Patrick Lauer wrote:
> I've been thinking about a restricted profile for servers. It should be
> minimal (no crap useflags) and as secure as possible by default.
> What I think should be in there:

I've actually been meaning to work through such a profile for a while now, just haven't had time yet.

> - no X and multimedia useflags by default (-esd -gnome -gtk -kde ...)

Off by default yes, it shouldn't be in use.mask however.

> - put a dhcp client back in system. Not having that sucks, and we can
> spare the 135kB installed.

I suppose this is ok, though I still think this needs to be up to the admin. It's not just the concern about the space it uses, but it's another piece of a puzzle someone may not want on their system.

> - put gentoolkit in. equery, revdep-rebuild etc. are needed.

Yup, good idea.

> - having cron, atd, ... in system would be nice, do we want that?

Leave this up to the sysadmin to decide.

> - use as much from hardened profiles as we can. SSP is good :-)

I'd say use the hardened profile as a nice model to go after. It wouldn't take much to remove hardened specific parts of that profile and create a new basic one out of it. We should still have separate profiles from them. Generally, their profile is perfect for a server if you want hardened related stuff.

> (- use hardened-sources by default if possible, PaX etc. is very very
> good )

Leave the kernel source choice up to the sysadmin

> - keep default CFLAGS simple - "-O2 -pipe" should be good enough

Yup

> What applications do you install on every system? What should be
> provided for logging, monitoring, intrusion detection?
> Is there anything that sucks in the default profiles?

I don't think we should add much in the system profile. This decision should still be up to the sysadmin. The hardened profile pretty much sums up a good format for a basic server install.

-- 
Lance Albertson <[EMAIL PROTECTED]>
Gentoo Infrastructure | Operations Manager

---
GPG Public Key: <http://www.ramereth.net/lance.asc>
Key fingerprint: 0423 92F3 544A 1282 5AB1 4D07 416F A15D 27F4 B742

ramereth/irc.freenode.net
