| 1 |
> - no X and multimedia useflags by default (-esd -gnome -gtk -kde ...) |
| 2 |
|
| 3 |
Actually, I find myself having to install at least the basic xorg stuff |
| 4 |
on servers lately due to various java dependencies(app servers |
| 5 |
and monitoring software/etc) - but I try to keep it as minimal as |
| 6 |
possible. I know that is controversial, but I'd vote to keep the X |
| 7 |
flag in. After all, its just a little more disk space and compile time. |
| 8 |
|
| 9 |
> - put a dhcp client back in system. Not having that sucks, and we can |
| 10 |
> spare the 135kB installed. |
| 11 |
|
| 12 |
Agreed. |
| 13 |
|
| 14 |
> - put gentoolkit in. equery, revdep-rebuild etc. are needed. |
| 15 |
|
| 16 |
Yes, and sysstat, pci-utils, mtr, telnet client (for testing port |
| 17 |
connections), etc. |
| 18 |
|
| 19 |
> - having cron, atd, ... in system would be nice, do we want that? |
| 20 |
|
| 21 |
I'd vote no. I have never found any agreement by sysadmins about |
| 22 |
which cron daemons work best. And, many boxes dont require it. |
| 23 |
|
| 24 |
> - use as much from hardened profiles as we can. SSP is good :-) |
| 25 |
> (- use hardened-sources by default if possible, PaX etc. is very very |
| 26 |
> good ) |
| 27 |
|
| 28 |
absolutely. |
| 29 |
|
| 30 |
> - keep default CFLAGS simple - "-O2 -pipe" should be good enough |
| 31 |
> - no LDFLAGS unless there are no known bugs (e.g. "-O1" breaks prelink |
| 32 |
> in some cases) |
| 33 |
> |
| 34 |
> What applications do you install on every system? What sshould be |
| 35 |
> provided for logging, monitoring, intrusion detection? |
| 36 |
> Is there anything that sucks in the default profiles? |
| 37 |
|
| 38 |
Personally, I can not stand ssmtp - the first thing I have to do on every box |
| 39 |
is uninstall it and install postfix. |
| 40 |
|
| 41 |
I also wish iptables, ifenslave, and iproute2 were included by default. |
| 42 |
|
| 43 |
I also enable keep alives, disable pam authentication, and require |
| 44 |
key authentication in the ssh server. |
| 45 |
|
| 46 |
For monitoring, I use the hyperic-hq-agent (which is commercial, but cheap: |
| 47 |
http://www.hyperic.net/). |
| 48 |
|
| 49 |
For logging, I am experimenting with splunk (http://www.splunk.com/), but I |
| 50 |
dont think there are any ebuilds yet. It has some kind of dual license where |
| 51 |
the basic stuff is free, and the professional is $$. |
| 52 |
|
| 53 |
Going forward, the new portage logging stuff is pretty cool. Getting an email |
| 54 |
every time a package upgrade generates log messeges is refreshing. |
| 55 |
|
| 56 |
Matt |
| 57 |
-- |
| 58 |
gentoo-server@g.o mailing list |
Archives