apps run under one user- e.g. neither my main user nor any other program can access my keepassxc directory, only the keepassxc process (and root) can (even though the application is running under my main user). You can also restrict root quite a bit, especially if you compile in the option to prevent disabling SELinux at boot (I need to recompile my kernel to disable it).

But again while it is fun to learn, it is quite a pain and I’ve relaxed the setup on my new computer to use a different user for everything (including gui apps), which I think is secure enough for me. But this style relies on my ability to adhere to it, whereas with SELinux you can set it up to where you’re forced to

Like others have mentioned, SELinux could be a great addition. It can be a massive pain, but it’s really effective at locking things down (if configured properly).

However, the difficulty will depend on the distro. I use it with Gentoo, which has plenty of support/docs for it and provides policies for many packages. Although (when running strict policy types) I usually end up needing to adjust them or write my own.

Obviously Red Hat would be another good choice, but I haven’t tried it. Fedora also has good support, but I’ve only ever used the OOTB targeted policies.

That said, I’ve started relying on users/groups more often lately, since it really gets in the way of everything.

Nice, sounds pretty cool. FZF is great, I need to try out some new things with it. Never got into snippets but I’m sure that speeds things up considerably, will think about it.

Yeah separate config files is probably the best approach if you have a lot of things configured. I haven’t done that yet, but might try soon. My config has generally been pretty simple, mostly bindings and plugin settings. But I started developing in the TTY and had to shoehorn-in a conditional theme and such to get it to work properly, leaving it pretty unorganized.

| I can never leave vim. It has taken over the pathways in my brain.

Haha, yeah

My neovim config is a total mess :D. But yeah i3-msg+jq is great, I’ve written a number of solutions to this problem before using the API and external scripts, but it’s nice having things inline in the config file

For a while I would have agreed, and I used sway for years. But recently I switched back to i3 (i3-rounded) due to display issues with my AMD GPU. I started doing most of my development in the TTY, and found that switching from TTY to Wayland takes half a second and can sometimes break my GPU (until I switch between TTY and display a few times). With X11 it’s instant and without issue ¯\_(ツ)_/¯. Hoping that gets fixed down the road, or that it’s specific to my GPU.

This is always the first thing I get set up:

# focus next available workspace on this output

bindsym $mod+q exec --no-startup-id ws=$(i3-msg -t get_workspaces | jq ‘.[] | select(.focused) | .num’) && ofs=$(i3-msg -t get_outputs | jq ‘map(select(.active)) | length’) && i3-msg workspace $(($ws-$ofs))

bindsym $mod+w exec --no-startup-id ws=$(i3-msg -t get_workspaces | jq ‘.[] | select(.focused) | .num’) && ofs=$(i3-msg -t get_outputs | jq ‘map(select(.active)) | length’) && i3-msg workspace $(($ws+$ofs))

# move window to next available workspace on this output

bindsym $mod+Shift+q exec --no-startup-id ws=$(i3-msg -t get_workspaces | jq ‘.[] | select(.focused) | .num’) && ofs=$(i3-msg -t get_outputs | jq ‘map(select(.active)) | length’) && dest=$(($ws-$ofs)) && i3-msg move workspace $dest && i3-msg workspace $dest

bindsym $mod+Shift+w exec --no-startup-id ws=$(i3-msg -t get_workspaces | jq ‘.[] | select(.focused) | .num’) && ofs=$(i3-msg -t get_outputs | jq ‘map(select(.active)) | length’) && dest=$(($ws+$ofs)) && i3-msg move workspace $dest && i3-msg workspace $dest

Works with sway if you replace i3-msg with swaymsg (and remove --no-startup-id, since it’s not needed for Wayland).

Edit: ampersand issues, trying quote instead of code block

I usually use Awk to do the heavy lifting within my Bash scripts (e.g. arg parsing, filtering, stream transformation), or I’ll embed a Node.JS script for anything more advanced. In some cases, I’ll use eval to process generated bash syntax, or I’ll pipe into sh (which can be a good way to set up multiprocessing). I’ve also wanted to try zx, but I generally just stick to inlining since it saves a dependency.

