| 1 |
> > - put a dhcp client back in system. Not having that sucks, |
| 2 |
> and we can |
| 3 |
> > spare the 135kB installed. |
| 4 |
> |
| 5 |
> I suppose this is ok, though I still think this needs to be |
| 6 |
> up to the admin. Its not just the concern about the space it |
| 7 |
> uses, but its another piece of a puzzle someone may not want |
| 8 |
> on their system. |
| 9 |
|
| 10 |
I think with most people, we emerge the dhcp client when we're first setting |
| 11 |
up the box but once all is settled down, we just turn it off. It *IS* handy |
| 12 |
to have it there when you first get going because your bouncing it a few |
| 13 |
times and it's just not an important task at the beginning to set ip, mask, |
| 14 |
broadcast when you're not sure what the ultimate IP is gonna be, you can |
| 15 |
easily just rc-update add it to default, etc., etc., blah, blah, blah. |
| 16 |
|
| 17 |
> > - put gentoolkit in. equery, revdep-rebuild etc. are needed. |
| 18 |
> |
| 19 |
> Yup, good idea. |
| 20 |
> |
| 21 |
> > - having cron, atd, ... in system would be nice, do we want that? |
| 22 |
> |
| 23 |
> Leave this up to the sysadmin to decide. |
| 24 |
> |
| 25 |
> > - use as much from hardened profiles as we can. SSP is good :-) |
| 26 |
> |
| 27 |
> I'd say use the hardened profile as a nice model to go after. |
| 28 |
> It wouldn't take much to remove hardened specific parts of |
| 29 |
> that profile and create a new basic one out of it. We should |
| 30 |
> still have separate profiles from them. Generally, their |
| 31 |
> profile is perfect for a server if you want hardened related stuff. |
| 32 |
> |
| 33 |
> > (- use hardened-sources by default if possible, PaX etc. is |
| 34 |
> very very |
| 35 |
> > good ) |
| 36 |
> |
| 37 |
> Leave the kernel source choice up to the sysadmin |
| 38 |
|
| 39 |
Yes, the kernel source and the ipchains are a matter of choice. They are |
| 40 |
completely different, for example, setting up an internal server for http |
| 41 |
versus a bastion host for ftp. You can always tighten the screws as you see |
| 42 |
fit. I would suggest, though, even using "USE=hardened" as a minimum for any |
| 43 |
server. |
| 44 |
|
| 45 |
> > - keep default CFLAGS simple - "-O2 -pipe" should be good enough |
| 46 |
> |
| 47 |
> Yup |
| 48 |
> |
| 49 |
> > What applications do you install on every system? What sshould be |
| 50 |
> > provided for logging, monitoring, intrusion detection? |
| 51 |
> > Is there anything that sucks in the default profiles? |
| 52 |
> |
| 53 |
> I don't think we should add much in the system profile. This |
| 54 |
> decision should still be up to the sysadmin. The hardened |
| 55 |
> profile pretty much sums up a good format for a basic server install. |
| 56 |
|
| 57 |
screen !!!! |
| 58 |
|
| 59 |
And to comment on kashani's note, even if we do only get 50% of the way to |
| 60 |
everyone's "standard server setup", it's still further along than building |
| 61 |
one from scratch. We could probably all build our own tools for this but in |
| 62 |
the long run, it would be quite useful for the community to have a baseline |
| 63 |
from which they can build they own servers and branch as is needed for each |
| 64 |
instance. |
| 65 |
|
| 66 |
-- |
| 67 |
Bill |
| 68 |
-- |
| 69 |
gentoo-server@g.o mailing list |
Archives