Patrick Lauer wrote:

> I've been thinking about a restricted profile for servers. It should be
> minimal (no crap useflags) and as secure as possible by default.
> What I think should be in there:

I've actually been meaning to work through such a profile for a while
now, just haven't had time yet.

> - no X and multimedia useflags by default (-esd -gnome -gtk -kde ...)

Off by default, yes; it shouldn't be in use.mask, however.

> - put a dhcp client back in system. Not having that sucks, and we can
> spare the 135kB installed.

I suppose this is ok, though I still think this needs to be up to the
admin. It's not just the concern about the space it uses, but it's another
piece of a puzzle someone may not want on their system.

> - put gentoolkit in. equery, revdep-rebuild etc. are needed.

Yup, good idea.

> - having cron, atd, ... in system would be nice, do we want that?

Leave this up to the sysadmin to decide.

> - use as much from hardened profiles as we can. SSP is good :-)

I'd say use the hardened profile as a nice model to go after. It
wouldn't take much to remove hardened-specific parts of that profile and
create a new basic one out of it. We should still have separate profiles
from them. Generally, their profile is perfect for a server if you want
hardened-related stuff.

> (- use hardened-sources by default if possible, PaX etc. is very very
> good )

Leave the kernel source choice up to the sysadmin.

> - keep default CFLAGS simple - "-O2 -pipe" should be good enough

Yup

> What applications do you install on every system? What should be
> provided for logging, monitoring, intrusion detection?
> Is there anything that sucks in the default profiles?

I don't think we should add much in the system profile. This decision
should still be up to the sysadmin. The hardened profile pretty much
sums up a good format for a basic server install.

-- 
Lance Albertson <ramereth@g.o>
Gentoo Infrastructure | Operations Manager

---
GPG Public Key: <http://www.ramereth.net/lance.asc>
Key fingerprint: 0423 92F3 544A 1282 5AB1 4D07 416F A15D 27F4 B742

ramereth/irc.freenode.net
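The distinction Lance draws above ("off by default" in the profile versus listed in use.mask) is the difference between a default the admin can override in make.conf and a flag the admin cannot turn on at all. The following is an added example, not code from the thread or from Portage itself: a deliberately small Python model of how those three sources (profile make.defaults, profile use.mask, admin make.conf) combine into a package's effective USE set. Real Portage has more layers (package.use, IUSE defaults, USE_ORDER) that this model omits; the flag names come from the thread, and the package IUSE set is a constructed placeholder.

```python
"""Toy model of Portage USE resolution for the profile-vs-use.mask question.

Sources, in the order they are applied here (later wins):
  1. profile make.defaults  USE="..."   (a default the admin may override)
  2. admin make.conf        USE="..."   (the sysadmin's choice)
  3. profile use.mask                   (forced off; make.conf cannot re-enable)

This is an illustrative simplification, not Portage's actual implementation.
"""


def parse_use(line):
    """Split a USE= style string into (enabled, disabled) sets.

    Within one string a later token overrides an earlier one, so
    "-gnome gnome" ends up enabling gnome.
    """
    enabled, disabled = set(), set()
    for tok in line.split():
        if tok.startswith("-"):
            flag = tok[1:]
            disabled.add(flag)
            enabled.discard(flag)
        else:
            enabled.add(tok)
            disabled.discard(tok)
    return enabled, disabled


def effective_use(profile_defaults, use_mask, admin_use, iuse):
    """Return the sorted list of flags actually enabled for a package.

    profile_defaults: USE line from the profile's make.defaults
    use_mask:         whitespace-separated flags from the profile's use.mask
    admin_use:        USE line from the admin's make.conf
    iuse:             the flags the package understands (its IUSE)
    """
    enabled = set()
    # make.defaults first, then make.conf on top of it.
    for source in (profile_defaults, admin_use):
        on, off = parse_use(source)
        enabled |= on
        enabled -= off
    # use.mask is applied last: it wins regardless of what make.conf said.
    enabled -= set(use_mask.split())
    return sorted(flag for flag in enabled if flag in iuse)


def admin_can_enable(flag, use_mask):
    """True if make.conf is able to switch the flag on (i.e. it is not masked)."""
    return flag not in use_mask.split()


if __name__ == "__main__":
    # Constructed placeholder IUSE for some hypothetical server package.
    iuse = {"gnome", "gtk", "esd", "kde", "ssl", "pam"}
    profile = "-esd -gnome -gtk -kde ssl pam"   # flags from the thread, plus two extras

    # Profile approach: defaults off, admin re-enables gnome in make.conf.
    print(effective_use(profile, "", "gnome", iuse))        # ['gnome', 'pam', 'ssl']
    # use.mask approach: the same make.conf line has no effect on gnome.
    print(effective_use(profile, "gnome", "gnome", iuse))   # ['pam', 'ssl']
    print(admin_can_enable("gnome", ""), admin_can_enable("gnome", "gnome"))
```

The practical consequence for a server profile is the one Lance points at: setting `USE="-esd -gnome -gtk -kde"` in make.defaults keeps the attack surface small on a fresh install while still letting an admin who needs one of those flags enable it, whereas use.mask would take that decision away from the sysadmin entirely.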