Hi all, I've been thinking about a restricted profile for servers. It should be minimal (no crap useflags) and as secure as possible by default. What I think should be in there:
- no X and multimedia useflags by default (-esd -gnome -gtk -kde ...) - put a dhcp client back in system. Not having that sucks, and we can spare the 135kB installed. - put gentoolkit in. equery, revdep-rebuild etc. are needed. - having cron, atd, ... in system would be nice, do we want that? - use as much from hardened profiles as we can. SSP is good :-) (- use hardened-sources by default if possible, PaX etc. is very very good ) - keep default CFLAGS simple - "-O2 -pipe" should be good enough - no LDFLAGS unless there are no known bugs (e.g. "-O1" breaks prelink in some cases) What applications do you install on every system? What sshould be provided for logging, monitoring, intrusion detection? Is there anything that sucks in the default profiles? Thanks for the feedback, Patrick -- Stand still, and let the rest of the universe move
signature.asc
Description: This is a digitally signed message part
