preemption is the act of temporarily interrupting an executing task,

Concurrency with multi-cpu (Memory architectures supporting concurrency):

• UMA (Uniform Memory Access) - all the processors share the physical memory uniformly. The peripheral devices follow a set of rules. uses a single shared system bus typically used for up to 8 processors.
  • symmetric multiprocessor - processors have equal access to all the peripheral devices
  • asymmetric multiprocessor - one or a few processors can access the peripheral devices
• Non-uniform Memory Access (NUMA) - dedicates different memory banks to different processors - may access local memory quickly and remote memory more slowly. Benefits on servers where the data are often associated strongly with certain tasks or users.
• Cache Only Memory Architecture (COMA)

Race conditions can occur when:

• there are at least two execution contexts that run in "parallel"
• the execution contexts perform read-write accesses to shared memory

race conditions can be avoided by:

• make the critical section atomic
• disable preemption during the critical section (e.g. disable interrupts, bottom-half handlers, or thread preemption)
• serialize the access to the critical section (e.g. use spin locks or mutexes to allow only one context or thread in the critical section)

mutexes and spin locks usage intersect

• mutexes don't "waste" CPU cycles; system throughput is better than spin locks if context switch overhead is lower than medium spinning time
• mutexes can't be used in interrupt context
• mutexes have a higher latency than spin locks

Read Copy Update (RCU) - synchronization mechanism

• device files is that they are most definitely not device drivers
• they are portals to the device drivers
  • app -> dev_file -> drive -> phisic
  • app <- dev_file <- drive <- phisic

ls -al

• c…. - characted device
• b… - block device, typically a multiple of 256 bytes
• major device number and minor device number

info:

• udevadm info -a -p $(udevadm info -q path -n /dev/input/event1)

find disk by uuid

• $blkid - partitions, UUID, BLOCK_SIZE, TYPE
• ls -al dev/disk/by-uuid

recover partitions and change partition table type:

• testdisk

mount options

• findmnt

change uuid

• uuidgen
• tune2fs /dev/sdy1 -U cd6ecfb1-05e0-4dd7-89e7-8e78dad1fa0e

sector - phisical disk area Disk sector - traditionally 512 bytes - 4096-byte (4 KiB) sectors, which are known as the Advanced Format

remount directory:

• mount -o remount /var

• blocksize=$(blockdev –getbsz /dev/sdX)
• badblocks -t random -w -s -b $blocksize -c 5000 -o out.txt /dev/sdX

check bad blocks fast:

• cryptsetup open /dev/device name –type plain –cipher aes-xts-plain64
• shred -v -n 0 -z /dev/mapper/name
• cmp -b /dev/zero /dev/mapper/name
• or diff-hightlight -y <(xxd /dev/zero) <(xxd /dev/mapper/name)
• or diff -y <(hexdump -C /dev/zero) <(hexdump -C /dev/mapper/name)

MBR Partition Table(msdos)

• first 512 bytes of a storage device
• saves partition information on the first sector of disk(MBR sector)
• stored in the first sector (cylinder 0, head 0, sector 1 – or, alternately, LBA 0) of the hard drive
• Each partition entry is 16 bytes, and the total is 64 bytes.
• maximum of 4 entries
• size of a single partition in MBR disk can only amount to 2TB
• Each of the four Partition Table entries contains the following elements, in the following structure:
  • Boot indicator bit flag: 0 = no, 0x80 = bootable (or "active")
  • starting position, size and ending position
• At most one partition should be active
• https://wiki.osdev.org/MBR_(x86)

GPT (GUID Partition Table)

• up to 128 partitions on hard disk.
• uses UUIDs
• CRC32 checksums to detect errors and corruption of the header and partition table.
• Stores a backup header and partition table at the end of the disk that aids in recovery in case the primary ones are damaged.
• kernel require: CONFIG_EFI_PARTITION=y.

• BIOS MBR
• BIOS GPT - may have conflicts i motherboard.
  • BIOS boot partition - (1 to 2 MB) partition - in which boot loaders like GRUB2 can put additional data that doesn't fit in the allocated storage.
• UEFI GPT
  • EFI System Partition (ESP) - FAT variant for /boot
    • mkfs.fat -F 32 /dev/sda1
• UEFI MBR - ? not used.

GPT It carries CRC32 checksums to detect errors in the header and partition tables and has a backup GPT at the end of the disk. This backup table can be used to recover damage of the primary GPT near the beginning of the disk.

Simple:

1. BIOS or ?
2. MBR or EFI ?
3. grub inside of MBR or ?
4. mount boot and read /boot/grub.conf
5. Linux kernel
6. mount real /
7. drivers
8. init /etc/inittab
9. udev daemon

initramfs

1. boot loader
2. Linux kernel
3. initramfs - contains / file system
4. mount real / read-only
5. mount /
6. init /etc/inittab
7. udev daemon

Why # dd if=/dev/hda of=/dev/hdc bs=2048k - is bad?

• no defragmentation
• copying of unused space
• very slow if read error

way https://forums.gentoo.org/viewtopic.php?t=28123&highlight=backup

• Bare metal recovery - dd, CloneZilla, PartImage, or FSArchiver
• recover: mount read only or make copy first!

• https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
• posix: https://www.baeldung.com/linux/posix

• When partitioning an SSD, align primary and logical partitions on one-megabyte (1048576 bytes) boundaries. If partitions, file system blocks, or RAID stripes are incorrectly aligned and overlap the boundaries of the underlying storage's pages, which are usually either 4 KB or 8 KB in size, the device controller has to modify twice as many pages than if correct alignment is used.
• I recommand to use TMPFS for
  • /tmp
  • /var/tmp
  • /var/log
• NOOP scheduler is the simplest I/O scheduler - kernel option: elevator=noop
• align partition with HDD blocks and use the same size of sectors if possible
• use noatime, compress, ssd_spread and nodiratime mount options
• btrfs: ssd,discard=async option to mount for btrfs
• ext4: discard
• cryptsetup luksOpen –allow-discards /dev/thing luks
• dracut: rd.luks.allow-discards=<luks uuid>
• echo "vm.swappiness = 1" >> /etc/sysctl.conf # reduce the tendency of the kernel to perform anticipatory writes to swap
  • default value of vm.swappiness is 60
  • represents the percentage of the free memory before activating swap
  • The lower the value, the less swapping is used and the more memory pages are kept in physical memory.

• cryptsetup luksFormat /dev/sdb1
• cryptsetup luksOpen /dev/sdd1 map_point
• mkfs.exfat /dev/mapper/map_point -n volume_name
• mount /dev/mapper/map_point /mnt/luks_mount

to close:

• vgchange -a n vg0
• cryptsetup close map_point

for SSD TRIM:

• cryptsetup luksOpen –allow-discards /dev/thing luks
• GRUB_CMDLINE_LINUX_DEFAULT="root_trim=yes"
• for dracut: GRUB_CMDLINE_LINUX_DEFAULT="rd.luks.allow-discards"

to achive plausible deniability - no proof that a block device is encrypted

• LUKS version in use 1 or 2
• the cipher name and mode
• hash algorithm used for the password salt, the master key bits, digest, salt and hash iterations, and the device UUID

–header option would be also used each time we try to unlock the device, or when we need to perform other operations which modifies it, such as adding, removing or changing a password, or when using luksDump to read its content.

• cryptsetup luksFormat /dev/sdb –header luksheader.img
• cryptsetup luksOpen /dev/sdb sdb-crypt –header=luksheader.img

Create partition

• export GPG_TTY=$(tty) # optional
• gpg –quiet –decrypt /mnt/key/rootkey.gpg | cryptsetup –batch-mode –key-file - luksFormat /dev/sdX3 –header luksheader.img –type luks2 # gpg variant
• cryptsetup luksDump /dev/sdZn –header luksheader.img # Check that the formatting worked
• gpg –quiet –decrypt /mnt/key/rootkey.gpg | cryptsetup –key-file - luksOpen /dev/sdZn –header luksheader.img –type luks2 gentoo
• ls /dev/mapper

Create meta devices that provide an abstraction layer between a file system and the physical storage that is used underneath.

• lvscan - show
• vgchange -a n vg0 - decativate volume group
• vgremove vol_grp - Delete Volume Group
• lvremove /dev/vol_grp/log_grp1 - Delete Logical Volume

1. Creating a Password-Protected Keyfile for LUKS
   • export GPG_TTY=$(tty)
   • dd if=/dev/urandom bs=8388607 count=1 | gpg –symmetric –cipher-algo AES256 –output /tmp/efiboot/luks-key.gpg
2. Formatting the New Partition with LUKS
   • gpg –decrypt /tmp/efiboot/luks-key.gpg | cryptsetup –cipher serpent-xts-plain64 –key-size 512 –hash whirlpool –key-file - luksFormat /dev/sdZn
     • echo RELOADAGENT | gpg-connect-agent # force check password, clear password from cache
     • cryptsetup luksDump /dev/sdZn # Check that the formatting worked, with:
     • cryptsetup luksHeaderBackup /dev/sdZn –header-backup-file /tmp/efiboot/luks-header.img # backup header
3. open the LUKS volume we just created and partitioning
   • gpg –decrypt /tmp/efiboot/luks-key.gpg | cryptsetup –key-file - luksOpen /dev/sdZn gentoo
     • ls /dev/mapper

https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide/Preparing_the_LUKS-LVM_Filesystem_and_Boot_USB_Key

• GRUB BIOS 2 MB no fs GRUB loader itself
• /boot boot 512 MB fat32 GRUB and kernel
• LUKS encrypted 100% encrypted encrypted block device
  • LVM lvm 100%
    • / root 40 GB ext4 root filesystem
    • /var var 40 GB ext4 var files
    • /home home 100% ext4 user files

parted -a optimal /dev/sdX

• unit mib
• mklabel gpt
• Create the BIOS partition:
  • mkpart primary 1 3
  • name 1 grub
  • set 1 bios_grub on
• Create boot partition. This partition will contain GRUB files, plain (unencrypted) kernel and kernel initrd:
  • mkpart primary fat32 3 515
  • name 2 boot
  • set 2 BOOT on
  • mkpart primary 515 -1
  • name 3 lvm
  • set 3 lvm on
  • mkfs.vfat -F32 /dev/sdX2
  • modprobe dm-crypt
  • cryptsetup luksFormat /dev/sdX3 # aes-xts-plain64 512 bits
  • cryptsetup luksDump /dev/sdX3
• Create LVM inside encrypted block
  • cryptsetup luksOpen /dev/sdX3 lvm
  • vgcreate vg0 /dev/mapper/lvm # Create volume group vg0:
  • lvcreate -L 60G -n root vg0 # Create logical volume for /root filesystem
  • lvcreate -L 40G -n var vg0 # Create logical volume for /var filesystem
  • lvcreate -l 100%FREE -n home vg0 # Create logical volume for /home filesystem:

File Systems

• mkfs.ext4 /dev/mapper/vg0-root
• mkfs.ext4 /dev/mapper/vg0-var
• mkfs.ext4 /dev/mapper/vg0-home

https://wiki.gentoo.org/wiki/Full_Disk_Encryption_From_Scratch_Simplified

install

• emerge –ask sys-kernel/dracut
• modules:
  • emerge sys-fs/btrfs-progs
  • emerge sys-fs/cryptsetup
  • emerge app-crypt/gnupg
  • USE="-gtk -pango -libkms" emerge –ask sys-boot/plymouth

basic

• /usr/lib/dracut/modules.d
• The most basic dracut module is 99base. In 99base the initial shell script init is defined, which gets run by the kernel after initramfs loading
• If a module passed check, install and installkernel will be called to install all of the necessary files for the module.

trouble shooting:

• (Repari filesystem):/# cat /run/initramfs/rdsosreport.txt

• https://wiki.gentoo.org/wiki/Dm-crypt
• https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html
• LUKS forensic review https://blog.elcomsoft.ru/2022/08/shifrovanie-diskov-v-linux-luks2-argon2-i-apparatnoe-uskorenie/

• formats for boot: FAT*, ISO9660
  • bloated bootloaders as a result (eg: GRUB2).
  • bootloader is capable of reading its own files, configuration, and be able to load kernel/module files from disk
• boot readable with BLAKE2B checksums - provides as much security as encrypting the kernel does.
• The EFI executable gets then enrolled or otherwise verified by the Secure Boot loader through, eg., the shim project. - This prevents modifications being done to the config file (and in turn the checksums contained there) from going unnoticed.

