> > - put a dhcp client back in system. Not having that sucks, and we can
> > spare the 135kB installed.
> 
> I suppose this is ok, though I still think this needs to be 
> up to the admin. It's not just the concern about the space it 
> uses, but it's another piece of a puzzle someone may not want 
> on their system.

I think with most people, we emerge the dhcp client when we're first setting
up the box but once all is settled down, we just turn it off. It *IS* handy
to have it there when you first get going because you're bouncing it a few
times and it's just not an important task at the beginning to set ip, mask,
broadcast when you're not sure what the ultimate IP is gonna be, you can
easily just rc-update add it to default, etc., etc., blah, blah, blah.

> > - put gentoolkit in. equery, revdep-rebuild etc. are needed.
> 
> Yup, good idea.
> 
> > - having cron, atd, ... in system would be nice, do we want that?
> 
> Leave this up to the sysadmin to decide.
> 
> > - use as much from hardened profiles as we can. SSP is good :-)
> 
> I'd say use the hardened profile as a nice model to go after. 
> It wouldn't take much to remove hardened specific parts of 
> that profile and create a new basic one out of it. We should 
> still have separate profiles from them. Generally, their 
> profile is perfect for a server if you want hardened related stuff.
> 
> > (- use hardened-sources by default if possible, PaX etc. is very very
> > good )
> 
> Leave the kernel source choice up to the sysadmin

Yes, the kernel source and the ipchains are a matter of choice. They are
completely different, for example, setting up an internal server for http
versus a bastion host for ftp. You can always tighten the screws as you see
fit. I would suggest, though, even using "USE=hardened" as a minimum for any
server.

> > - keep default CFLAGS simple - "-O2 -pipe" should be good enough
> 
> Yup
> 
> > What applications do you install on every system? What should be 
> > provided for logging, monitoring, intrusion detection?
> > Is there anything that sucks in the default profiles?
> 
> I don't think we should add much in the system profile. This 
> decision should still be up to the sysadmin. The hardened 
> profile pretty much sums up a good format for a basic server install.

screen !!!!

And to comment on kashani's note, even if we do only get 50% of the way to
everyone's "standard server setup", it's still further along than building
one from scratch. We could probably all build our own tools for this but in
the long run, it would be quite useful for the community to have a baseline
from which they can build their own servers and branch as is needed for each
instance.

--
Bill
-- 
[email protected] mailing list
