-----Original Message-----
From: Sam Jorna [mailto:wraeth@g.o]
Sent: Saturday, March 26, 2016 22:12
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] The Project Begins!

On 27/03/16 12:51, 80x24 wrote:
> Hunter Jozwiak wrote:
>> Hello,
>>
>> I am going to now host my web site on a Gentoo server. Firstly, is
>> there a recommended profile for this, or will the default amd64
>> profile

It depends on your use-case and preference, but hardened is often a good
choice for something that will offer external services (as in over the
Internet).

>> suffice? Or would it be better to use a hardened profile for this task?
>> Secondly, does Linode offer the requisite information for things you
>> MUST have while building a kernel?

The Linode configurations, last time I checked, were significantly out of
date (including their Gentoo deployment image). Depending on your level of
paranoia, it may be reasonable for you to boot your Linode using their
rescue environment and perform a stage-3 install that way.
Otherwise, you can simply deploy their Gentoo image and update/harden as
necessary.

As for kernel configuration, I don't recall seeing anything specifically,
however they do include their default kernel configuration in either
/boot/config* or /proc/config.gz, so you can use that as a base.

>> And finally, I am going to have
>> multiple servers. Is there a package that I can use to distribute my
>> built kernels?

There isn't a package, however depending on how you configure the kernel,
you can either just copy the .config from one host or another, or the kernel
make program has options to build archives of the built kernel - see `make
help` for details.

>> Thanks, you guys are awesome, and keep up the good work,
>>
>> Hunter
>>
> As far as you know how to harden security of your servers. Normal
> profile will be good (Though I still recommend hardened if you're
> familiar with GRsecurity and other ``hardened'' stuff).
>
> If you go with the hardened version, you will also need to build
> custom kernel and set kernel to pygrub in Linode profile settings
> (which selects proper generic kernel by default). And yes you will
> need a bootloader.

Hardened is not one be-all solution - you can use some hardened features and
not others. For example, you can convert to the hardened profile and do not
necessarily need to use hardened-sources. Similarly, if you *do* use
hardened-sources, you do not need to enable an RBAC (such as GRSecurity or
SELinux).

If you do use PaX in the kernel, though, you will need to also be on a
hardened profile to have binaries marked appropriately.

Cheers;
--
Sam Jorna (wraeth) <wraeth@g.o>
GnuPG Key: D6180C26

Okay. Thanks for that information. Is there a more descriptive version of
the twenty USE flags I should use for Apache, because the index is rather
vague. I pulled up the wiki page, clicked on a link that was attached to one
of the USE flags, which in turn opened up another three hundred plus USE
opportunities.
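
The kernel advice quoted above (use the provider's config from /proc/config.gz or /boot/config* as a base, then let the kernel's own make targets build an archive) can be scripted as follows. This is an added example, not part of the original thread: the function names and the /usr/src/linux default are assumptions, while `olddefconfig` and `targz-pkg` are targets listed by the kernel's `make help`.

```shell
#!/bin/sh
# Added example: seed a kernel .config from the provider's shipped config,
# then build a tar.gz of the kernel for copying to other hosts.
# Function names are hypothetical; /usr/src/linux is an assumed source path.

# Print the first readable base config. With no arguments, search the
# locations named in the thread; arguments override the search list.
find_base_config() {
    if [ "$#" -eq 0 ]; then
        set -- /proc/config.gz "/boot/config-$(uname -r)" /boot/config*
    fi
    for f in "$@"; do
        if [ -r "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Copy a base config to the destination, decompressing it when gzip'd
# (as /proc/config.gz is).
seed_config() {
    src=$1
    dest=$2
    case $src in
        *.gz) gzip -dc -- "$src" > "$dest" ;;
        *)    cp -- "$src" "$dest" ;;
    esac
}

# Seed .config, accept defaults for options the old config does not know,
# and build the archive. The archive's name and location depend on the
# kernel version; `make help` describes the packaging targets.
build_kernel_archive() {
    ksrc=${1:-/usr/src/linux}
    base=$(find_base_config) || { echo "no base config found" >&2; return 1; }
    seed_config "$base" "$ksrc/.config" || return 1
    make -C "$ksrc" olddefconfig &&
        make -C "$ksrc" -j"$(nproc)" targz-pkg
}
```

Run `build_kernel_archive` on one host, then unpack the resulting archive on the others; a hardened-sources tree can be passed as the first argument instead of the default path.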