write boot code to:

• MBR at disk
• boot partition - this code can be started if the boot code in MBR is able to do chain loading

https://www.gnu.org/software/grub/manual/grub/

• https://github.com/LaszloGombos/awesome-initramfs
• secure boot https://www.funtoo.org/Secure_Boot

kernel installation

1. eselect kernel list
2. eselect kernel set 1
3. make clean
4. make oldconfig - reads the existing .config file that was used for an old kernel and prompts the user for options in the current kernel source that are not found in the file.
5. make olddefconfig (alternative) - keep old settings, new settings set to default
6. make menuconfig / make nconfig
7. make prepare && make modules_prepare # Некоторые модули не могут быть установлены или подготовлены до того, как будет собрано ядро.
8. make -j3 && make modules_install && make install # generate /boot/vmlinuz-6.1.57-gentoo /boot/System.map-6.1.57-gentoo
9. cp .config /.config_tmp
10. genkernel –kernel-config=/.config_tmp initramfs # if /usr or others located at separate partition or encrypted
11. grub-mkconfig -o /boot/grub/grub.cfg
12. grub-install /dev/sda

chroot and update mount -o loop tu.img /mnt/img /a

remove kernel rm /usr/src/linux-x.x rm /lib/modules/x.x rm /boot/vmlinuz-x.x rm /boot/System.map-x.x rm /boot/config-x.x rm /boot/initramfs-genkernel-

xen Device Drivers->Graphical support -> disable Nouveau Device Drivers->X86 Platform Specific Device Drivers -> disable WMI cp vmlinux cp usr/src/linux.config cp /usr/src/linux/Makeefile

1. emerge –ask sys-apps/pciutils sys-kernel/gentoo-sources
2. eselect kernel list
3. eselect kernel set 1
4. lspci -k > lspci_installcd
5. lsmod > lsmod_installcd
6. dmesg > dmesg_installcd
7. make menuconfig / make nconfig
   1. processor type and features
      • disable
        • support for extended non-PC x86 platforms
        • AMD optons
        • CPU microcode loading support
      • enable
        • Processor family - Core 2/newer Xeon or Generic x86_64
   2. File systems
   3. Device Drivers —> Multiple devices driver support (RAID and LVM) —> <*> Device mapper support
      • enable
        • Crypt target support
        • Snapshot target
        • Multipath target
          • I/O Path Selector based on the number of in-flight I/Os
          • I/O Path Selector based on the service time
   4. Cryptographic API
      • enable
        • XTS support
        • LZO compression algorithm
        • Zstd compression algorithm
        • User-space interface for hash algorithms
        • User-space interface for symmetric key cipher algorithms
   5. Generel
      • enable
        • Make compiler warnings as errors
   6. Device Drivers —> Graphic support
      • enable
        • Frame buffer Devices —> <*> Support for frame buffer devices
          • disable - all inside
        • Intel 8xx/9xx/G3x/G4x/HD Graphics
        • [*] Enable capturing GPU state following a hang
        • [*] Compress GPU error state
        • [*] Always enable userptr support
        • Frame buffers Defices ->
          • VESA VGA
          • Simple framebuffer support
   7. Network
      • enable
        • Device Drivers -> X86 Platform Specific Device Drivers - ThinkPad ACPI Laptop Ectras
        • Device Drivers -> Thermal drivers -> Intel Thermal drivers
        • Device Drivers -> Network -> leave only enable Ethernet and WLAN
          • 802.1Q VLAN
          • LAN
            • Qualcomm Atheros AR8172 Fast Ethernet
            • jme:JMicron JMC2XX ethernet driver
        • Broadcom 802.11b/g/n BCM43142 - CONFIG_CFG80211_WEXT=y, package broadcom-sta
          • Network support -> Wireless -> cfg80211 wireless extension compatibility
      • ifconfig # should show connections
8. make all modules as * - if it is not device specific: check with lsmod command

https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Kernel

• General setup:
  • Randomize slab freelist
  • Page allocator randomization
• General architecture-dependent options
  • Randomize kernel stack offset on syscall entry
  • GCC plugins -> Randomize layout of sensitive kernel structures
• Enable loadable module - sign all
• Security options
  • Restrict uprivileged access tp the kernel syslog
  • Harden memory copies between kernel and userspace
    • Allow usercopy whitelist … - must be disabled slab_common.usercopy_fallback=N
  • Harden common str/mem functions agains buffer overflows
  • Kernel hardening options
• Kernel hacking -> disable
  • Kernel debugging
  • Generic Kernel Debugging Instruments -> Debugfs default access - set - No access
  • all debugging

• https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
• https://pmateti.github.io/Courses/4420/Lectures/Hardening/SecureKernel/
• Kernel Hacking
  • [*] Kernel debugging
  • Debug Oops, Lockups and Hangs
    • [*] Panic on Oops CONFIG_PANIC_ON_OOPS=y
      • (-1) panic timeout CONFIG_PANIC_TIMEOUT=-1
  • Memory debugging
    • Warn or W+X mappings at boot CONFIG_DEBUG_WX
    • Detect stack corrution on CONFIG_SCHED_STACK_END_CHECK=y
    • KFENCE: low- CONFIG_KFENCE=y
  • Debug kernel data structures - all
    • Debug linked list CONFIG_DEBUG_LIST=y
    • CONFIG_DEBUG_SG=y
    • CONFIG_BUG_ON_DATA_CORRUPTION=y
    • CONFIG_DEBUG_NOTIFIERS=y
• Device drivers
  • IOMMU Hardware Support
    • IOMMU default domain type - strict
• General setup
  • [ ] Core Scheduling for SMT - better to DISABLE!
• Filesystems
  • Pseudo filesystems
    • [ ] /proc/kcore support - DISABLE!!
• Processor type and features
  • [ ] kexec system call - DISABLE!!
• Executable file formats
  • [ ] Kernel suppoert for MISC binaries - DISABLE!!
• General architecture-dependent options
  • Gcc plugins
    • Generate some entropy during boot and runtime
• Memory managgement options (for x86_64)
  • (65536) Low address space to protect - CONFIG_DEFAULT_MMAP_MIN_ADDR=65536

• / - search
• Up/Down array - next/preview search

make NCONFIG_MODE=single_menu nconfig - shows all sub-menus in one large tree.

• / - search
• / TAB TAB - help
• regex supported

CONFIG_EXTRA_FIRMWARE_DIR="lib/firmware" CONFIG_EXTRA_FIRMWARE="file name in /lib/firmware separated by space"

1. Device Drivers
2. Generic Driver Options
3. Firmware Loader

emerge sys-fs/sysfsutils
systool -am thinkpad_acpi # get options
systool -v -m thinkpad_acpi # get current values

https://wiki.archlinux.org/title/Kernel_module

https://kernel.org/

https://www.in-ulm.de/~mascheck/X11/xmodmap.html

• xmodmap -pke - get current keys config
• xmodmap ~/.Xmodmap - load from file
• keysym - a,z,Mode_switch, Shift
• keycode - 0xfd,0x5f
• modifier key types: Shift, Lock, Control, Mod1, Mod2, Mod3, Mod4, Mod5

Each keysym column in the table corresponds to a particular combination of modifier keys ( Only the first four elements are platform-independent):

1. Key
2. Shift+Key
3. Mode_switch+Key
4. Mode_switch+Shift+Key
5. ISO_Level3_Shift+Key or <"Num_Lock"-key> or Ctrl
6. ISO_Level3_Shift+Shift+Key
7. <"Num_Lock"-"Mode_switch"-key>

ISO_Level3_Shift may be set with:

• setxkbmap -option 'lv3:ralt_alt'

/usr/share/X11/xkb/symbols/ru = locale

• setxkbmap -query - get current model and options
• setxkbmap -option - reset
• man 7 xkeyboard-config - get options
• xev -event keyboard - to get keycodes and to check how your keymap works

sections:

• xkb_keycodes
• xkb_types

xkbcomp -xkb $DISPLAY xkbmap

test -f ~/.Xkeymap && xkbcomp ~/.Xkeymap $DISPLAY

levels:

• Level 1 is unshifted
• level 2 is the result of a ⇧ Shift modifier, a shift latch, a ⇫ Shift Lock, a Num Lock, or a ⇬ Caps Lock;
• and level 3 is the result of a "level three modifier" of some kind.

setxkbmap -model pc101 -layout 'us,ru' -variant ',' -option 'grp:shift_caps_switch'

• history http://xahlee.info/kbd/keyboard_hardware_and_key_choices.html

• \*nix [LF] whereas on a windows operating system you have [CRLF]

• get keys: xmodmap -pke
• map to right alt: xmodmap -e "keycode 108 = Tab ISO_Left_Tab Tab ISO_Left_Tab"
• reselt setxkbmap -option

https://wiki.archlinux.org/title/GTK

xfconf-query -c xsettings -p /Gtk/KeyThemeName -s Emacs

• https://man.openbsd.org/xkeyboard-config.7#Position_of_Compose_key

• https://github.com/tbocek/dvorak
• https://github.com/zw963/linux_key_rebinding
• https://github.com/kui/rbindkeys
• xfumble, keyfake and rbindkeys
• https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/diyism-myboard/myboard.py

pip3 install pynput –user

1. pynput.keyboard.__init__
2. pynput.keyboard._xorg (listener)
   • extension of:
     • pynput._util.xorg (ListenerMixin)
     • keyboard._base (Listener)
       • pynput._util.__init__ (AbstractListener (threading.Thread))
3. Xlib

._util.__init__.AbstractListener

• .__enter__:
  • start()
  • wait()
• run():
  • _run()
  • _thread = threading.current_thread()

xorg.Listener.__init_

• join()

Usages:

1. • __init__
   • __enter__
     1. start()
        • run()
          • _run()
     2. wait
   • .join() -
2. non-blocking
   • __init__
   • start()
     • run()
       • _run()

1. mkdir -p usr/local/share/kbd/keymaps
2. dumpkeys -f > /usr/local/share/kbd/keymaps/personal.map

showkey –scancodes dumpkeys -l https://wiki.archlinux.org/title/Linux_console/Keyboard_configuration

default kernel keymap: /usr/src/linux/drivers/char/defkeymap.map

man keymaps

1. sudo cp /usr/share/X11/xkb/symbols/pc /usr/share/X11/xkb/symbols/pc.bak
2. rm -rf /var/lib/xkb/*

https://ictsolved.github.io/remap-key-in-linux/

• xfce4-settings-accessibility # GUI
• xfconf-query -c accessibility -p /MouseKeys -s true # switch on
• xfconf-query -c accessibility -p /MouseKeys -s false # switch off

conf:

• delay: 50
• repeat interval: 18
• acceleration time: 230
• max speed: 1910
• acc profile: 0

monitor

• x11-apps/xrandr
• xrandr –output DVI-I-1 –brightness 0.4

backlight for notebook

• sys/class/backlight????/brightness

• xrandr - get outputs
• xrandr –output LVDS1 –gamma 1.0:1.0:1.0 # red,green,blue

strace -f -e trace=network -s 10000 PROCESS ARGUMENTS

To monitor an existing process with a known PID:

strace -p $PID -f -e trace=network -s 10000

• -f is for "follow new processes"
• -e defines a filter
• -s sets the limit of strings to more then 32
• -p takes the process id to attach to

port=`lsof -i | grep $process | cut -d' ' -f18 | cut -d: -f2 | cut -d'-' -f1`
tcpdump -w ${port}.pcap port $port &

IPC daemon

• system bus
• session bus - session separate even for same user.

bus name: org.freedesktop.NetworkManager

unique connection name - When a process sets up a connection to a bus, the bus assigns to the connection a special bus name called

• :1.1553 (the characters after the colon have no particular meaning.

standard interfaces:

• org.freedesktop.DBus.Peer: provides a way to test if a D-Bus connection is aliv
• org.freedesktop.DBus.Introspectable: provides an introspection mechanism by which a client process can, at run-time, get a description (in XML format) of the interfaces, methods and signals that the object implements.
• org.freedesktop.DBus.Properties: allows a D-Bus object to expose the underlying native object properties or attributes, or simulate them if it does not exist
• org.freedesktop.DBus.ObjectManager: when a D-Bus service arranges its objects hierarchically, this interface provides a way to query an object about all sub-objects under its path, as well as their interfaces and properties, using a single method call

chmod 0700 ~/.gnupg/

GNU Privacy Guard (GnuPG system, GnuPG or GPG)

compliant with

• RFC 4880
• the IETF standards-track specification of OpenPGP.