I started by writing small scripts to automate things, but really got into it after learning how fun it can be to make the computer do stuff. I also see it as a kind of creative outlet, but in general I just want to learn how to fix anything in software if I’m not satisfied with how it works.

Awesome! Here are a few things that come to mind:

Make sure you have some aliases/functions for common operations:

• audit2allow -a to view audit violations (or -d for dmesg audits)
  • also -r to add a requires statement for module construction
• restorecon -Rv to recursively apply file contexts from policy (or -FRv to also apply user context)
• rm -f /var/log/audit/audit.log.*; >/var/log/audit/audit.log to clear audit logs
  • note: sometimes lots of logfiles (audit.log.1, etc.) collect, slowing down audit2allow
• chown -R user:user PATH; chcon -R -u user_u PATH to recursively change labels to user
  • could be generalized for arbitrary Linux/SELinux users
• semanage fcontext -a -t TYPE PATH -s $SEUSER to add a custom file context to the policy
  • e.g. semanage fcontext -a -t "user_secrets_t" "/home/[^/]+/.secrets(/.*)?" -s user_u
  • I’ve had better luck with this approach than the standard method of creating a .fc file, but in any case a custom policy is needed to create custom types
• semanage fcontext -d PATH to remove a custom file context
• semanage fcontext -lC to list custom file contexts
• semodule -DB to rebuild policy with all dontaudit rules disabled
  • often, something will not work, but audit2allow doesn’t show anything
• semodule -B to rebuild policy (with dontaudit rules)
• semodule -i MODULE.pp to install a module
• semodule -r MODULE to remove a module

Also a few scripts for policy creation and management are essential. There are two basic approaches to policy creation: modules and policy modules.

Modules: can be used to modify AVC rules and are pretty simple

# a violation has occurred that you want to allow or dontaudit
echo "module my_allow 1.0;" > my_allow.te
audit2allow -ar >> my_allow.te

# verify that my_allow.te has what you expect
cat my_allow.te

# build and install the module (replace mcs with whatever policy you are using)
make -f /usr/share/selinux/mcs/include/Makefile my_allow.pp
semodule -i my_allow.pp

# clear audit logs
rm -f /var/log/audit/audit.log.*; >/var/log/audit/audit.log

Policy modules: can do anything, but are complicated, and the tools for creating them are mostly based on Red Hat.

Creating a new type:

# generate foo.fc, foo.if, and foo.te
sepolicy generate --newtype -t foo_var_lib_t -n foo

# note: see sepolicy-generate(8); sepolicy generate only supports the following
#       type suffixes, but its output files can be adapted to your use case
# _tmp_t
# _unit_file_t
# _var_cache_t
# _var_lib_t
# _var_log_t
# _var_run_t
# _var_spool_t
# _port_t

# modify the .fc file with the desired file contexts, for example (with s0 for mcs)
# /path/to/context/target	--	gen_context(system_u:object_r:type_t,s0)
#
# note: the "--" matches regular files, -d for directories, -c for character
#       devices, -l for symbolic links, -b for block devices, or can be omitted
#       to match anything. also, as mentioned before, I often have better luck
#       with `semanage fcontext`, especially for user directories
vi foo.fc

# build and install the policy module
make -f /usr/share/selinux/mcs/include/Makefile foo.pp
semodule -i foo.pp

# use restorecon to adjust the file contexts of any paths you have 

# by default, all operations involving this type will be denied
# (and are sometimes not audited)
semodule -DB # --disable_dontaudit
# ... use the type, collect violations ...
audit2allow -ar >> foo.te
# if dontaudit is disabled, you'll likely have a lot things to remove from here
vi foo.te

# ... repeat until rules regarding type are fully defined

Creating a new application type:

# sepolicy-generate is made for Red Hat,
# but you can use --application to get started

# creates a bunch of files that define bar_t and bar_exec_t
sepolicy generate --application -n bar [-u USER] CMD

# remove the line making the app permissive (up to you, but
# I prefer using audit violations to define the permissions)
perl -i -00 -pe 's/^permissive bar_t;\n\n//g' bar.te

# ensure that the file bar_exec_t file context points to the right bin:
vi bar.fc

# build and install the policy module
make -f /usr/share/selinux/mcs/include/Makefile bar.pp
semodule -i bar.pp

# ... use the application, update AVC rules, repeat ...

If your target application is interpreted, you’ll need to write a custom C program that launches the interpreter in a specific context, then write your policy around that application. For example, you should execv something like this: /usr/bin/runcon -u user_u -t my_script_t /bin/bash PROG.

Totally, props on taking it on as your first distro! Haha, yeah a week of pain sounds about right. My last Gentoo setup took an entire month (off and on), but I was doing something crazy (Qubes-like, every application in its own Gentoo VM, strict SELinux on host and guests)… ended up ditching that because I got comfortable enough with SELinux to write stronger policies for everything important, which is good enough for me.

I had the benefit of using other distros before trying Gentoo, so my first attempt at it wasn’t so bad (but still took two full days). It’s definitely taught me way more than any other distro, including Arch (although Arch was a very good stepping stone). I don’t think I could go back to anything else at this point

Yep! Gotta love the flexibility of it

Ah gotcha, just asking because I’ve never used it before. Good to know that Gentoo supports hardening it

Oh good to know! Thanks for the tips. What do you like about musl over glibc?

I would look into Gentoo’s Hardened + SELinux profile if you want good security in a standard system, but as others have mentioned QubesOS is probably the most secure option OOTB (but it is very limiting). SELinux is pretty difficult to use but it’s really effective, and there is good information about it on the Gentoo wiki. Not sure what exactly goes into their hardened profile but I know it implements at least some of the suggestions listed on that site (like hardened compilation flags). Also it’s probably more vulnerable to 0-day attacks than Qubes, since it uses up-to-date software. But it’s really flexible, and learning SELinux is useful

I can’t speak for YubiKeys themselves, but I’ve been using an OnlyKey for years (which can emulate one). Works great for KeePassXC, but only because it can type the DB password (challenge-response unlock still requires the password). I haven’t used the YubiKey emulator very much, except with a few services that are much easier to use if you have one.

I think it’s great to have the option of securing things with a hardware key, and I think it’s a good investment in general. But as others have said, it’s probably not be the best choice for KeePassXC (but there are benefits). I would recommend an OnlyKey, but it seems the prices have gone way up and they’re sold out.

No problem! And yeah, it’s good to see people talking about it over here. I think it’s the best tool for online privacy OOTB (depending on your threat model), and it gets better the more people use it.

The difference is that your ISP doesn’t know where your packets are headed, and the destination doesn’t know where your packets came from. The ISP sees you connect to the entrance node and the destination sees you connect from the exit node, and it’s very difficult for anyone to trace the connection back to you (unless they own both the entrance and exit and use traffic coorelation or some other exploit/fingerprint). Regardless, both parties are generally able to tell that you are using TOR if they reference lists of known entrance/exit nodes. Also the anti-fingerprinting measures taken by TB are a bit more strict than other privacy-focused browsers

It’s great for anything low bandwidth that isn’t tied to your identity, and helps for peace of mind, despite its issues. You do run into captcha or DDOS protection issues occasionally, but the new tor circuit for this site button sometimes works. Also it uses letterboxing to prevent resolution-based fingerprinting, which isn’t very pretty, but leaving it at its default size (or locking the size using the WM) works well and is good for privacy.

Yep that was after make clean :). Running a 12-core Ryzen 9 that’s a few years old and 64GB RAM; using 24 threads does speed it up quite a lot.

Edit: to be sure, I completely removed the source directory and re-emerged gentoo-sources and got similar results