> - no X and multimedia useflags by default (-esd -gnome -gtk -kde ...)

Actually, I find myself having to install at least the basic xorg stuff
on servers lately due to various java dependencies (app servers
and monitoring software/etc) - but I try to keep it as minimal as
possible. I know that is controversial, but I'd vote to keep the X
flag in. After all, it's just a little more disk space and compile time.

> - put a dhcp client back in system. Not having that sucks, and we can
> spare the 135kB installed.

Agreed.

> - put gentoolkit in. equery, revdep-rebuild etc. are needed.

Yes, and sysstat, pci-utils, mtr, telnet client (for testing port
connections), etc.

> - having cron, atd, ... in system would be nice, do we want that?

I'd vote no. I have never found any agreement by sysadmins about
which cron daemons work best. And, many boxes don't require it.

> - use as much from hardened profiles as we can. SSP is good :-)
> (- use hardened-sources by default if possible, PaX etc. is very very
> good )

Absolutely.

> - keep default CFLAGS simple - "-O2 -pipe" should be good enough
> - no LDFLAGS unless there are no known bugs (e.g. "-O1" breaks prelink
> in some cases)
>
> What applications do you install on every system? What should be
> provided for logging, monitoring, intrusion detection?
> Is there anything that sucks in the default profiles?

Personally, I cannot stand ssmtp - the first thing I have to do on every box
is uninstall it and install postfix.

I also wish iptables, ifenslave, and iproute2 were included by default.

I also enable keepalives, disable pam authentication, and require
key authentication in the ssh server.

For monitoring, I use the hyperic-hq-agent (which is commercial, but cheap:
http://www.hyperic.net/).

For logging, I am experimenting with splunk (http://www.splunk.com/), but I
don't think there are any ebuilds yet. It has some kind of dual license where
the basic stuff is free, and the professional is $$.

Going forward, the new portage logging stuff is pretty cool. Getting an email
every time a package upgrade generates log messages is refreshing.

Matt
--
gentoo-server@g.o mailing list
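The sshd settings Matt lists (keepalives on, PAM off, key-only logins) turned into an audit check a sysadmin could run against a box's sshd_config. This is an added example, not code from the thread; the config it parses is constructed inline, and the function and file names are my own.

```shell
#!/bin/sh
# Added example, not from the original thread: audit an sshd_config for
# keepalives, UsePAM off and key-only logins. sshd honours the FIRST
# occurrence of a keyword, keyword names are case-insensitive, and lines
# after "Match" are conditional, so the check mirrors those rules rather
# than grepping for the last value it happens to see.

# effective_value FILE KEYWORD: print the value sshd would use globally ("" if unset)
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        tolower($1) == "match" { exit }       # global section ends at first Match
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# audit_sshd_config FILE: print one line per finding; return status = number of findings
audit_sshd_config() {
    n=0
    case "$(effective_value "$1" ClientAliveInterval)" in
        ''|0) echo "ClientAliveInterval unset or 0: server keepalives are off"; n=$((n+1)) ;;
    esac
    v=$(lower "$(effective_value "$1" UsePAM)")
    [ "$v" = no ] || { echo "UsePAM is '${v:-default}': PAM authentication still enabled"; n=$((n+1)); }
    v=$(lower "$(effective_value "$1" PasswordAuthentication)")
    [ "$v" = no ] || { echo "PasswordAuthentication is '${v:-default}': passwords still accepted"; n=$((n+1)); }
    v=$(lower "$(effective_value "$1" PubkeyAuthentication)")
    [ "$v" != no ] || { echo "PubkeyAuthentication is no: key logins disabled"; n=$((n+1)); }
    return "$n"
}

# write_sample_config FILE: constructed sshd_config that exercises the parsing rules
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample for illustration, not a real host's config
Port 22
#UsePAM no
usepam yes
ClientAliveInterval 60
PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PubkeyAuthentication no
EOF
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config ; nonzero exit = findings present
if [ "$#" -gt 0 ]; then audit_sshd_config "$1"; fi
```

On the constructed sample the only finding is UsePAM, because the commented-out `#UsePAM no` is ignored, the first `PasswordAuthentication no` wins over the later `yes`, and the `PubkeyAuthentication no` sits inside a Match block.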