interoperable with GnuPG

uid - USER-ID - string after: uid [ultimate]

kaypares

• primary keypair and then zero or more additional subordinate keypairs
• they are bundled and can often be considered simply as one keypair.

revocation certificate - published to notify others that the public key should no longer be used

• created right after keypare creation
• revoked public key can still be used to verify signatures made by you in the past

key ring - is a set of keys, public or private. (public keyring - public keys of others stored)

fingerprint or frp - SHA-1 hash of key and additional data

• key-id or hash-key - portion of the SHA-1 fingerprint at the end of fingerprint. –keyid-format=long/short
• examples:
  • fingerprint: 0D69 E11F 12BD BA07 7B37 26AB 4E1F 799A A4FF 2279
  • long id: 4E1F 799A A4FF 2279
  • short id: A4FF 2279

two key pairs: (1, 3) and (2, 4):

1. pub – public primary key (master-key) - used for for signing
2. sub – public sub-key - signed by the primary key and thus confirmed to belong to its user-IDs - used for encryption/decryption.
3. sec – secret primary key
4. ssb – secret sub-key

• supported algorithms: gpg –version
• gpg –list-keys: List all keys from the public keyrings, or just the keys given on the command line.
• gpg –list-secret-keys: List all keys from the secret keyrings or just the ones given on the command line
• gpg –list-public-keys
• gpg –list-sigs: Same as –list-keys, but the signatures are listed too.
• –list-keys –with-colons
• –keyid-format {none|short|0xshort|long|0xlong}

full key: gpg –armor –export email@kernel.org | less

pub dsa1024/17072058 2004-07-20 [SC] [expires: 2022-01-01]

• public primary key
• SC primary and E subordinate keyparis ? algoritm and key size
• key-id SHORT - last part of fingerprint.
• created date
• usage flags:
  • SC - signing and certification.
  • E - used for encryption.
  • 0x01 “C” Key Certification
  • 0x02 “S” Sign Data
  • 0x04 “E” Encrypt Communications
  • 0x08 “E” Encrypt Storage
  • 0x10 Split key
  • 0x20 “A” Authentication
  • 0x80 Held by more than one person
• expires

sections:

• pub - public, followed by fingerprint
• sec - secret, followed by fingerprint
• uid -
• ssb - Secret subkey
• sub - public subkey - (used for encryption)

When generating an OpenPGP key with GnuPG, per default a primary key (pair), also called master-key, and a sub-key (pair) are created.

https://davesteele.github.io/gpg/2014/09/20/anatomy-of-a-gpg-key/

The original idea was that people with keys would get together in person-to-person meet-ups called key signing parties to sign each other's keys and build a web of trust.

• https://keys.openpgp.org/about/usage
• https://www.howtogeek.com/427982/how-to-encrypt-and-decrypt-files-with-gpg-on-linux/

default - Web of trust - responsibility for validating public keys is delegated to people you trust

• Trust on First Use (TOFU)

trust levels

• unknown - Nothing is known about the owner's judgment in key signing. Keys on your public keyring that you do not own initially have this trust level.
• none - The owner is known to improperly sign other keys.
• marginal - The owner understands the implications of key signing and properly validates keys before signing them.
• full - The owner has an excellent understanding of key signing, and his signature on a key would be as good as your own.
• ultimately

cache passphrase entered and allow applications to use GPG concurrently

Добрый день.

Пришли мне зафированный файл FILE.txt:

1. wget https://keys.openpgp.org/vks/v1/by-fingerprint/074C37CF05B861D4C4CC3AC20C5A9B0DA76B2719
2. gpg –import 074C37CF05B861D4C4CC3AC20C5A9B0DA76B2719
3. gpg –encrypt –armor –recipient chepelev_vs@bel-rusnarbank.ru FILE.txt

Зашифрованный файл: FILE.txt.asc

1. берет мой публичный ключ
2. добавляет его в GnuPG
3. шифрует им файл

gpg –decrypt coded.asc > plain.txt

https://www.kernel.org/doc/html/latest/process/maintainer-pgp-guide.html

window manager

on-screen windows and window decorations.

desktop environment

window manager + apps.

twm -> FVWM -> xfce

Settings -> Settings Editor -> xfce4-keyboard-shortcuts

keys:

• C-M-d

C-S-u hex code

compose keys ? /usr/share/X11/locale/en_US.UTF-8/Compose

• Preferences → Keyboard → Layouts tab → Layout Options → Compose key position.
• setxkbmap -option 'compose:menu'

• can not create several aplications for Firefox - it keeps updating its own name

firefox:

#!/usr/bin/env sh
xdotool search "Mozilla Firefox"
if [ $? == 0 ] ; then
   xdotool search "Mozilla Firefox" windowactivate
   exit
fi
firefox

terminal:

#!/usr/bin/env sh

n=$@
xdotool search "term$n"

if [ $? == 0 ] ; then
   xdotool search "term$n" windowactivate
   exit
fi

xfce4-terminal --initial-title term$n

x11-misc/xautolock https://packages.gentoo.org/packages/x11-misc/xautolock

xautolock -time 1 -locker 'xflock4'

/etc/sudoers.d/user:

• u ALL=(ALL) NOPASSWD:/usr/bin/killall telegram-desktop,/usr/bin/vlock -n,/usr/local/bin/usblock.sh

/usr/local/bin/usblock.sh:

• #!/bin/sh
• echo 0 | tee /sys/bus/usb/devices/*/authorized

Alt+F1 -> Settings -> Session and startup -> Application Autostart -> add

• xautolock -time 10 -locker 'sudo vlock -n ; sudo /usr/local/bin/usblock.sh'

count childrens of processes:

for line in $(ps aux | grep ' bash' | grep Ss | awk '{print $2}') ; do
    child_count=$(ps --no-headers --ppid=$line | grep -v emacsclient | wc -l)
    echo $line $child_count

    if [ $child_count -eq 0 ] ; then
        # parent_pid=$(ps -o ppid= -p $line)
        # ps -u -p $line
        kill -9 $line
    fi
done

Tiling

none of the windows overlapping. (keyboard centeric)

Stacking

(aka floating) traditional desktop metaphor

dynamic

can dynamically switch between tiling or floating window layout.

Wildcard, specifies every possible time interval

• The comma (,): To specify a list of values
• Asterisk (*): To specify all possible values for a field
• / Specify a periodicity/frequency using a slash
• Dash (-): To specify a range of values

Special:

30 4 echo "It is now 4:30 am." 0 22 echo "It is now 10 pm." 30 15 25 12 echo "It is 3:30pm on Christmas Day." 30 3 * * * echo "Remind me that it's 3:30am every day." 0 * * * * echo "It is the start of a new hour." 0 6 1,15 * * echo "At 6am on the 1st and 15th of every month." 0 6 * * 2,3,5 echo "At 6am on Tuesday, Wednesday and Thursdays." 59 23 * * 1-5 echo "Just before midnight on weekdays." 0 */2 * * * echo "Every two hours." 0 20 * * 4 echo "8pm on a Thursday." 0 20 * * Thu echo "8pm on a Thursday." */15 9-17 * * 2-5 echo "Every 15 minutes from 9am-5pm on weekdays." @yearly echo "Happy New Year!"

Enter insert mode:

• i/I insert before cursor/begin of line
• a/A Append text after cursor/end of line
• o/O Append new line below/above
• s/(S or cc) Remove char/whole line
• C remove all after cursor
• r replace one character
• R Enter Replace mode
• J remove \n at the end of line

• jkl;
• Ctrl+b scroll back
• Ctrl+f scroll forward
• 0/$ Move cursor to the begining/end of current line
• :n Jump to the nth line
• :0 Jump to the start of file
• :$ Jump to the end of file
• w/e Move cursor to the beginning/end of the next word
• b Move cursor to the beginning of the previous word

:jumps

• Ctrl + o Jump back to the previous position
• Ctrl + i Jump to the next position

• Esc Enter command mode, esc insert mode
• u Undo changes
• Ctrl + r Redo changes
• yy Copy a line
• p Paste the content of the buffer
• [[ or gg Move to the beginning of a file
• ]] or G Move to the end of a file
• :w Save changes
• :q! Force quit Vim discarding all changes
• dd Delete line
• / Search, n- next N-previous

to line number:

• vi +36 foo.c
• :36

copy area:

1. v visual mode
2. y copy
3. p paste

~/.vim - direcotry

The plugins kept in ~/.vim/pack/*/start folder loaded into Vim memory when it starts

• Any directory under ~/.vim/pack is considered a package.
• The plugins under start/ folder are loaded on startup, while the plugins under opt/ folder are loaded manually
• :packadd pluginopt1 - load plugin from vendor/opt

In normal mode ============

:23,30m200 – Move a section of code to another line.

df, (reverse dF,) – Delete all characters till , on the current line.

I – Go to beginning of the line as insert mode.

$ – In command mode, go to end of the line.

gg – Go to beginning of the file G – Go to end of the file.

CTRL + o, CTRL + i – Jumps back and forward, very useful.

CTRL + h/j/k/l – Move the selection to different split windows and MinibuferExplorer.

CTRL + F – Page down scroll. CTRL + B – Page back scroll.

номера :set number :set nonumber номера курсора :set ruler подсветка результатов поиска :set hlsearch строка :(0) $

Ctrl-U CTRL + B – Page back scroll Ctrl-D CTRL + F – Page down scroll.

Page H M L

Macros: qa Start recording a macro in register a. ^ Move to the beginning of the line. i#include "<Esc> Insert the string #include " at the beginning of the line. $ Move to the end of the line. a"<Esc> Append the character double quotation mark (") to the end of the line. j Go to the next line. q Stop recording the macro.

Now that you have done the work once, you can repeat the change by typing the command "@a" three times.

Macros: include one include two include three include four

Move the cursor to the "o" of "one" and press CTRL-V. Move it down with "3j" to "four". You now have a block selection that spans four lines. Now type:

Imain.<Esc>

The result:

include main.one include main.two include main.three include main.four

:set textwidth=72 ))))))))))))))))))))))))))))))) windows: :split (file name) :new Cltr-W :close :only -close all others :vsplit :vnew

tabs: :tabedit thatfile :tab split :0tabnew - before first one :tabc gt -> (goto tab) gT <- :tabl :tabfir

)))))))))))))))))))))))))))))))

syntax on modeline – моды в самом файле for python:

http://habrahabr.ru/post/64224/ tabstop (по умолчанию 8) — количество пробелов, которыми символ табуляции отображается в тексте. Оказывает влияние как на уже существующие табуляции, так и на новые. В случае изменения значения, «на лету» применяется к тексту.

softtabstop (0) — количество пробелов, которыми символ табуляции отображается при добавлении. Несмотря на то, что при нажатии на Tab вы получите ожидаемый результат (добавляется новый символ табуляции), фактически в отступе могут использоваться как табуляция так и пробелы. Например, при установленных tabstop равной 8 и softtabstop равной 4, троекратное нажатие Tab приведет к добавлению отступа шириной 12 пробелов, однако сформирован он будет из одного символа табуляции и 4 пробелов.

shiftwidth (8) — по умолчанию используется для регулирование ширины отступов в пробелах, добавляемых командами >> и <<. Если значение опции не равно tabstop, как и в случае с softtabstop, отступ может состоять как из символов табуляций так и из пробелов. При включении опции — smarttab, оказывает дополнительное влияние.

smarttab (выключена) — в случае включения этой опции, нажатие Tab в начале строки (если быть точнее, до первого непробельного символа в строке) приведет к добавлению отступа, ширина которого соответствует shiftwidth (независимо от значений в tabstop и softtabstop). Нажатие на Backspace удалит отступ, а не только один символ, что очень полезно при включенной expandtab. Напомню: опция оказывает влияние только на отступы в начале строки, в остальных местах используются значения из tabstop и softtabstop.

expandtab (выключена) — в режиме вставки заменяет символ табуляции на соответствующее количество пробелов. Так же влияет на отступы, добавляемые командами >> и <<.

autoindent (выключена) — копирует отступы с текущей строки при добавлении новой.

smartindent (выключена) — делает то же, что и autoindent плюс автоматически выставляет отступы в «нужных» местах. В частности, отступ ставится после строки, которая заканчивается символом {, перед строкой, которая заканчивается символом }, удаляется перед символом #, если он следует первым в строке и т.д. (подробнее help 'smartindent').

set list - показать конец строки

Syntastic is a Vim plugin that brings syntax checking to Vim.

