| 1 |
-----Original Message----- |
| 2 |
From: Sam Jorna [mailto:wraeth@g.o] |
| 3 |
Sent: Saturday, March 26, 2016 22:12 |
| 4 |
To: gentoo-user@l.g.o |
| 5 |
Subject: Re: [gentoo-user] The Project Begins! |
| 6 |
|
| 7 |
On 27/03/16 12:51, 80x24 wrote: |
| 8 |
> Hunter Jozwiak wrote: |
| 9 |
>> Hello, |
| 10 |
>> |
| 11 |
>> I am going to now host my web site on a Gentoo server. Firstly, is |
| 12 |
>> there a recommended profile for this, or will the default amd64 |
| 13 |
>> profile |
| 14 |
|
| 15 |
It depends on your use-case and preference, but hardened is often a good |
| 16 |
choice for something that will offer external services (as in over the |
| 17 |
Internet). |
| 18 |
|
| 19 |
>> suffice? Or would it be better to use a hardened profile for this task? |
| 20 |
>> Secondly, does Linode offer the requisite information for things you |
| 21 |
>> MUST have while building a kernel? |
| 22 |
|
| 23 |
The Linode configurations, last time I checked, were significantly out of |
| 24 |
date (including their Gentoo deployment image). Depending on your level of |
| 25 |
paranoia, it may be reasonable for you to boot your Linode using their |
| 26 |
rescue environment and perform a stage-3 install that way. |
| 27 |
Otherwise, you can simply deploy their Gentoo image and update/harden as |
| 28 |
necessary. |
| 29 |
|
| 30 |
As for kernel configuration, I don't recall seeing anything specifically, |
| 31 |
however they do include their default kernel configuration in either |
| 32 |
/boot/config* or /proc/config.gz, so you can use that as a base. |
| 33 |
|
| 34 |
>> And finally, I am going to have |
| 35 |
>> multiple servers. Is there a package that I can use to distribute my |
| 36 |
>> built kernels? |
| 37 |
|
| 38 |
There isn't a package, however depending on how you configure the kernel, |
| 39 |
you can either just copy the .config from one host or another, or the kernel |
| 40 |
make program has options to build archives of the built kernel - see `make |
| 41 |
help` for details. |
| 42 |
|
| 43 |
>> Thanks, you guys are awesome, and keep up the good work, |
| 44 |
>> |
| 45 |
>> Hunter |
| 46 |
>> |
| 47 |
> As far as you know how to hardened security of your servers. Normal |
| 48 |
> profile will be good (Though I still recommend hardened if you're |
| 49 |
> familiar with GRsecurity and other ``hardeded'' stuff). |
| 50 |
> |
| 51 |
> If you go with the hardened version, you will also need to build |
| 52 |
> custom kernel and set kernel to pygrub in Linode profile settings |
| 53 |
> (which selects proper generic kernel by default). And yes you will |
| 54 |
> need a bootloader. |
| 55 |
|
| 56 |
Hardened is not one be-all solution - you can use some hardened features and |
| 57 |
not others. For example, you can convert to the hardened profile and do not |
| 58 |
necessarily need to use hardened-sources. Similarly, if you *do* use |
| 59 |
hardened-sources, you do not need to enable an RBAC (such as GRSecurity or |
| 60 |
SELinux). |
| 61 |
|
| 62 |
If you do use PaX in the kernel, though, you will need to also be on a |
| 63 |
hardened profile to have binaries marked appropriately. |
| 64 |
|
| 65 |
Cheers; |
| 66 |
-- |
| 67 |
Sam Jorna (wraeth) <wraeth@g.o> |
| 68 |
GnuPG Key: D6180C26 |
| 69 |
Okay. Thanks for that information. Is there a more descriptive version of |
| 70 |
the twenty USE flags I should use for Apache, because the index is rather |
| 71 |
vague. I pulled up the wiki page, clicked on a link that was attached to one |
| 72 |
of the USE flags, which in turn opened up another three hundred plus USE |
| 73 |
opportunities. |
Archives