Hi all,

I've been thinking about a restricted profile for servers. It should be
minimal (no crap useflags) and as secure as possible by default.
What I think should be in there:

- no X and multimedia useflags by default (-esd -gnome -gtk -kde ...)
- put a dhcp client back in system. Not having that sucks, and we can
  spare the 135kB installed.
- put gentoolkit in. equery, revdep-rebuild etc. are needed.
- having cron, atd, ... in system would be nice, do we want that?
- use as much from hardened profiles as we can. SSP is good :-)
(- use hardened-sources by default if possible, PaX etc. is very very
  good)
- keep default CFLAGS simple - "-O2 -pipe" should be good enough
- no LDFLAGS unless there are no known bugs (e.g. "-O1" breaks prelink
  in some cases)

What applications do you install on every system? What should be
provided for logging, monitoring, intrusion detection?
Is there anything that sucks in the default profiles?

Thanks for the feedback,

Patrick
--
Stand still, and let the rest of the universe move