You need rewrite URL in body of response. You can do in with sub module:

location /admin/ {
    proxy_pass http://localhost:8080/;
    sub_filter "http://your_server/" "http://your_server/admin/";
    sub_filter_once off; # all strings
    sub_filter_last_modified off; # do not touch Last-Modified header
    # sub_filter_types text/html; # set by default
}

May be useful:

• proxy_redirect / admin
• nginx_substitutions_filter - regex filter

https://nginx.org/en/docs/

/etc/nginx/nginx.conf (specified in /etc/init.d/nginx)

directives:

• error_log logs/error.log warn;
  1. to a particular file, stderr, or syslog (default: logs/error.log)
     • error_log syslog:server=unix:/var/log/nginx.sock debug;
  2. minimal severity level of messages to log
• access_log /spool/logs/nginx-access.log upstream_time;

Settings in the main context are always inherited by other configuration levels (http, server, location)

Error Log Severity Levels

• emerg: Emergency messages when your system may be unstable.
• alert: Alert messages of serious issues.
• crit: Critical issues that need to be taken care of immediately.
• error: An error has occured. Something went wrong while processing a page.
• warn: A warning messages that you should look into it.
• notice: A simple log notice that you can ignore.
• info: Just an information messages that you might want to know.
• debug: Debugging information used to pinpoint the location of error.

default error.log format: log_format combined '$remote_addr - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent"'; https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format https://docs.nginx.com/nginx/admin-guide/monitoring/logging/

1 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking to upstream

• proxy_ssl_server_name on;

apt is newer

apt -y install …

List packages by criteria apt list

under user

• tigervncserver -localhost no

для работы в Thunar: apt-get install smbclient gvfs-fuse gvfs-backend

https://wiki.debian.org/iptables

iptables-save - show filtered, processed tables and export rules

/etc/asound.conf вторая строка - карта по умолчанию

pcm.!default { type hw card 1 }

ctl.!default { type hw card 0 }

amixer set Master 5+ amixer set Master 5-

• apt-get install openssh-server
• systemctl start ssh

WinSCP

Display not found and PRINT_MODE not set to TEXT, aborting.

• nano .config/dwarf-fortress/init.txt
  • [PRINT_MODE:2D] to [PRINT-MODE:TEXT].

Didn't find any flavor of libncursesw, attempting libncurses (not working)

• apt-install libncursesw5

swapon --show
free -h
fallocate -l 1G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
cp /etc/fstab /etc/fstab.back
echo '/swapfile none swap sw 0 0' | tee -a /etc/fstab

determines how often the swap space should be used 0 to 100. Higher value means the swap space will be used more frequently:

cat /proc/sys/vm/swappiness
echo 'vm.swappiness=10' | tee -a /etc/sysctl.conf

SWAP=500MB
fallocate -l $SWAP /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
cp /etc/fstab /etc/fstab.back
echo '/swapfile none swap sw 0 0' | tee -a /etc/fstab
cp /etc/sysctl.conf /etc/sysctl.conf.back
echo 'vm.swappiness=10' | tee -a /etc/sysctl.conf

swapon --show

https://debian-handbook.info/

• GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"
• /etc/netplan/50-cloud-init.yaml

network: ethernets: enp3s0: dhcp4: false addresses: [192.168.2.148/24] gateway4: 192.168.2.51 nameservers: addresses: [192.168.2.254] version: 2

netplan apply ip route delete default via 192.168.2.51

iptables

• iptables-save > etc/iptables…

DNS

• systemctl disable systemd-resolved.service
• /etc/resolv.conf - nameserver 1.2.3.4
• nslookup finds ip, but ping doesnt https://askubuntu.com/questions/81797/nslookup-finds-ip-but-ping-doesnt
  • /etc/nsswitch.conf : hosts: files dns

rootless Xorg

• after installation of nvidia proprietary drivers
• /etc/X11/Xwrapper.config
• needs_root_rights=no
• startx – vt1

/etc/fstab proc /proc proc defaults,hidepid=2 0 0

• ntp not used
• https://help.ubuntu.com/lts/serverguide/NTP.html#timedate-info
• /etc/systemd/timesyncd.conf: NTP=0.arch.pool.ntp.org 1.arch.pool.ntp.org 2.arch.pool.ntp.org 3.arch.pool.ntp.org
• systemctl restart systemd-timesyncd.service

alias thumb-disable="chmod u-rwx home/u2.cache/thumbnails" alias thumb-enable="chmod u+rwx home/u2.cache/thumbnails"

HP LaserJet P3004/P3005 PCL6 Class Driver 192.168.2.230

steps:

• # apt-get install hplip
• # hp-setup -i 192.168.1.27

• # apt-get install krb5-config krb5-user
• # dpkg-reconfigure krb5-config

/etc/krb5.conf:

• default_realm = INT.RUSNARBANK.RU
• kdc = srv-dc-03.int.rusnarbank.ru
• admin_server = srv-dc-03.int.rusnarbank.ru

connect:

• $ echo 'password' | kinit Chepelev_VS@INT.RUSNARBANK.RU
• $ klist - проверить

Thunderbird address book

• Name:Rusnarbank
• Hostname: srv-dc-03.int.rusnarbank.ru
• Base DN: DC=int,DC=rusnarbank,DC=ru
• port: 389
• Advanced Login methid:kerberos
• Advanced search file: empty!

• sudo apt install cifs-utils

• wget -q https://packages.microsoft.com/keys/microsoft.asc -O- | sudo apt-key add -
• sudo add-apt-repository "deb [arch=amd64] https://packages.microsoft.com/repos/vscode stable main"
• sudo apt install code
• $ code
• во вкладке расширений - @builtin php
• отключить PHP Language Features - стандартные возможности убоги
• установить например: PHP Intelephense,

Режимы защищенности:

• «Базовый» («Орел», несертифицированная версия)
• «Усиленный» («Воронеж»)
  • мандатного контроля целостности
  • замкнутая программная среда
  • подсистема безопасности PARSEC - разработана на основе верифицированной формальной модели безопасности управления доступом и информационными потоками (МРОСЛ ДП-модели).
• «Максимальный» («Смоленск»).
  • мандатное управление доступом для локальной и серверной инфраструктуры.

распределение информации или компонент в системе по заданным уровням целостности, исходя из которых назначаются права доступа на изменение объекта.

PARSEC обеспечивает защиту высокоцелостных компонент от несанкционированной записи из низкоцелостных компонент

пользователь root в Astra Linux Special Edition работает на минимальном уровне целостности 0.

ограничить запуск исполняемых файлов и загрузку исполняемых библиотек только теми, которые подписаны ЭЦП на доверительном ключе, что обеспечивает защиту от загрузки файла или библиотеки без корректной ЭЦП.

принцип управления доступом, суть которого заключается в распределении информации по заданным уровням (конфиденциальности) и выполнении трех основных условий.

• чтение данных доступно пользователю или процессу, который обладает уровнем конфиденциальности таким же, как

у этих данных, или выше.

• запись данных доступна процессу, обладающему таким же или меньшим уровнем конфиденциальности по сравнению с данными.
• действия процессов не приводят к утечке данных с высокого уровня конфиденциальности на низкий.

Контроль за соблюдением правил мандатного контроля целостности и мандатного управления доступом реализуется посредством монитора обращений PARSEC.

основа подсистемы безопасности PARSEC — МРОСЛ ДП-модель, описанная на языке формального метода Event-B.

• Rodin IDE with ProB plugin
• Frama-C code analyzis
• Secure Software Development Lifecycle (SSDL) - practice

• РЕД ОС - базировавшийся на CentOS 6, POSIX, LSB
• ALT Linux - являются отдельной ветвью развития Linux

nvidia-installer –uninstall

repository cuda-rhel9-x86_64

• https://developer.nvidia.com/cuda-11-8-0-download-archive
• dnf install libcudnn8-devel
• dnf install cuda-cudart-12-2

https://docs.nvidia.com/deeplearning/cudnn/install-guide/index.html#verify

• dnf install tigervnc-server-minimal
• cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@:1.service
• add 5901/tcp to firewall
• echo ':1=myuser' >> /etc/tigervnc/vncserver.users
• $ echo 'session=xfce' > ~/.vnc/config

https://www.ibm.com/support/pages/how-configure-vnc-server-red-hat-enterprise-linux-8

• distribution=rhel9.2 && curl -s -L https://nvidia.github.io/libnvidia-container/$distribution/libnvidia-container.repo | sudo tee /etc/yum.repos.d/nvidia-container-toolkit.repo
• dnf install nvidia-container-toolkit.repo
• dnf install nvidia-container-toolkit-base-1.12.0-1
• dnf install libnvidia-container1-1.12.0-1
• dnf install nvidia-container-toolkit-1.12.0-1
• dnf install nvidia-container-runtime-3.12.0
• containerd config default | tee /etc/containerd/config.toml

The service reads rules from /etc/sysconfig/nftables.conf.

nft list ruleset > /etc/sysconfig/nftables.conf

Programs are executed natively.

application that launches the command line program by using system call execve(2) and redirecting standard input, output and error streams onto the display.

All provided packages are cross-compiled with Android NDK and only have compatibility patches to get them working on Android

Termux is single-user - username may look like u0_a231 and cannot be changed as it is derived from the user id by Bionic libc.

All our packages (except root-only ones) are patched to drop any multiuser, setuid/setgid and other similar functionality. We also changed default ports for server packages: ftpd, httpd and sshd have their default ports set to 8021, 8080 and 8022 respectively.

You have free read-write access to all application components including $PREFIX. Be careful since it is very easy to break things by accidentally deleting or overwriting files in $PREFIX.

If Android OS reports support only of 32-bit ABIs, Termux will perform a 32-bit installation only.

• prefix - /data/data/com.termux/files/usr - as /
• home - /data/data/com.termux/files/home - as /home/user

Termux can list only its own processes. You can see more only under rooted shell or ADB.

• some processes, result can't be terminated with pkill <NAME> or killall <NAME> but only with kill <PID>.

ssh

• apt install curl
• curl -LO https://raw.githubusercontent.com/Hax4us/Metasploit_termux/master/metasploit.sh
• chmod 777 metasploit.sh
• ./metasploit.sh

• termux-am - Android Oreo-compatible am command reimplementation.
• termux-am-socket
• termux-backup
• termux-change-repo
• termux-fix-shebang
• termux-info
• termux-open
• termux-open-uri
• termux-reload-settings
• termux-reset
• termux-restore
• termux-setup-package-manager
• termux-setup-storage
• termux-wake-lock
• termux-wake-unlock

• https://github.com/termux/termux-app
• https://termux.github.io/
• https://wiki.termux.com/wiki/Main_Page
• https://wiki.termux.com/wiki/Internal_and_external_storage

haskell

• composability - liberal use of many tiny functions, or UNIX philosophy
• fusion little functions may be pipelined with dot . (fused)

lisp pros

monolithism

procedure tends ti accept many options which configure its behaviou

(no term)

parameter is added to existing function. Composition is a bit wordier and rarely used.

• field - column separated by white space
• record - line of input

• BEGIN {commands} - initialization of variables
• pattern {commands} pattern {commands} … - on every line
• END {commands} -

• field variables: $1, $2, $3, and so on ($0 represents the entire record)
• NR: Number of Records. Keeps a current count of the number of input records read so far from all data files. It starts at zero, but is never automatically reset to zero.[14]
• FNR: File Number of Records. Keeps a current count of the number of input records read so far in the current file. This variable is automatically reset to zero each time a new file is started.[14]
• NF: Number of Fields. Contains the number of fields in the current input record. The last field in the input record can be designated by $NF, the 2nd-to-last field by $(NF-1), the 3rd-to-last field by $(NF-2), etc.
• FILENAME: Contains the name of the current input-file.
• FS: Field Separator. Contains the "field separator" used to divide fields in the input record. The default, "white space", allows any sequence of space and tab characters. FS can be reassigned with another character or character sequence to change the field separator.
• RS: Record Separator. Stores the current "record separator" character. Since, by default, an input line is the input record, the default record separator character is a "newline".
• OFS: Output Field Separator. Stores the "output field separator", which separates the fields when Awk prints them. The default is a "space" character.
• ORS: Output Record Separator. Stores the "output record separator", which separates the output records when Awk prints them. The default is a "newline" character.
• OFMT: Output Format. Stores the format for numeric output. The default format is "%.6g".

