I don't see why you'd want to have a dhcp client on a server but anyway...
How about the profile contains minimal packages, like say no productivity/office packages, no X like you said, no games (besides maybe game servers), basically clear out everything that doesn't make sense on a server.

A great idea would be something like virtual packages with flexible use flags that represent useful combinations of packages on production servers. What I'm getting at is this: There are some great "Howto this with that and that" articles in the gentoo sysadmin docs as well as www.gentoo-wiki.com. Why not create say -- a virtual_postfix package with appropriate use flags to combine say your choice of imap/pop server, db backend, authentication system, antivirus and spamfilters -- all in one package! It might even be better if such a package's default use flags are so useful that most would use it - a sort of standard.

Another issue I find very taxing is scanning through config files during/after updates to try to catch the configs that would break my setup. Can't we have some means to check whether or not the admin has ever edited a config file by hand and if so be more don't auto update but if so do. I guess I'm getting at a more complex config management system. It might also have helped if config files were more standard - say if they all used some vaguely similar xml format

-----Original Message-----
From: Patrick Lauer [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 28, 2006 12:37 PM
To: [email protected]
Subject: [gentoo-server] Ideas for a server profile?

Hi all,

I've been thinking about a restricted profile for servers. It should be minimal (no crap useflags) and as secure as possible by default.

What I think should be in there:
- no X and multimedia useflags by default (-esd -gnome -gtk -kde ...)
- put a dhcp client back in system. Not having that sucks, and we can spare the 135kB installed.
- put gentoolkit in. equery, revdep-rebuild etc. are needed.
- having cron, atd, ... in system would be nice, do we want that?
- use as much from hardened profiles as we can. SSP is good :-)
(- use hardened-sources by default if possible, PaX etc. is very very good )
- keep default CFLAGS simple - "-O2 -pipe" should be good enough
- no LDFLAGS unless there are no known bugs (e.g. "-O1" breaks prelink in some cases)

What applications do you install on every system?
What should be provided for logging, monitoring, intrusion detection?
Is there anything that sucks in the default profiles?

Thanks for the feedback,

Patrick
--
Stand still, and let the rest of the universe move

--
[email protected] mailing list
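Added example, not part of either message in this thread: one way to tell hand-edited config files from untouched ones, as the reply above asks for, is to compare each file under /etc with the checksum recorded when the package was installed. The sketch assumes manifest lines of the form `obj <path> <md5> <mtime>` (the layout Portage writes to a package's CONTENTS file); the function names, file contents and paths are constructed for illustration.

```python
import hashlib
import os
import tempfile


def parse_manifest(text):
    """Return {path: md5} from 'obj <path> <md5> <mtime>' lines; dir/sym lines are skipped."""
    recorded = {}
    for line in text.splitlines():
        if line.startswith("obj "):
            # Paths may contain spaces, so peel the two trailing fields from the right.
            path, md5, _mtime = line[4:].rsplit(" ", 2)
            recorded[path] = md5.lower()
    return recorded


def md5_of(path):
    with open(path, "rb") as fh:  # config files are small; MD5 is bookkeeping here
        return hashlib.md5(fh.read()).hexdigest()


def classify(recorded, root="/", prefix="/etc/"):
    """Map each recorded config path to 'pristine', 'edited' or 'missing'."""
    result = {}
    for path, md5 in sorted(recorded.items()):
        if not path.startswith(prefix):
            continue
        on_disk = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(on_disk):
            result[path] = "missing"
        elif md5_of(on_disk) == md5:
            result[path] = "pristine"  # never touched: safe to auto-update
        else:
            result[path] = "edited"    # changed by hand: hold for manual merge
    return result


def demo():
    """Constructed sample: two shipped files, one then edited, one never installed."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc/postfix"))
        shipped = {"/etc/postfix/main.cf": b"myhostname = example\n",
                   "/etc/postfix/master.cf": b"smtp inet n - n - - smtpd\n"}
        manifest = "dir /etc/postfix\nobj /etc/postfix/aliases " + "0" * 32 + " 1141126620\n"
        for path, data in shipped.items():
            with open(os.path.join(root, path.lstrip("/")), "wb") as fh:
                fh.write(data)
            manifest += f"obj {path} {hashlib.md5(data).hexdigest()} 1141126620\n"
        with open(os.path.join(root, "etc/postfix/main.cf"), "ab") as fh:
            fh.write(b"relayhost = [mail.example]\n")  # simulated hand edit
        return classify(parse_manifest(manifest), root=root)
```

Files reported as `pristine` could be replaced by the new packaged version without review, while `edited` ones are the only ones an admin would need to merge by hand.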
