> > - put a dhcp client back in system. Not having that sucks, and we can
> > spare the 135kB installed.
>
> I suppose this is ok, though I still think this needs to be
> up to the admin. It's not just the concern about the space it
> uses, but it's another piece of a puzzle someone may not want
> on their system.

I think with most people, we emerge the dhcp client when we're first setting
up the box but once all is settled down, we just turn it off. It *IS* handy
to have it there when you first get going because you're bouncing it a few
times and it's just not an important task at the beginning to set ip, mask,
broadcast when you're not sure what the ultimate IP is gonna be, you can
easily just rc-update add it to default, etc., etc., blah, blah, blah.

> > - put gentoolkit in. equery, revdep-rebuild etc. are needed.
>
> Yup, good idea.
>
> > - having cron, atd, ... in system would be nice, do we want that?
>
> Leave this up to the sysadmin to decide.
>
> > - use as much from hardened profiles as we can. SSP is good :-)
>
> I'd say use the hardened profile as a nice model to go after.
> It wouldn't take much to remove hardened specific parts of
> that profile and create a new basic one out of it. We should
> still have separate profiles from them. Generally, their
> profile is perfect for a server if you want hardened related stuff.
>
> > (- use hardened-sources by default if possible, PaX etc. is very very
> > good )
>
> Leave the kernel source choice up to the sysadmin

Yes, the kernel source and the ipchains are a matter of choice. They are
completely different, for example, setting up an internal server for http
versus a bastion host for ftp. You can always tighten the screws as you see
fit. I would suggest, though, even using "USE=hardened" as a minimum for any
server.

> > - keep default CFLAGS simple - "-O2 -pipe" should be good enough
>
> Yup
>
> > What applications do you install on every system? What should be
> > provided for logging, monitoring, intrusion detection?
> > Is there anything that sucks in the default profiles?
>
> I don't think we should add much in the system profile. This
> decision should still be up to the sysadmin. The hardened
> profile pretty much sums up a good format for a basic server install.

screen !!!!

And to comment on kashani's note, even if we do only get 50% of the way to
everyone's "standard server setup", it's still further along than building
one from scratch. We could probably all build our own tools for this but in
the long run, it would be quite useful for the community to have a baseline
from which they can build their own servers and branch as is needed for each
instance.

--
Bill
--
gentoo-server@g.o mailing list