• for (initialization; condition; increment/decrement) action
• while (condition) action

print

• print $1, $3 - Displays the first and third fields of the current record, separated by a predefined string called the output field separator (OFS)

network segment - layer 1. connected devices

devices

• router - network layer (layer 3). uses destination IP address. connect different IP networks
• bridge - data link layer (layer 2). multiport bridge function serves as the basis for network switches.
  • switch - data link layer (layer 2) of the OSI model. receive and forward data to the destination device. uses hardware addresses (MAC addresses).
    • Multilayer switch - OSI layer 2 like an ordinary network switch and provides extra functions on higher OSI layer
• hub (repeater hubs) - physical layer (layer 1) of the OSI model - connecting multiple Ethernet devices together and making them act as a single network segment, signal introduced at the input of any port appears at the output of every port except the original incoming. learns the identities of connected devices and then only forwards data to the port connected to the device to which it is addressed

• arp is used to manipulate the kernel's ARP cache, usually to add or delete an entry, or to dump the entire cache.
• dnsdomainname reports the system's DNS domain name.
• domainname reports or sets the system's NIS/YP domain name.
• hostname reports or sets the name of the current host system.
• ifconfig is the main utility for configuring network interfaces.
• nameif names network interfaces based on MAC addresses.
• netstat is used to report network connections, routing tables, and interface statistics..
• nisdomainname does the same as domainname.
• plipconfig is used to fine tune the PLIP device parameters, to improve its performance.
• rarp is used to manipulate the kernel's RARP table.
• route is used to manipulate the IP routing table.
• slattach attaches a network interface to a serial line. This allows you to use normal terminal lines for point-to-point links to other computers.
• ypdomainname does the same as domainname.

LiSts all Open Files

• lsof -iTCP -sTCP:LISTEN -P -n
  • -P подавляет, для сетевых файлов, преобразование номеров портов в имена портов.
  • -i позволяет вывести сведения о файлах, интернет-адреса которых соответствуют заданному адресу.
• lsof -u cindy | wc -l - список файлов, открытых конкретным пользователем.
• lsof -u^cindy | wc -l - количество файлов на компьютере, которые открыты всеми пользователями за исключением cindy
• -c сведения о файлах, которые держат открытыми процессы, выполняющие команды, имена которых начинаются с заданных символов.
• lsof -cpython | head -15 - первые 15 файлов, открытых всеми процессами Python, выполняющимися на компьютере.
• lsof +d /usr/bin | head -4 - какие папки и файлы открыты в некоей директории
• lsof -p вывести все файлы, открытые процессом с указанным при вызове команды PID.
• Опция -t подавляет вывод всей информации за исключением ID процессов.
• lsof -l dir - сведения обо всех процессах, имеющих открытые дескрипторы файлов в директории

DNS lookups and displays the answers

• net-dns/bind-tools

examples:

• dig howtogeek.com - get DNS information
• dig -x 1.1.1.1 - reverse DNS requiest
  • dig ptr 148.188.51.209.in-addr.arpa - same
• type of DNS record
• dig howtogeek.com +shor
• dig howtogeek.com +nocomments
• dig redhat.com MX +noall +answer

dig [@server] [name] [type]

• @8.8.8.8 - dns server
• name - dns or IP
• type of DNS record
  • A Record: Links the domain to an IP version 4 address.
  • MX Record: Mail exchange records direct emails sent to domains to the correct mail server.
  • NS Record: Name server records delegate a domain (or subdomain) to a set of DNS servers.
  • TXT Record: Text records store text-based information regarding the domain. Typically, they might be used to suppress spoofed or forged email.
  • SOA Record: Start of authority records can hold a lot of information about the domain. Here, you can find the primary name server, the responsible party, a timestamp for changes, the frequency of zone refreshes, and a series of time limits for retries and abandons.
  • TTL: Time to live is a setting for each DNS record that specifies how long a DNS precursor server is allowed to cache each DNS query. When that time expires, the data must be refreshed for subsequent requests.
  • ANY: This tells dig to return every type of DNS record it can.

DNS lookups and displays the answers

• -port=[port-number] Specify the port for queries. The default port number is 53.
• -type=any View all available records. - Not all actualy
• -type=txt View Text Records
• -type=ns View Domain's NS Records
• -type=mx Mail Exchange server data.
• -type=soa Start of Authority (SOA) records provide authoritative information about the domain and the server, such as the email address of the administrator, serial number, refresh interval, query expiration time, etc.
• nslookup -type=ptr [reverse-ip-address].in-addr.arpa

Internationalized domain name -

• IDNA ToASCII algorithm
• ToASCII and ToUnicode.
  • not applied to the domain name as a whole, but rather to individual labels - to each part separately

• net-misc/whois improved Whois Client GPL-2
• net-misc/jwhois Advanced Internet Whois client capable of recursive queries GPL-3

• iptables -F –flush chain - delete all rules
• iptables -P –policy chain target - target must be ACCEPT or DROP - default policy for chain
• iptables -A –append chain rule

net-firewall/aptables

arptables -A INPUT –source-mac d8:d7:21:22:5a:f4 -j ACCEPT

arptables -P INPUT ACCEPT

• https://www.isc.org/bind/
• https://gitlab.isc.org/isc-projects/bind9/-/blob/main/doc/dnssec-guide/getting-started.rst

HTTP request and response

tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
tcpdump -X -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

kernel virtual network devices

• can't be used together
• TUN - network layer device operates in layer 3 carrying IP packets. Used with routing.
• TAP - link layer device and operates in layer 2 carrying Ethernet frames.

max speed

• ethtool enp0s3
• dmesg | grep enp0s3
• mii-tool -v enp0s3
• cat /sys/classes/net/eth0/speed # 1000 = 1000 Mb/s

bandwith usage

• ifstat -r && ifstat -s
• nmon

latency:

• nmap -sn host
• map -sn -P 443 -d3 ya.ru
• ping

create a test network namespace:

ip netns add test

create a pair of virtual network interfaces (veth-a and veth-b):

ip link add veth-a type veth peer name veth-b

change the active namespace of the veth-a interface:

ip link set veth-a netns test

configure the IP addresses of the virtual interfaces:

ip netns exec test ifconfig veth-a up 192.168.163.1 netmask 255.255.255.0 ifconfig veth-b up 192.168.163.254 netmask 255.255.255.0

configure the routing in the test namespace:

ip netns exec test route add default gw 192.168.163.254 dev veth-a

activate ip_forward and establish a NAT rule to forward the traffic coming in from the namespace you created (you have to adjust the network interface and SNAT ip address):

echo 1 > /proc/sys/net/ipv4/ip_forward iptables -t nat -A POSTROUTING -s 192.168.163.0/24 -o <your internet interface, e.g. eth0> -j SNAT –to-source <your ip address>

(You can also use the MASQUERADE rule if you prefer)

finally, you can run the process you want to analyze in the new namespace, and wireshark too:

ip netns exec test thebinarytotest ip netns exec test wireshark

• useradd –home=/home/ff –create-home –shell /bin/false –user-group ff –groups input,users,video,audio
  • -u $UID -g $GUID
• xhost si:localuser:ff2 ; cd /home/ff2 ; sudo -u ff2 firejail –profile=/etc/firejail/firefox.profile firefox -P -no-remote normal $@
• userdel -r ff # remove user

remove password and lock:

• passwd -ld ff

• one-time password system
• систему генерирования одноразовых паролей на основе стандартов MD4 и MD5
• relies on the difficulty of reversing cryptographic hash functions
• Клиент начинает обмен S/Key, отправляя серверу пакет инициализации, а сервер в ответ отправляет порядковый номер и случайное число, так называемое «зерно» (seed). После этого клиент генерирует одноразовый пароль в ходе операции, состоящей из трех этапов: подготовительного этапа, этапа генерирования и функции выхода. На этапе генерирования клиент многократно использует хеш-функцию и получает 64-разрядную итоговую величину.
• RFC 1760
• vulnerable to a man in the middle attack if used by itself
• vulnerable to certain race conditions

Users group "wheel" can su - to become root

root:x:0:0:root:/root:/usr/bin/zsh

• root - Username
• x - x here denotes password is encrypted
• 0 - UID
• 0 - GID user's group ID
• root - Ifno of the user(GECOS)
• /root - User home directory
• /usr/bin/zsh - Login shell

mark:\(6\).n.:17736:0:99999:7:::

• Username
• \(6\).n. - Encrypted Password
  • * - blank password L - used for service accounts
  • ! - blank password L - user accounts
  • \(1\) – MD5
  • \(2a\) – Blowfish
  • \(2y\) – Eksblowfish
  • \(5\) – SHA-256
  • \(6\) – SHA-512
• 17736 - Last password change epoch date
• 0 - Minimum password age - the number of days that must pass before the user password can be changed
• 99999 - Maximum password age
• Warning period
• Inactivity period - the number of days before the password expires during which the user is warned that the password must be changed
• Inactivity period - The number of days after the user password expires before the user account is disabled
• Expiration date. The date when the account was disabled. It is represented as an epoch date.
• reserved

• emerge –ask app-admin/logcheck
• useradd –home=/home/logcheck –create-home –shell /bin/false –user-group logcheck
• /etc/logcheck/logcheck.conf:
  • SENDMAILTO="root"

ps auxZ | grep -v '^unconfined'

ограниченные программы -v - invert

aa-complain /full/path/to/program

отключить apparmor и смотреть syslog

aa-enforce /full/path/to/program

включить обратно после удаления ненужных ограничений

apparmor_parser -r /etc/apparmor.d/profile

перезагрузить один профиль

aa-status

.

aa-genprof app && app

create profile for app

aa-logprof

for existing profiles - allow/deny acces to certain tasks

Inherit

create rule in paret and executable inherit it from parent

Child

create sub-profile with separete rules

• client /etc/fstab
• server /etc/exports

options

• file systems on a separate partition of a harddisk, we can ensure that malicious users can not simply fill up the entire harddisk by writing large files onto it.
• /home nfs-client(secure) - Prevent normal users on an NFS client from mounting an NFS file system (on server)
• /home nfs-client(ro)
• nfs-clients - use numeric IP addresses or fully qualified domain names, instead of aliases.
• /home nfs-client(root_squash) - while mounting using the command mount, the user ID ?root? on the NFS client will be replaced by the user ID ?nobody? on the NFS server.
• nfs-server:/home /mnt/nfs nfs ro,nosuid,noexec 0 0 - Disable suid (superuser ID) on an NFS file system (on client)
• ssh encryption of traffic: ssh -f -c blowfish -L 7777:nfs-server:2049 -l tony nfs-server /bin/sleep 86400
  • On the NFS client computer, bind a SSH port with NFS port 2049.
  • -c blowfish means SSH will use the algorithm blowfish to perform encryption.
  • -L 7777:nfs-server:2049 means binding the SSH client at port 7777 (or any other port that you want) to communicate with the NFS server at address nfs-server on port 2049.
  • -l tony nfs-server means in the process of login on the authentication server at address nfs-server (specify either the IP address or domain name of the authentication server), use the user login name tony to authenticate on the server.
  • /bin/sleep 86400 means to prevent spawning a shell on the client computer for 1 day (86,400 seconds). You can specify any larger number.

fstab exampe

• home /mnt/nfs nfs tcp,rsize=8192,wsize=8192,intr,rw,bg,nosuid,port=7777,mountport=8888,noauto

show NFS shares only if you are using rpcbind.

showmount --exports dnsmy.local

vectors:

1. HID devices
2. Faked network adapters - are no real danger
3. firmware flashing over the USB connection

• logs
• recent started processed:
  • ps -ef –sort=start_time
  • ps -aux –sort=start_time
  • cd /proc; ls -td –full-time –time-style=+%s [0123456789]*;

For:

• Changes to the global resource are visible to other processes that are members of the name‐ space, but are invisible to other processes.
• Containers

man 7 namespaces

• /proc/<pid>/ns/*

https://medium.com/@pipermerriam/my-guide-to-solid-digital-security-fb76cb19c536#.hmz8imwe6

electromagnetic radiation (EMR) - radio waves, microwaves, infrared, (visible) light, ultraviolet, X-rays, and gamma rays

IEEE 802.11 wireless local area network (WLAN)

The most basic BSS consists of one AP and one STA.

