> - no X and multimedia useflags by default (-esd -gnome -gtk -kde ...)

Actually, I find myself having to install at least the basic xorg stuff on servers lately due to various java dependencies (app servers and monitoring software, etc.) - but I try to keep it as minimal as possible. I know that is controversial, but I'd vote to keep the X flag in. After all, it's just a little more disk space and compile time.

> - put a dhcp client back in system. Not having that sucks, and we can
> spare the 135kB installed.

Agreed.

> - put gentoolkit in. equery, revdep-rebuild etc. are needed.

Yes, and sysstat, pci-utils, mtr, telnet client (for testing port connections), etc.

> - having cron, atd, ... in system would be nice, do we want that?

I'd vote no. I have never found any agreement by sysadmins about which cron daemons work best. And, many boxes don't require it.

> - use as much from hardened profiles as we can. SSP is good :-)
> (- use hardened-sources by default if possible, PaX etc. is very very
> good )

Absolutely.

> - keep default CFLAGS simple - "-O2 -pipe" should be good enough
> - no LDFLAGS unless there are no known bugs (e.g. "-O1" breaks prelink
> in some cases)
>
> What applications do you install on every system? What should be
> provided for logging, monitoring, intrusion detection?
> Is there anything that sucks in the default profiles?

Personally, I can not stand ssmtp - the first thing I have to do on every box is uninstall it and install postfix. I also wish iptables, ifenslave, and iproute2 were included by default. I also enable keep alives, disable pam authentication, and require key authentication in the ssh server.

For monitoring, I use the hyperic-hq-agent (which is commercial, but cheap: http://www.hyperic.net/). For logging, I am experimenting with splunk (http://www.splunk.com/), but I don't think there are any ebuilds yet. It has some kind of dual license where the basic stuff is free, and the professional is $$. Going forward, the new portage logging stuff is pretty cool. Getting an email every time a package upgrade generates log messages is refreshing.

Matt
--
gentoo-server@gentoo.org mailing list
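The sshd settings Matt describes (key-only authentication, PAM authentication disabled, keep-alives enabled) map onto specific OpenSSH `sshd_config` directives. The script below is an added example, not part of the original post or of any Gentoo profile: it reads the effective value of each directive (sshd honours the first occurrence of a keyword) and reports whether a config file matches that baseline. The directive names are real OpenSSH keywords; mapping "disable pam authentication" to `UsePAM no` and "keep alives" to `ClientAliveInterval` is an assumption about what the post means, and the two sample config files are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: audit an sshd_config against the baseline from the post
# (key-only auth, PAM off, keep-alives on). Directive names are OpenSSH
# keywords; the mapping from the post's wording to them is an assumption.

# Effective value of a directive: sshd uses the first matching keyword,
# keywords are case-insensitive, and "#" lines are comments (so a
# commented-out default such as "#PasswordAuthentication yes" is ignored).
sshd_get() {
    # $1 = config file, $2 = directive name
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Print PASS/FAIL per check; return 0 only if every check passes.
sshd_audit() {
    cfg="$1"
    rc=0
    pw=$(sshd_get "$cfg" PasswordAuthentication)
    pk=$(sshd_get "$cfg" PubkeyAuthentication)     # OpenSSH default: yes
    pam=$(sshd_get "$cfg" UsePAM)
    alive=$(sshd_get "$cfg" ClientAliveInterval)   # 0 (default) = disabled

    if [ "$pw" = "no" ] && [ "${pk:-yes}" = "yes" ]; then
        echo "PASS key-only authentication"
    else
        echo "FAIL PasswordAuthentication=${pw:-unset} PubkeyAuthentication=${pk:-unset}"
        rc=1
    fi
    if [ "$pam" = "no" ]; then
        echo "PASS PAM authentication disabled"
    else
        echo "FAIL UsePAM=${pam:-unset}"
        rc=1
    fi
    if [ -n "$alive" ] && [ "$alive" -gt 0 ] 2>/dev/null; then
        echo "PASS keep-alives enabled (ClientAliveInterval=$alive)"
    else
        echo "FAIL ClientAliveInterval=${alive:-unset}"
        rc=1
    fi
    return $rc
}

# Constructed sample configs: one hardened per the post, one stock-looking.
write_sample_configs() {
    dir="$1"
    printf '%s\n' \
        'Port 22' \
        'PasswordAuthentication no' \
        'PubkeyAuthentication yes' \
        'UsePAM no' \
        'ClientAliveInterval 300' \
        'ClientAliveCountMax 3' > "$dir/hardened"
    printf '%s\n' \
        '#PasswordAuthentication yes' \
        'UsePAM yes' \
        '#ClientAliveInterval 0' > "$dir/default"
}

# Stand-alone demo.
if [ -z "$SSHD_AUDIT_NO_DEMO" ]; then
    tmp=$(mktemp -d)
    write_sample_configs "$tmp"
    for f in hardened default; do
        echo "== $f =="
        sshd_audit "$tmp/$f" || echo "-> $f does not meet the baseline"
    done
    rm -rf "$tmp"
fi
```

Run it against a real file with `sshd_audit /etc/ssh/sshd_config`; a FAIL line names the directive and its current (or unset) value so the fix is obvious. The awk lookup deliberately mirrors sshd's first-match rule, so a hardened directive placed after a weaker one earlier in the file is correctly reported as not in effect.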