| 1 |
Hi all, |
| 2 |
|
| 3 |
I've been thinking about a restricted profile for servers. It should be |
| 4 |
minimal (no crap useflags) and as secure as possible by default. |
| 5 |
What I think should be in there: |
| 6 |
|
| 7 |
- no X and multimedia useflags by default (-esd -gnome -gtk -kde ...) |
| 8 |
- put a dhcp client back in system. Not having that sucks, and we can |
| 9 |
spare the 135kB installed. |
| 10 |
- put gentoolkit in. equery, revdep-rebuild etc. are needed. |
| 11 |
- having cron, atd, ... in system would be nice, do we want that? |
| 12 |
- use as much from hardened profiles as we can. SSP is good :-) |
| 13 |
(- use hardened-sources by default if possible, PaX etc. is very very |
| 14 |
good ) |
| 15 |
- keep default CFLAGS simple - "-O2 -pipe" should be good enough |
| 16 |
- no LDFLAGS unless there are no known bugs (e.g. "-O1" breaks prelink |
| 17 |
in some cases) |
| 18 |
|
| 19 |
What applications do you install on every system? What sshould be |
| 20 |
provided for logging, monitoring, intrusion detection? |
| 21 |
Is there anything that sucks in the default profiles? |
| 22 |
|
| 23 |
Thanks for the feedback, |
| 24 |
|
| 25 |
Patrick |
| 26 |
-- |
| 27 |
Stand still, and let the rest of the universe move |
Archives