Cellular network or mobile network - require sim card and modem, GMS-2G, UMTS-3g, LTE-4G, 5G

• https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/mediatek
• https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/drivers/net/wireless/mediatek/mt7601u

b/g/n

/lib/firmware/mt7601u.bin

Firmware license tags: redistribution allowed, closed source!

• https://en.wikipedia.org/wiki/Comparison_of_open-source_wireless_drivers
• https://wireless.wiki.kernel.org/en/users/drivers
• https://deviwiki.com/wiki/Main_Page

1. to keep simple names: touch /etc/udev/rules.d/80-net-name-slot.rules
2. net-wireless/iwd or net-wireless/wpa_supplicant - allows users to connect to WPA enabled access points
3. enable regulatory domain in kernel
4. - rfkill unblock all
   • ifconfig -a
   • ifconfig -v wan0 up

low level device config, WEP, scan

• iw phy [phy1 info]
• iw dev
• iw dev wlan0 info
• iw phy1 reg get
• iw dev wlan0 scan -u passive | less

• debug: /usr/libexec/iwd -d
• iwd keeps the configuration file at /var/lib/iwd as a .psk file with your access point name.

WPA/WPA2/Enterprise connections, device control

1. emerge –ask net-wireless/wpa_supplicant
2. bzless /usr/share/doc/${P}/wpa_supplicant.conf.bz2 > /etc/wpa_supplicant/wpa_supplicant.conf
3. chmod o-rwx /etc/wpa_supplicant/wpa_supplicant.conf

• iwconfig
• iwevenqt
• iwgetid
• iwlist
  • scanning
  • frequency/channel - Center frequencies
  • encryption/keys
• iwpriv
• iwspy

direct firmware load failed error -2

• if you built driver into kernel (not as a module) the firmware will not load because at the time kernel loads the root filesystem is not mounted yet.
• include firmware in kernel binary:
  • Device Drivers —> Generic Driver Options —> Firmware loader —>
    • -*- Firmware loading facility
    • () Build named firmware blobs into the kernel binary
    • (/lib/firmware) Firmware blobs root directory

DORMANT - power saving mode

• disable pwer saving

governments assert the right to regulate usage of radio spectrum within their respective territories

• ne-wireless/crda
  • Central Regulatory Domain Agent (CRDA) - can be triggered to update the kernel wireless core's definition of the regulatory permissions for a specific country.
• ne-wireless/wireless-regdb - regulatory database used by CRDA
• use ISO 3166-1 alpha-2 country codes https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2

loads the database via udev rule

TODO /etc/default/crda

regilatory database

• binary file format - to have the data available quickly and as compact as possible, authorship and integrity
• embedding the signature into the binary file
• signature is checked against a list of public keys built into the regulatory daemon binary

Kernel:

• Please set CONFIG_CFG80211=m or add regulatory.db and regulatory.db.p7s to CONFIG_EXTRA_FIRMWARE.
  • CONFIG_EXTRA_FIRMWARE="regulatory.db regulatory.db.p7s"
  • CONFIG_EXTRA_FORMWARE_D="/lib/firmare"

• tree /sys/class/net
• ip addr
• ifconfig -a
  • ifconfig -v wlan0 up # activate
• dmesg | grep -i -E 'xx:xx.x|wlan|iwl|80211'
• udevadm monitor –environment kernel

• linux kernel doc https://wireless.wiki.kernel.org/en/users/documentation
• https://docs.google.com/viewer?url=https%3A%2F%2Fwifigid.ru%2Fwp-content%2Fuploads%2F2018%2F11%2Fwifi-3.pdf&hl=ru&embedded=true

• https://en.wikipedia.org/wiki/Comparison_of_open-source_wireless_drivers
• https://openwrt.org
• https://github.com/ZerBea/hcxdumptool

• избегайте банковских операций во время подключения к публичным сетям
• никогда не авторизуйтесь в сети, если для подтверждения у вас просят номер телефона, электронную почту или же социальную сеть. В таком случае, этими данными могут воспользоваться злоумышленники
• отключите опцию общего доступа к вашим файлам
• не используйте обнаружение вашего девайся другими пользователями сети
• также нежелательна опция автоматического подключения к открытой сети
• не регистрируйтесь на сайтах во время подключения к общедоступным сетям Wi-Fi
• избегайте сетей в которых соединение периодически прерывается
• при подключении к общей сети - желательно использовать VPN-сервесы

• https://github.com/aircrack-ng/rtl8812au
• https://www.justsomestuff.co.uk/wiki/doku.php/linux/add_driver
• book linux device drivers https://lwn.net/Kernel/LDD3/
• https://stackoverflow.com/questions/8549992/kernel-how-to-add-a-new-source-file-for-kernel-build

I copied aircrack-ng/rtl8812au to kernel folder: drivers/net/wireless/realtek/rtlwifi/ I add line to drivers/net/wireless/realtek/rtlwifi/Makefile: obj-$(CONFIG_88XXAU) += rtl8812au/ I add lines to drivers/net/wireless/realtek/rtlwifi/Kconfig: config 88XXAU tristate "Realtek RTL8812AU USB Wireless Network Adapter" depends on USB select RTLWIFI select RTLWIFI_USB help This is the driver for Realtek RTL8812AU USB I replaced line in file rtl8812au/Makefile : export CONFIG_88XXAU = m with: export CONFIG_88XXAU = y

• The PyGatt library is based on PyBluez,

Bluetooth RSSI (Received Signal Strength Indicator) - measured in decibels (dBm). The more negative the RSSI value, the further away the Bluetooth device.

• guide https://gist.github.com/ssledz/69b7f7b0438e653c08c155e244fdf7d8
• curl 'https://dlcdnets.asus.com/pub/ASUS/wireless/USB-BT400/DR_USB_BT400_1201710_Windows.zip' -o bt400-driver.zip
• id to hex name https://aur.archlinux.org/cgit/aur.git/tree/filelist.txt?h=bcm20702a1-firmware

inter-process communication mechanism

• non-transactional. It is stateful and connection-based
• dbus daemon - runs an actual bus
  • bus address will typically be the filename of a Unix-domain socket such as "tmp.hiddensocket

dev-util/d-feet

alias blueup="rc-service bluetooth up ; sleep 1; bluetoothctl power on && bluetoothctl scan on" alias bluedown="bluetoothctl power off"

/usr/lib/firmware/rtl_bt/rtl8761b_fw.bin OR /lib/firmware/rtl_bt/rtl8761b_fw.bin /usr/lib/firmware/rtl_bt/rtl8761b_config.bin OR /lib/firmware/rtl_bt/rtl8761b_config.bin https://linuxreviews.org/Realtek_RTL8761B https://aur.archlinux.org/packages/rtl8761usb

https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=rtl8761usb

• help help
• current device list
• status show
• scan scan
• disable/enamble power off/on
• connected devices devices

to find devices:

1. activate scan - scan on
2. devices - to get name
3. look back to find out RSSI

bluealsa -p a2dp-sink -p a2dp-source –xapl-resp-name=iPhone –a2dp-volume

BlueALSA volume persistent state storage:

• https://github.com/TheWeirdDev/Bluetooth_Headset_Battery_Level
• https://github.com/arkq/bluez-alsa/blob/master/doc/bluealsa.8.rst

https://elinux.org/images/3/32/Doing_Bluetooth_Low_Energy_on_Linux.pdf

to right

convert image.jpg -rotate 90 image.jpg

to left (keep size)

convert image.jpg -distort SRT -90 image.jpg

for f in /home/u/Desktop/conf/* ; do convert $f -resize 1000x1000 -quality 90% /home/u/Desktop/conf2/$(basename $f) ; done

enhance size:

f="/home/u/Desktop/conf2/a.jpg" ; convert /home/u/Desktop/conf/$(basename "$f") -resize 2000x2000 -quality 93% "$f"

keep aspect rate:

convert a.jpg -geometry 300x300 a2.jpg

get hidden data

• feh –draw-exif
• exiv2 / exifgrep
• exiftool -auU -g1 image

clear hidden data

• exiftool -all= image

for f in /home/u/Desktop/conf2/* ; do exiftool -all= $f ; done

• feh -D 2 /dir

https://stackoverflow.com/questions/38476804/insert-one-image-into-another-using-convert

montage -mode concatenate -tile 1x v[1-9].jpg out.jpg

convert: attempt to perform an operation not allowed by the security policy `PDF' @ error/constitute.c/IsCoderAuthorized/449.

• /etc/ImageMagick-7/policy.xml: <policy domain="coder" rights="read | write" pattern="PDF" />
• security vulnerability that caused distributions to implement the policy: can allow an attacker to execute arbitrary commands with arbitrary arguments. in Ghostscript

Alt, e, n, Alt+Shift+e, Alt+Shift+e - proxy settings, arrow to choose

articles:

• article https://pixelprivacy.com/resources/browser-fingerprinting/
• 1 https://habr.com/ru/company/selectel/blog/521550/
• 2 https://habr.com/ru/company/selectel/blog/523462/
• entropy https://habr.com/ru/post/357238/

• https://webkay.robinlinus.com/

  https://amiunique.org/fp https://browserleaks.com/

Никогда не развертывать на весь экран

• stats https://www.w3schools.com/browsers/browsers_display.asp
  • most common 1366x768
• get current https://whatismyresolution.com/

firefox -width 1366 -height 768 ( do not work with resistFingerprinting) add-on Window Resizer by antwhere.com https://addons.mozilla.org/en-US/firefox/addon/window-resizer-antwhere/

• 870 - 666 = 102 = 768 + 102 = 1366x870

to true: gfx.direct2d.disabled layers.acceleration.disabled

Font Fingerprint Defender by ilGur https://addons.mozilla.org/en-US/firefox/addon/font-fingerprint-defender/

or

browser.display.use_document_fonts - 0

• check https://browserleaks.com/ssl
• config https://wiki.gentoo.org/wiki/Firefox

security.tls.version.min - 3

https://amiunique.org/stats

• about:config general.useragent.override

popular:

• https://beamtic.com/user-agents/?browser=FireFox
• https://whatmyuseragent.com/browser/firefox/ff
• Mozilla/5.0 (Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0
• Mozilla/5.0 (Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0
• Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0

to true

• webgl.disabled
• privacy.firstparty.isolate

to false

• geo.enabled

FOR VPN: media.peerconnection.enabled

Disable JavaScript https://github.com/dpacassi/disable-javascript Font Fingerprint Defender https://addons.mozilla.org/en-US/firefox/addon/window-resizer-antwhere/ WindowResizer CanvasBlocker by Korbinian Kapsner github.com/kkapsner

javascript.enabled

about:profiles

firefox -width 1366 -height 768 -P -no-remote second

https://www.gnu.org/philosophy/javascript-trap.html

https://wiki.mozilla.org/Add-ons/Extension_Signing#Unbranded_Builds

Extension must be

1. zipped:
   • zip -r -FS a.zip mouseless-plugin-master/* –exclude '.git'
   • 7z a a.xpi librejs-7.20.2/* -r
2. zip must be signed with api or web-ext sign to xpi format

xpinstall.signatures.required false - but not working

diff -Z mouseless-plugin-master/ mouseless_jk-0.12.2-an+fx-linux/

https://github.com/mortie/mouseless-plugin with krita images extracted https://github.com/aaact-aatia/mouseless-plugin https://addons.mozilla.org/en-US/firefox/addon/mouseless-plugin/

not working

• alt
• meta
• go forward
• page up,page down , fast ones

https://github.com/brookhong/Surfingkeys https://addons.mozilla.org/en-US/firefox/addon/surfingkeys_ff/

USE="-gmp-autoupdate" has disabled the following plugins from updating or installing into new profiles:

• gmp-gmpopenh264
• gmp-widevinecdm

network.proxy.socks_remote_dns true network.dns.disablePrefetch true network.dns.disableIPv6 true media.peerconnection.enabled false

• https://github.com/pyllyukko/user.js/
• https://github.com/arkenfox/user.js/
  • app.update.enabled false
  • extensions.update.enabled false
  • security.OCSP.enabled 1 - for normal 0 - for tor
  • dom.security.https_only_mode - true for normal, false for tor
  • plugins.update.notifyUser false
  • dom.event.contextmenu.enabled - uncomment
  • places.history.enabled - true for normal false for tor
  • may request something
    • browser.safebrowsing.enabled - false
    • browser.safebrowsing.phishing.enabled - false
    • browser.safebrowsing.malware.enabled - false
  • keyword.enabled true
  • image.webp.enabled false - by hands now

By default your browser trusts 100's of Certificate Authorities (CAs)

Settings -> Privacy & Security -> Certificates

allow self signed:

• network.stricttransportsecurity.preloadlist to False

Random User-Agent by Paramtamtam

require privacy.resistFingerprinting to be disabled

Plugins:

• User-Agent Switcher (GPLv3) https://gitlab.com/ntninja/user-agent-switcher
• MIT http://www.whatuseragent.com/ - github.com - alert(window.navigator.userAgent) - not hide

check User-Agent inside of JavaScript

• alert(window.navigator.userAgent)

permissions.default.image

• 1 – Always load the images
• 2 – Never load the images
• 3 – Don't load third images

• /path/to/firefox –start-debugger-server 6000 -headless
• /path/to/firefox –start-debugger-server ws:6000 -headless
• about:debugging
• https://github.com/mozilla/node-firefox
• https://github.com/saucelabs/foxdriver

https://pythonbasics.org/selenium-firefox-headless/

• https://addons.mozilla.org/en-US/firefox/addon/switcher_proxy/
• https://github.com/vheidari/switcher

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://play.google.com/log?format=json&hasfast=true&authuser=0. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 503.

• about:config
  • security.fileuri.strict_origin_policy

no microphone - alsa - type asym - pcm.capture

• https://wiki.gentoo.org/wiki/ALSA#Soundcard_only_available_for_one_application
• https://forums.gentoo.org/viewtopic-t-1112016-start-0.html

https://mymictest.com/headphone-mic-test https://www.onlinemictest.com/tuners/pitch-detector/

browser.cache.check_doc_frequency

0

Check for a new version of a page once per session (a session starts when the first application window opens and ends when the last application window closes).

1

Check for a new version every time a page is loaded.

2

Never check for a new version - always load the page from cache.

3

Check for a new version when the page is out of date. (Default)

browser.cache.disk.enable or browser.cache.memory.enable must be set to true for this preference to work as mentioned above.

apt install autoconf automake g++ make libtool libtorrent-dev libcurl4-openssl-dev libncurses-dev cmake tmux wget

cd usr/local/src git clone https://github.com/rakshasa/rtorrent wget https://github.com/rakshasa/rtorrent/releases/download/v0.9.8/rtorrent-0.9.8.tar.gz tar xpf rtorrent-0.9.8.tar.gz cd rtorrent-0.9.8

• ldconfig
• autoconf
• ./autogen.sh
• ./configure
• make & make install

Throttling

• a/s/d Increase the upload throttle by 1/5/50 KB.
• z/x/c Decrease the upload throttle by 1/5/50 KB.
• A/S/D Increase the download throttle by 1/5/50 KB.
• Z/X/C Decrease the download throttle by 1/5/50 KB.

main

• ^q quit
• ^s Start download. Runs hash first unless already done.
• ^d Stop an active download, or remove a stopped download.
• ^k Stop and close the files of an active download.
• backspace Add torrent using an URL or file path. Use tab to view directory content and do auto-complete. Also, wildcards can be used. For example: ~/torrent/*
• return Same as backspace, except the torrent remains inactive. (Use ^s to activate)
• l View log. Exit by pressing the space-bar.
• +/- Change priority of torrent.
• ^r Initiate hash check of torrent. Without starting to download/upload.
• alt+shift+r - filter
• shift+L - toggle view layout

keys

• 1 Show all downloads
• 2 Show all downloads, ordered by name
• 3 Show started downloads
• 4 Show stopped downloads
• 5 Show complete downloads
• 6 Show incomplete downloads
• 7 Show hashing downloads
• 8 Show seeding downloads
• 9 Show leeching downloads
• 0 Show active downloads
• * Change the priority of all files
• / Collapse directories. While collapsed, press right to expand the selected directory.
• space Change the file priority; applies recursively when done on a directory

[Throttle 500/600 KB]

• 500/600 - upload/download

[D 15/0]

• Current number of download slots in use/the maximum (the maximum is shown as 0 if unlimited).

[H 1/32]

• Current number of active HTTP requests (for tracker announces and downloads of .torrent files)/the maximum.

[U 3/14]

• Current number of upload slots in use/the maximum, which depends on the global upload rate limit.

[S 6/40/768]

• The three numbers represent handshakes/open sockets/max open sockets.

[F 4/128]

• The two numbers represent open files/max open files. The library dynamically closes the least used files as needed.

lags because of http dns request - they are single-threaded

iptables -t raw -I PREROUTING -p udp –dport 6881 -j CT –notrack iptables -t raw -I OUTPUT -p udp –sport 6881 -j CT –notrack

in gernel:

• Network options -> Network packet filtering framework -> IP: Netfiltering configuration -> [*] raw table support

/etc/systemd/system/rtorrent.service

[Unit]
Description=My daemon

[Service]
Type=forking
User=rtorrent
Group=rtorrent

ExecStartPre=-/bin/rm -f /home/rtorrent/session/rtorrent.lock
ExecStart=/usr/bin/tmux new-session -d rtorrent /usr/local/bin/rtorrent -n -o import=/home/rtorrent/.rtorrent.rc

ExecStop=/usr/bin/killall -w -s INT /usr/local/bin/rtorrent
Restart=on-failure
RestartSec=15
# After=network.target

[Install]
WantedBy=multi-user.target

mail is sent from mail host to mail host using SMTP. Every mail host runs a mail transfer agent (MTA).

• sending: MUA will pipe outgoing mail to the /usr/lib/sendmail application. It will take care of your mail and pass it on to the next mail host.
• receiving: mail delivery agent (MDA) keeps files. When your computer is that mail host, this file is called a spool, and sometimes located in the directory var/spool/mail. All your MUA has to do is read mail from the spool, then.

When your computer is not always connected to the internet, you must get the mail from the remote mail host using a protocol such as POP3 or IMAP.

• IMAP - to retrieve email messages from a mail server over a TCP/IP connection. IMAP is defined by RFC 9051. Leaving email content on the server.
  • 143 – this is the default port which does not provide any encryption
  • 993 - IMAP over SSL/TLS (IMAPS)

• POP3 - POP3 (Post Office Protocol) - older than IMAP, delete message from server after download.

  • Port 110 is the default POP3 port and it is not encrypted.
  • Port 995 – SSL/TLS port, also known as POP3S
  • Modern POP3 clients allow you to keep a copy of your messages on the server if you explicitly select this

  option.

• SMTP - Simple Mail Transfer Protocol (SMTP)

  • 25 - send messages in plain text, although if the mail server supports it, it can be encrypted with

  TLS. Therefore, many Internet service providers block it, as it represents a security risk.

  • Port 2525 is an alternative to the SMTP port 25 and can be encrypted over TLS.
  • 587 – This is the port IANA registered as the secure SMTP port, and it requires an explicit TLS

  connection. However, if the email server does not support TLS, the message will be sent in plain text.

  • Port 465 – SSL/TLS port, also known as SMTPS

• support Maildir and IMAP4 mailboxes
• New messages, message deletions and flag changes can be propagated both ways.

Thread-based e-mail indexer, supporting quick search and tagging

You must tag your folders by hands with "notmuch tag". (maildir.synchronize_flags do only base tagging.) https://github.com/notmuch/notmuch-wiki/blob/master/initial_tagging.mdwn

sync with isyc:

mbsync -aV && notmuch new && notmuch tag --input=filename

+saved – folder:SAVED +sent – folder:Sent +spam – folder:Spam +bks – folder:bks +book – folder:book +pol – folder:pol

installation steps see emacsh#MissingReference

• /var/spool/mail or /var/mail
• net-mail/mailutils

forward email destined for the root user to another email (say a postfix mail account)

• All you need to do is create a file named ".forward" in the "root" directory and on the first line enter the email address you want to forward to.

It is a email header generated at sending email server. private/public key pair. sign each message as it is sent. When a message is sent, we create a hash from the content of the message headers and then use your private key to sign the hash. the public key is added to the DNS records for your domain to broadcast it to the world to help verify your messages.

dig +short _spf.mail.yahoo.com TXT

Receiving Mail Server:

• extract dkim-signature from email header
• validate message using public key from DKIM DNS entry to answer: Was message unchanged?

contains encrypted hash value of email body and headers

• DKIM domain - nslookup -q=TXT brisbane._domainkey.example.net
  • _domainkey - is fixed

DKIM record together with DMARC (and even SPF) you can also protect your domain against malicious emails sent on behalf of your domains

DKIM Selectors - specified in the DKIM-Signature header and indicates where the public key portion of the DKIM keypair exists in DNS. “s=”

• Domains can have multiple public DKIM keys, and the selector value makes sure recipient servers are using the correct public key.

size options Options -> Panel options … -> Use SI size units [New Left Panel] user_format=half type name mark size:4 space mtime

Options -> Panel options … -> Lynx-like motion - lift to parrent, right go in directory

navigation

• C-up/C-down - up down
• page-up/page-down - C/A-v
• C - page-up/page-down down/up by directory
• Tab switch frame
• Alt-1 help
• F4 open in default editor (env EDITOR) or Emacs Dired (env PAGER)
• Enter open in system (mime type) editor
• F9 top menu
  • F9 l g file listing
• Alt + . hiddent files
• Ctrl+Space size of directory
• Alt/Ctrl + s Quick search
• Alt + ? Opens search dialog
• Alt + U/Y move to the next/\previous directory in the history
• Alt+Shift+h history
• Alt + i Sync panels
• Shift + F3 raw preview
• Alt + t loop panel list mode
• Ctrl + u swap panels
• Alt + o load directory to other panel

select files

• Indert/C-t tag file
• +/-*\ - select/unselect/inverse_selected/unselect

console

• Alt + Tab autocompletion in console
• Ctrl + o switch to console and back
• Ctrl/Alt + Enter copy file name to console
• Cltr + Shift + Enter Copy full path to console
• C - H show console history

advanced

• Alt+e change charset of panel
• Alt + , top bottom for long file names

https://klimer.eu/2015/05/01/use-midnight-commander-like-a-pro/

• Writer (Word)
• Calc (Excel)
• Impress (PowerPoint)
• Draw (Visio)
• Math
• Base (Access)

• git clone –depth 1 https://review.coreboot.org/coreboot.git

Download the required submodules:

• git submodule update –depth 1 –init –checkout –recursive
• or git clone –recursive https://review.coreboot.org/coreboot

mkdir -p ~/work/coreboot/3rdparty/blobs/mainboard/lenovo/t420

cd util/ifdtool make

print a partition table, and extract some blobs.

• ifdtool -x flash.bin
• mv flashregion_3_gbe.bin gbe.bin
• mv flashregion_2_intel_me.bin me.bin
• mv flashregion_0_flashdescriptor.bin descriptor.bin
• mv gbe.bin me.bin descriptor.bin coreboot/3rdparty/blobs/mainboard/lenovo/t420/

core:

• make distclean
• make nconfig
• make crossgcc-i386 CPUS=${nproc}
• make iasl
• make
• build/coreboot.rom and .config

flash only bios:

• $./util/ifdtool/ifdtool -f t420.layout t420.bin
• flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=22000 -l t420.layout -i bios –noverify -w coreboot.rom

configuration in nvramcui

• secondary payloads -> nvramcui
• general setup -> option backend to use -> use CMOD for cinfiguration values

• make - already have
• gcc - already have
• iasl - sys-power/iasl
• pkg-config - dev-util/pkgconf - already have
• libssl-dev (openssl) - dev-libs/openssl - already have
• dev-lang/gnat-gpl

optional

• sys-libs/ncurses
• flex and bison

You need to connect CS# (Pin 1 for the W25Q32BV, goes to CS0# on the Raspberry Pi), SO (Pin 2, MISO on RaspberryPi), GND (Pin 4), SI (Pin5, MOSI on Raspberry Pi), SCLK (Pin 6) and Vcc (Pin 8, 3.3V on RaspberryPi, connect before RaspberryPi is powered on!)

My S430 has two of them. The bigger one (8MByte) contains the flash descriptor table and the Intel ME firmware. The smaller one (4MByte) is for the BIOS.

https://www.coreboot.org/Network_console http://pcengines.github.io/apu2-documentation/generating_coreboot_support_logs/

network console

• # openvpn –mktun –dev tap0
• # ip addr add 10.0.1.27/24 dev tap0 (00:13:d4:76:a2:ac) Destination MAC address of remote system (NEW) │ │ (10.0.1.27) Destination IP of logging system (NEW) │ │ (10.0.1.253) IP address of coreboot system (NEW)

• coreinfo is a small payload which can display system information such as PCI info, or an NVRAM dump.
• libpayload used as a basis for coreboot payloads.

https://www.coreboot.org/Coreinfo https://www.coreboot.org/Libpayload

• Ponoma 5250 Test Clip - For connecting to the bios chip.
• Female to Female Breadboard Jumper Cables - Also known as Dupont wires.
• Raspberry Pi(3 or 4) - running the latest version or Raspberry Pi OS
• flashrom - on R PI
• coreboot
• It is a good idea to update the Embedded Controller to the latest version. The easiest way to do this is install the latest version of the factory bios. Coreboot is unable to touch the EC. You will be unable to update it after flashing unless you revert to the factory bios.

• used in conjunction with acceleration in the form of a Type-I hypervisor such as KVM (Kernel-based Virtual Machine) or Xen.
  • Type 1 hypervisor has direct access to the hardware resources.
• KVM as the accelerator of choice due to its GPL licensing and availability
• KVM resides in Linux kernel and there is a little configuration for it

SoftMMU is an overloaded term in QEMU. In terms of features the SoftMMU is the mechanism by which the TCG allows the emulation of virtual memory.

• "system emulation" - rovides a virtual model of an entire machine (CPU, memory and emulated devices) to run a guest OS. In this mode the CPU may be fully emulated, or it may work with a hypervisor such as KVM, Xen, Hax or Hypervisor.Framework to allow the guest to run directly on the host CPU.
  • A softmmu target is the standard qemu use-case of emulating an entire system (like VirtualBox or VMWare, but with optional support for emulating CPU hardware along with peripherals)
• “user mode emulation”, where QEMU can launch processes compiled for one CPU on another CPU. In this mode the

CPU is always emulated. CPU is always emulated.

• user targets execute user-mode code only; the (somewhat shockingly ambitious) purpose of these targets is to "magically" allow importing user-space linux ELF binaries from a different architecture into the native system (that is, they are like multilib, without the awkward need for a software stack or CPU capable of running it).

• qemu-system-x86_64 is the binary or command for Qemu which is used to create 64-bit x86 VMs.

Set RAM or Memory Size For Qemu VM:

• qemu-system-x86_64 -m 256

qemu-system-x86_64 -cdrom iso_image -cpu host -enable-kvm -m 256 -smp cores=2 -m 256 -name poftut.com -nographic file=fedoraraw.qcow2,if=virtio,format=qcow2

• -smp option which will enable multiple CPU cores with the core=2
• -m 256 - w56 MiB
• -name - VM name will be displayed in the Window header of the Qemu
• -nographic - if you need console only
• file=fedoraraw.qcow2,if=virtio - "if" is used to provide the driver or interface type for the disk.
  • virtio - Virtio was chosen to be the main platform for IO virtualization in KVM
• -enable-kvm - starts QEMU in KVM mode
• -cpu host is to emulate the host processor. There is a list of supported architectures available – qemu-system-x86_64 -cpu ?

qemu-system-x86_64 -drive if=pflash,format=raw,readonly,file=build/coreboot.rom -drive file=~/example.img -serial stdio -m 1G

exit:

• Ctrl-A X
• ALT-2 instead of CTRL-ALT-2, then type quit

iso qemu-system-x86_64 -drive format=raw,media=cdrom,readonly,file=debian-8.2.0-amd64-DVD-1.iso

img qemu-system-x86_64 -drive format=raw,file=x86-64.img

text mode:

• -curses - ALT-2 instead of CTRL-ALT-2, then type quit
• -nographic

graphic -vga type:

• std

qemu-img create -f qcow2 example.img 100M

• -f qcow2 - recommended since it is dynamically allocated
• 100M size of image

get info:

• qemu-img info example.img

resize

• qemu-img resize ubuntu.qcow2 +5GB

chech for errors

• qemu-img check ubuntu.qcow2

• Units - are the objects that systemd knows how to manage
• section - denoted by [ and ]

• .service: A service unit describes how to manage a service or application on the server. This will include how to start or stop the service, under which circumstances it should be automatically started, and the dependency and ordering information for related software.
• .socket: A socket unit file describes a network or IPC socket, or a FIFO buffer that systemd uses for socket-based activation. These always have an associated .service file that will be started when activity is seen on the socket that this unit defines.
• .device: A unit that describes a device that has been designated as needing systemd management by udev or the sysfs filesystem. Not all devices will have .device files. Some scenarios where .device units may be necessary are for ordering, mounting, and accessing the devices.
• .mount: This unit defines a mountpoint on the system to be managed by systemd. These are named after the mount path, with slashes changed to dashes. Entries within /etc/fstab can have units created automatically.
• .automount: An .automount unit configures a mountpoint that will be automatically mounted. These must be named after the mount point they refer to and must have a matching .mount unit to define the specifics of the mount.
• .swap: This unit describes swap space on the system. The name of these units must reflect the device or file path of the space.
• .target: A target unit is used to provide synchronization points for other units when booting up or changing states. They also can be used to bring the system to a new state. Other units specify their relation to targets to become tied to the target’s operations.
• .path: This unit defines a path that can be used for path-based activation. By default, a .service unit of the same base name will be started when the path reaches the specified state. This uses inotify to monitor the path for changes.
• .timer: A .timer unit defines a timer that will be managed by systemd, similar to a cron job for delayed or scheduled activation. A matching unit will be started when the timer is reached.
• .snapshot: A .snapshot unit is created automatically by the systemctl snapshot command. It allows you to reconstruct the current state of the system after making changes. Snapshots do not survive across sessions and are used to roll back temporary states.
• .slice: A .slice unit is associated with Linux Control Group nodes, allowing resources to be restricted or assigned to any processes associated with the slice. The name reflects its hierarchical position within the cgroup tree. Units are placed in certain slices by default depending on their type.
• .scope: Scope units are created automatically by systemd from information received from its bus interfaces. These are used to manage sets of system processes that are created externally.

unit

/etc/systemd/system/my.service

[Unit]
Description=My daemon

[Service]
ExecStart=/usr/bin/mydaemon
Restart=on-failure

[Install]
WantedBy=multi-user.target

• X- prefix to the section name - non-standard sections to be parsed by applications other than systemd
• section order does not matter
• 1, yes, on, and true for affirmative and 0, no off, and false for the opposite answer

[Section]
Directive1=value
Directive2=value

[Unit] - first section

• for
  • defining metadata for the unit
  • configuring the relationship of the unit to other units
• Description=
• Documentation=: This directive provides a location for a list of URIs for documentation.
• Requires=: This directive lists any units upon which this unit essentially depends
• Wants=: This directive is similar to Requires=, but less strict.
• BindsTo=: This directive is similar to Requires=, but also causes the current unit to stop when the associated unit terminates.
• Before=: The units listed in this directive will not be started until the current unit is marked as started if they are activated at the same time.
• After=: The units listed in this directive will be started before starting the current unit.
• Conflicts=: This can be used to list units that cannot be run at the same time as the current unit
• Condition…=: There are a number of directives that start with Condition which allow the administrator to test certain conditions prior to starting the unit
• Assert…=: Similar to the directives that start with Condition, these directives check for different aspects of the running environment to decide whether the unit should activate

[Install] - last section (optional) - define the behavior or a unit if it is enabled or disabled

• WantedBy= The difference is that this directive is included in the ancillary unit allowing the primary unit listed to remain relatively clean.
• RequiredBy=: This directive is very similar to the WantedBy= directive, but instead specifies a required dependency that will cause the activation to fail if not met
• Alias=: This directive allows the unit to be enabled under another name as well.
• Also=: This directive allows units to be enabled or disabled as a set.
• DefaultInstance=: For template units (covered later) which can produce unit instances with unpredictable names, this can be used as a fallback value for the name if an appropriate name is not provided.

[Service]

Type=

simple

The main process of the service is specified in the start line. This is the default if the Type= and Busname= directives are not set, but the ExecStart= is set. Any communication should be handled outside of the unit through a second unit of the appropriate type (like through a .socket unit if this unit must communicate using sockets).

forking

This service type is used when the service forks a child process, exiting the parent process almost immediately. This tells systemd that the process is still running even though the parent exited.

oneshot

This type indicates that the process will be short-lived and that systemd should wait for the process to exit before continuing on with other units. This is the default Type= and ExecStart= are not set. It is used for one-off tasks.

dbus

This indicates that unit will take a name on the D-Bus bus. When this happens, systemd will continue to process the next unit.

notify

This indicates that the service will issue a notification when it has finished starting up. The systemd process will wait for this to happen before proceeding to other units.

idle

This indicates that the service will not be run until all jobs are dispatched.

type specific dericitves:

• RemainAfterExit=: This directive is commonly used with the oneshot type. It indicates that the service should be considered active even after the process exits.
• PIDFile=: If the service type is marked as “forking”, this directive is used to set the path of the file that should contain the process ID number of the main child that should be monitored.
• BusName=: This directive should be set to the D-Bus bus name that the service will attempt to acquire when using the “dbus” service type.
• NotifyAccess=: This specifies access to the socket that should be used to listen for notifications when the “notify” service type is selected This can be “none”, “main”, or "all. The default, “none”, ignores all status messages. The “main” option will listen to messages from the main process and the “all” option will cause all members of the service’s control group to be processed.

User=, Group= and SupplementaryGroups= -

ExecStart=: This specifies the full path and the arguments of the command to be executed to start the process. This may only be specified once (except for “oneshot” services). If the path to the command is preceded by a dash “-” character, non-zero exit statuses will be accepted without marking the unit activation as failed.

executable prefixes:

• @ second specified token will be passed as "argv[0]" to the executed process (instead of the actual filename), followed by the further arguments specified
• - non-zero exit code is recorded, but has no further effect and is considered equivalent to success
• : environment variable substitution is not applied.
• + the process is executed with full privileges. User=, Group=, CapabilityBoundingSet=, PrivateDevices=, PrivateTmp= not applied
• ! Similar to the "+" but …
• !! similar to "!" only has an effect on systems lacking support for ambient process capabilities.

other

• ExecStartPre=: This can be used to provide additional commands that should be executed before the main process is started. This can be used multiple times. Again, commands must specify a full path and they can be preceded by “-” to indicate that the failure of the command will be tolerated.
• ExecStartPost=: This has the same exact qualities as ExecStartPre= except that it specifies commands that will be run after the main process is started.
• ExecReload=: This optional directive indicates the command necessary to reload the configuration of the service if available.
• ExecStop=: This indicates the command needed to stop the service. If this is not given, the process will be killed immediately when the service is stopped.
• ExecStopPost=: This can be used to specify commands to execute following the stop command.
• RestartSec=: If automatically restarting the service is enabled, this specifies the amount of time to wait before attempting to restart the service.
• Restart=: This indicates the circumstances under which systemd will attempt to automatically restart the service. This can be set to values like “always”, “on-success”, “on-failure”, “on-abnormal”, “on-abort”, or “on-watchdog”. These will trigger a restart according to the way that the service was stopped.
• TimeoutSec=: This configures the amount of time that systemd will wait when stopping or stopping the service before marking it as failed or forcefully killing it. You can set separate timeouts with TimeoutStartSec= and TimeoutStopSec= as well.

[Socket]

[Automount]

[Swap]

[Path]

[Timer]

[Slice]