* [gentoo-user] Simplified apache2
From: James @ 2006-09-12 13:40 UTC
To: gentoo-user
Hello,
I used the 2006.1 livecd to install a pII machine. It's going
to become a (minimalistic) apache2 server. I just let the installation
set the flags for the install, so I have these flags currently:
CURRENT
USE="X alsa arts avi berkdb bitmap-fonts cairo cdr cli crypt cups dbus dlloader
     dri dvd dvdr eds elibc_glibc emboss encode esd fam firefox fortran gdbm gif
     gnome gpm gstreamer gtk hal input_devices_evdev input_devices_keyboard
     input_devices_mouse ipv6 isdnlog jpeg kde kernel_linux ldap libg++ mad mikmod
     mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre pdflib perl png ppds
     pppd python qt3 qt4 quicktime readline reflection sdl session spell spl ssl tcpd
     truetype truetype-fonts type1-fonts udev unicode userland_GNU vorbis win32codecs
     x86 xml xorg xv zlib apache2"
Some of these flags look questionable, such as the ones with underscores
(kernel_linux userland_GNU), as I only found information on them where they
are described as 'undocumented use flags'. What's up with these flags?
Where do I look to discern the minimal list of (necessary) system flags that
must be kept? (I want to avoid negating any flags that are critical.)
This is my proposed list of flags:
PROPOSED
USE="berkdb bitmap-fonts dbus hal jpeg ldap mp3 mpeg ncurses nls nptl nptlonly
     ogg pam pcre pdflib perl png python quicktime readline sdl ssl tcpd truetype
     truetype-fonts type1-fonts udev unicode vorbis win32codecs xml xv zlib apache2"
So can I just use this list, or do I have to include a -{flag} for each one?
Is there simpler syntax to globally remove unwanted flags [-*], but not any
critical system flags? (Is this the same as just leaving the flag out
of the USE param. setting in make.conf?)
Are there default system flag settings that I can safely remove?
Where is the list and how do I know which ones can be removed or negated?
My (limited) understanding of flags is that the highest priority are
those set in /etc/portage/package.use, then /etc/make.conf, then
the system default flags, which may be located in several locations.
Are there any docs or a listing of all of these locations and details
on precedence?
James
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Simplified apache2
From: Michael Crute @ 2006-09-12 15:08 UTC
To: gentoo-user
On 9/12/06, James <wireless@tampabay.rr.com> wrote:
>
> I used 2006.1 livecd to install a pII machine. It's going
> to become a (minimalistic) apache2 server. I just let the
> installation
> set the flags for the install so I have these flags currently:
<snip>
Those look a bit excessive for a "minimalist" machine. I would start over ;-)
> Some of these flags look questionable, such as the ones with
> underscores (kernel_linux userland_GNU) as I only found
> information on them where they are described as 'undocumented
> use flags'. What's up with these flags?
My understanding is that these are set in the profile and simply tell
portage that you are using Linux. I don't think there is any way
(short of profile hacking) to change them. So don't worry about it.
> Where do I look to discern the minimal list of (necessary) system
> flags that
> must be kept? (I want to avoid negating any flags that are critical).
>
>
> These are my proposed list of flags:
<snip>
Still a little excessive in my opinion. The approach that I would (do)
take is to put only the bare minimum use flags in make.conf and
override the rest on a per-package level in /etc/portage/package.use.
> So can I just use this list, or do I have to include a -{flag} for each one?
>
> IS there simpler syntax to globally remove unwanted flags [-*], but, not any
> critical system flags? (Is this the same as just leaving the flag out
> of the USE param. setting in make.conf?
>
-* will work, but be careful: it can break things if you don't know what
you're doing.
> Are there default system flag settings that I can safely remove?
> Where is the list and how do I know which ones can be removed or negated?
>
> My (limited) understanding of flags are that the highest priority are
> those set in /etc/portage/package.use, then /etc/make.conf then
> the system default flags which may be located in several locations.
> Is there any docs or listing of all of these location and details
> on precedence?
http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&chap=2
OK, my advice to you would be to start over with a hardened profile.
While hardened is not specifically required I highly recommend it if
this is just going to be a headless server machine.
You probably want to set your machine up with a similar USE= string in make.conf
USE="-* hardened pic ncurses ssl crypt berkdb tcpd pam perl python readline"
I believe that is the bare minimum if you use -*. Now you can compile
your system and you have a blank slate to start working with. As you
start emerging packages just make sure you use the -pv flags for
emerge and check out the available use flags and add the ones you want
to /etc/portage/package.use. Here is an example of my package.use line
for apache2
net-www/apache mpm-prefork threads
This setup works smashingly for me on my production servers, but YMMV.
Best of luck.
-Mike
--
________________________________
Michael E. Crute
http://mike.crute.org
I may not have gone where I intended to go, but I think I have ended
up where I intended to be. --Douglas Adams
* [gentoo-user] Re: Simplified apache2
From: James @ 2006-09-12 15:36 UTC
To: gentoo-user
Michael Crute <mcrute <at> gmail.com> writes:
> Those look a bit excessive for a "minimalist" machine. I would start over
> You probably want to set your machine up with a similar USE= string in make.conf
> USE="-* hardened pic ncurses ssl crypt berkdb tcpd pam perl python readline"
> net-www/apache mpm-prefork threads
Hello Mike,
I'll give this approach a whirl.
I use hardened on my firewalls and it works well.
thx
James
* Re: [gentoo-user] Simplified apache2
From: Ryan Tandy @ 2006-09-12 23:27 UTC
To: gentoo-user
Michael Crute wrote:
> USE="-* hardened pic ncurses ssl crypt berkdb tcpd pam perl python
> readline"
Even this is a bit more bloated than it needs to be. I have never used
'tcpd' or 'berkdb' on any system I run, and 'perl' and 'python' are
*much* more useful (IMO) as local flags (in package.use) than as global
ones. Even 'ssl' doesn't *have* to be there, especially in the global
scope - 'www-client/links ssl' in package.use should be more than
sufficient. One flag missing from that line that I like to have is
'bzip2' - tar just isn't quite the same without bz2 support. ;)
Also, be careful using the hardened flag without running the hardened
profile. The hardened profile masks out a couple of packages and flags
that don't work so well on a hardened system.
BTW, the flags with underscores in them (kernel_linux, userland_GNU,
elibc_glibc, video_cards_radeon and such) are known as USE_EXPAND or
expanded USE flags. VIDEO_CARDS and ALSA_CARDS are a couple you may be
familiar with - when they're set in make.conf, emerge expands them
automatically, so e.g. VIDEO_CARDS="radeon" gets expanded to
USE="video_cards_radeon". KERNEL, USERLAND, and ELIBC are there for the
use of packages that work differently on different systems -
Gentoo/FreeBSD, Gentoo/OSX, and such - and should *only* be set by your
profile.
Hope I've helped. :)
Ryan
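The layering Mike recommends (a bare minimum in make.conf, -* to start from a blank slate, per-package overrides in /etc/portage/package.use) and the USE_EXPAND expansion Ryan describes (VIDEO_CARDS="radeon" becoming video_cards_radeon, with KERNEL/USERLAND/ELIBC owned by the profile) can be modelled in a few lines. The following is an added example written for this archive; it is not Portage code and was not posted by anyone in the thread. The profile, make.conf and package.use contents are constructed (the USE and package.use strings are the ones Mike posted), the USE_EXPAND variable list is limited to the names mentioned above, and the rule that profile-forced USE_EXPAND values survive -* is an assumption modelled on Portage's use.force.

```python
"""Toy resolver for the USE-flag layering discussed in this thread.

Added example, not Portage code: it never reads a real system.  Layers,
lowest to highest priority, as the thread describes them:

  1. profile defaults, including the USE_EXPAND values the profile forces
     (KERNEL, USERLAND, ELIBC -> kernel_linux, userland_GNU, elibc_glibc)
  2. USE= and USE_EXPAND variables (VIDEO_CARDS, ALSA_CARDS, ...) in make.conf
  3. per-package lines in /etc/portage/package.use

A leading "-*" in the make.conf USE string discards everything inherited
from the profile before the flags after it are applied.  Assumption: the
profile-forced USE_EXPAND values survive "-*", modelled on Portage's use.force.
"""
import shlex
from typing import Dict, Iterable, List, Set

# USE_EXPAND variables named in the thread; a real profile declares more.
USE_EXPAND_VARS = ("VIDEO_CARDS", "ALSA_CARDS", "KERNEL", "USERLAND", "ELIBC")
# The ones a profile forces and an admin is not meant to override.
FORCED_EXPAND_VARS = ("KERNEL", "USERLAND", "ELIBC")

# Constructed stand-in for a profile (not a real Gentoo profile).
PROFILE = {
    "USE": "X alsa gnome kde ssl pam readline ncurses",
    "KERNEL": "linux",
    "USERLAND": "GNU",
    "ELIBC": "glibc",
}

# Constructed make.conf and package.use, using the strings from the thread.
MAKE_CONF = '''
USE="-* hardened pic ncurses ssl crypt berkdb tcpd pam perl python readline"
VIDEO_CARDS="radeon"
'''
PACKAGE_USE = '''
net-www/apache mpm-prefork threads
www-client/links -perl ssl
'''


def parse_conf(text: str) -> Dict[str, str]:
    """Parse make.conf-style VAR="value" lines; comments and blanks are skipped."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = " ".join(shlex.split(value))
    return conf


def expand(conf: Dict[str, str]) -> List[str]:
    """Flatten USE plus USE_EXPAND variables into one token list, so that
    VIDEO_CARDS="radeon" contributes the token video_cards_radeon."""
    tokens = conf.get("USE", "").split()
    for var in USE_EXPAND_VARS:
        tokens += [f"{var.lower()}_{v}" for v in conf.get(var, "").split()]
    return tokens


def apply_tokens(enabled: Set[str], tokens: Iterable[str]) -> Set[str]:
    """Apply tokens left to right: 'flag' enables, '-flag' disables, '-*' clears."""
    result = set(enabled)
    for tok in tokens:
        if tok == "-*":
            result.clear()
        elif tok.startswith("-"):
            result.discard(tok[1:])
        else:
            result.add(tok)
    return result


def parse_package_use(text: str) -> Dict[str, List[str]]:
    """Parse package.use lines of the form '<category/package> flag [flag ...]'."""
    entries: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            entries.setdefault(fields[0], []).extend(fields[1:])
    return entries


def effective_use(atom: str, make_conf: str = MAKE_CONF,
                  package_use: str = PACKAGE_USE,
                  profile: Dict[str, str] = PROFILE) -> Set[str]:
    """Return the USE set a package would be built with under the three layers."""
    flags = apply_tokens(set(), expand(profile))
    flags = apply_tokens(flags, expand(parse_conf(make_conf)))
    flags = apply_tokens(flags, parse_package_use(package_use).get(atom, []))
    # Re-apply the profile-forced USE_EXPAND values so "-*" cannot drop them.
    for var in FORCED_EXPAND_VARS:
        flags |= {f"{var.lower()}_{v}" for v in profile.get(var, "").split()}
    return flags


if __name__ == "__main__":
    for atom in ("net-www/apache", "www-client/links"):
        print(atom, sorted(effective_use(atom)))
    # Without "-*" the profile's X/gnome/kde defaults stay enabled.
    print("no -*:", sorted(effective_use("net-www/apache", 'USE="hardened"')))
```

Running it shows why the thread's advice works: with -* in make.conf the profile's X, gnome and kde defaults vanish from every package, the flags after -* come back globally, and the package.use line only touches net-www/apache. Drop the -* and the same make.conf merely adds hardened on top of everything the profile enabled, which is the "excessive" state James started from.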
* [gentoo-user] Re: Simplified apache2
From: James @ 2006-09-13 12:36 UTC
To: gentoo-user
Ryan Tandy <tarpman <at> gmail.com> writes:
> Michael Crute wrote:
> > USE="-* hardened pic ncurses ssl crypt berkdb tcpd pam perl python
> > readline"
Hello Ryan,
glibc croaked during an upgrade/recompile and told me to add
'nptl nptlonly' to make.conf. I did, and the system completed a deep recompile
late last night.
> Even this is a bit more bloated than it needs to be. I have never used
> 'tcpd' or 'berkdb' on any system I run, and 'perl' and 'python' are
> *much* more useful (IMO) as local flags (in package.use) than as global
> ones. Even 'ssl' doesn't *have* to be there, especially in the global
> scope - 'www-client/links ssl' in package.use should be more than
> sufficient. One flag missing from that line that I like to have is
> 'bzip2' - tar just isn't quite the same without bz2 support. ;)
Ok,
So I'll test your suggestions.
The more minimized the global flags are, the more secure the server.
> Also, be careful using the hardened flag without running the hardened
> profile. The hardened profile masks out a couple of packages and flags
> that don't work so well on a hardened system.
Hmmmm,
Not sure I fully grasp what you mean by a 'hardened system'. If you mean
running a hardened kernel with only necessary software installed, then
yes, I run hardened kernels on most servers {dns, web, mail, firewalls....}
If running a hardened system means more than that, please explain,
or point me to some docs.
> BTW, the flags with underscores in them (kernel_linux, userland_GNU,
> elibc_glibc, video_cards_radeon and such) are known as USE_EXPAND or
> expanded USE flags.
This is nice to know.
I did not get the memo on this.
Any docs for further reading you can point me to?
thanks for all of the information,
thanks to everyone for help on this,
James
* Re: [gentoo-user] Re: Simplified apache2
From: Rumen Yotov @ 2006-09-13 13:20 UTC
To: gentoo-user
Hi,
On Wed, 13 Sep 2006 12:36:45 +0000 (UTC)
James <wireless@tampabay.rr.com> wrote:
> Ryan Tandy <tarpman <at> gmail.com> writes:
>
>
> > Michael Crute wrote:
> > > USE="-* hardened pic ncurses ssl crypt berkdb tcpd pam perl
> > > python readline"
>
You could omit "pic" here IIRC (on a hardened profile) "hardened"
includes -fpic -fpie CFLAGS, plus SSP in GCC-4.1.1 (a default).
If using a vanilla (desktop & server) profile you'll need 'pie' as well.
Maybe (if not using a hardened profile) you'll also need some LDFLAGS.
> Ok,
> So I'll test your suggestions.
> The more minimized the global flags are, the more secure the server.
>
+1
Could also check the flags in "hardened" profile.
> > Also, be careful using the hardened flag without running the
> > hardened profile. The hardened profile masks out a couple of
> > packages and flags that don't work so well on a hardened system.
+1
> Hmmmm,
>
> Not sure I fully grasp what you mean by a 'hardened system'. If you
> mean running a hardened kernel with only necessary software
> installed, then yes, I run hardened kernels on most servers {dns,
> web, mail, firewalls....}
>
> If running a hardened system means more than that, please explain,
> or point me to some docs.
Check the hardened docs page on w.g.o. In short, hardened means a kernel
with PaX (+ -fpie for packages), some sort of RBAC system (grsec, RSBAC
or SELinux) and all userland built with SSP, pic, pie (IMHO).
> > BTW, the flags with underscores in them (kernel_linux,
> > userland_GNU, elibc_glibc, video_cards_radeon and such) are known
> > as USE_EXPAND or expanded USE flags.
>
> This is nice to know.
> I did not get the memo on this.
> Any docs for further reading you can point me to?
>
...SKIP...
> James
HTH.Rumen
* Re: [gentoo-user] Re: Simplified apache2
From: Brian Davis @ 2006-09-14 17:05 UTC
To: gentoo-user
Rumen Yotov wrote:
> Hi,
> On Wed, 13 Sep 2006 12:36:45 +0000 (UTC)
> James <wireless@tampabay.rr.com> wrote:
>
>> Ryan Tandy <tarpman <at> gmail.com> writes:
>>
>>
>>
>>> Michael Crute wrote:
>>>
>>>> USE="-* hardened pic ncurses ssl crypt berkdb tcpd pam perl
>>>> python readline"
>>>>
> You could omit "pic" here IIRC (on a hardened profile) "hardened"
> includes -fpic -fpie CFLAGS, plus SSP in GCC-4.1.1 (a default).
> If using a vanilla (desktop & server) profile you'll need 'pie' as well.
> Maybe (if not using a hardened profile) you'll also need some LDFLAGS.
>
I have a question on this: why would a package have to use a pic USE
flag if all that was needed was to compile with -fpic?
>> Ok,
>> So I'll test your suggestions.
>> The more minimized the global flags are, the more secure the server.
>>
>>
> +1
> Could also check the flags in "hardened" profile.
>
>>> Also, be careful using the hardened flag without running the
>>> hardened profile. The hardened profile masks out a couple of
>>> packages and flags that don't work so well on a hardened system.
>>>
> +1
>
>> Hmmmm,
>>
>> Not sure I fully grasp what you mean by a 'hardened system'. If you
>> mean running a hardened kernel with only necessary software
>> installed, then yes, I run hardened kernels on most servers {dns,
>> web, mail, firewalls....}
>>
>> If running a hardened system means more than that, please explain,
>> or point me to some docs.
>>
> Check the hardened docs page on w.g.o. In short, hardened means a kernel
> with PaX (+ -fpie for packages), some sort of RBAC system (grsec, RSBAC
> or SELinux) and all userland built with SSP, pic, pie (IMHO).
>
>>> BTW, the flags with underscores in them (kernel_linux,
>>> userland_GNU, elibc_glibc, video_cards_radeon and such) are known
>>> as USE_EXPAND or expanded USE flags.
>>>
>> This is nice to know.
>> I did not get the memo on this.
>> Any docs for further reading you can point me to?
>>
>>
> ...SKIP...
>
>> James
>>
> HTH.Rumen
>
* Re: [gentoo-user] Re: Simplified apache2
From: Brian Davis @ 2006-09-14 21:49 UTC
To: Brian Davis; +Cc: gentoo-user
I think I've answered my own question:
On my system, gzip is the only package that contains the pic USE flag.
Looking at the ebuild, the pic USE flag is used to tell the system not
to use the assembler code optimizations.
Presumably, assembler code can't be relocated.
Thanks,
Brian
* Re: [gentoo-user] Re: Simplified apache2
From: Michael Crute @ 2006-09-13 13:50 UTC
To: gentoo-user
On 9/13/06, James <wireless@tampabay.rr.com> wrote:
>
> Not sure I fully grasp what you mean by a 'hardened system'. If you mean
> running a hardened kernel with only necessary software installed, then
> yes, I run hardened kernels on most servers {dns, web, mail, firewalls....}
>
> If running a hardened system means more than that, please explain,
> or point me to some docs.
I guess I should have clarified when I made my initial suggestion. A
hardened system is one that is running the hardened profile. All my
server systems are built from the hardened stage 1 tarball. So
basically, you should not use the hardened useflag if your system was
not built with the hardened profile.
Note that there is more to "hardening" a system than just using a
certain profile or a combination of useflags, but it's a good start.
-Mike
--
________________________________
Michael E. Crute
http://mike.crute.org
I may not have gone where I intended to go, but I think I have ended
up where I intended to be. --Douglas Adams
* Re: [gentoo-user] Re: Simplified apache2
From: Bo Ørsted Andresen @ 2006-09-13 17:01 UTC
To: gentoo-user
On Wednesday 13 September 2006 14:36, James wrote:
> The more minimized the global flags are, the more secure the server.
Was I the only one who wasn't quite convinced by that statement?
--
Bo Andresen
* Re: [gentoo-user] Re: Simplified apache2
From: Stefan G. Weichinger @ 2006-09-13 17:52 UTC
To: gentoo-user
Bo Ørsted Andresen wrote:
> On Wednesday 13 September 2006 14:36, James wrote:
>> The more minimized the global flags are, the more secure the server.
>
> Was I the only one who wasn't quite convinced by that statement?
No.
Stefan
* Re: [gentoo-user] Re: Simplified apache2
From: Neil Bothwick @ 2006-09-13 18:08 UTC
To: gentoo-user
On Wed, 13 Sep 2006 19:01:18 +0200, Bo Ørsted Andresen wrote:
> > The more minimized the global flags are, the more secure the server.
>
> Was I the only one who wasn't quite convinced by that statement?
If that means leaving GAPING_SECURITY_HOLE out of USE, then it holds some
truth ;-)
--
Neil Bothwick
New Intel opcode #007 PUKE: Put unmeaningful keywords everywhere
* Re: [gentoo-user] Re: Simplified apache2
From: Daniel da Veiga @ 2006-09-13 19:13 UTC
To: gentoo-user
On 9/13/06, Bo Ørsted Andresen <bo.andresen@zlin.dk> wrote:
> On Wednesday 13 September 2006 14:36, James wrote:
> > The more minimized the global flags are, the more secure the server.
>
> Was I the only one who wasn't quite convinced by that statement?
>
No... I think it is a little "rush" to state something like that...
--
Daniel da Veiga
Computer Operator - RS - Brazil
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCM/IT/P/O d-? s:- a? C++$ UBLA++ P+ L++ E--- W+++$ N o+ K- w O M- V-
PS PE Y PGP- t+ 5 X+++ R+* tv b+ DI+++ D+ G+ e h+ r+ y++
------END GEEK CODE BLOCK------
* [gentoo-user] Re: Simplified apache2
From: Harm Geerts @ 2006-09-13 21:11 UTC
To: gentoo-user
On Wednesday 13 September 2006 21:13, Daniel da Veiga wrote:
> On 9/13/06, Bo Ørsted Andresen <bo.andresen@zlin.dk> wrote:
> > On Wednesday 13 September 2006 14:36, James wrote:
> > > The more minimized the global flags are, the more secure the server.
> >
> > Was I the only one who wasn't quite convinced by that statement?
>
> No... I think it is a little "rush" to state something like that...
There is a little truth in it.
If you decrease the amount of packages installed, you also decrease the amount
of packages installed that contain a security hole.
* Re: [gentoo-user] Simplified apache2
From: Michael Stewart (vericgar) @ 2006-09-13 5:07 UTC
To: gentoo-user
Michael Crute wrote:
> net-www/apache mpm-prefork threads
As a side note from the Apache maintainer:
This USE-flag combination is pointless.
The threads USE-flag is only used if you don't specify an MPM USE-flag,
and causes the MPM to be mpm-worker. (If threads is not set, the MPM
defaults to mpm-prefork.)
--
Michael Stewart vericgar@gentoo.org
Gentoo Developer http://dev.gentoo.org/~vericgar
GnuPG Key ID 0x08614788 available on http://pgp.mit.edu
* Re: [gentoo-user] Simplified apache2
From: Michael Crute @ 2006-09-13 13:45 UTC
To: gentoo-user
On 9/13/06, Michael Stewart (vericgar) <vericgar@gentoo.org> wrote:
> Michael Crute wrote:
> > net-www/apache mpm-prefork threads
>
> As a side note from the Apache maintainer:
> This USE-flag combination is pointless.
>
> The threads USE-flag is only used if you don't specify an MPM USE-flag,
> and causes the MPM to be mpm-worker. (If threads is not set, the MPM
> defaults to mpm-prefork.)
Hmm... I seem to remember some problem with PHP only compiling if
threads was set to on. Maybe not, will have to test it to see if there
is any good reason that I still have that in my package.use. Thanks
for the tip.
-Mike
--
________________________________
Michael E. Crute
http://mike.crute.org
I may not have gone where I intended to go, but I think I have ended
up where I intended to be. --Douglas Adams
* Re: [gentoo-user] Simplified apache2
From: Brian Davis @ 2006-09-13 18:17 UTC
To: gentoo-user
Can one convert a non-hardened machine to use the hardened profile, or
do you have to start from scratch?
* Re: [gentoo-user] Re: Simplified apache2
From: bridavis @ 2006-09-14 2:51 UTC
To: gentoo-user
Thanks James!
-------------- Original message --------------
From: James <wireless@tampabay.rr.com>
> Brian Davis comcast.net> writes:
>
>
> > Can one convert a non-hardened machine to use the hardened profile, or
> > do you have to start from scratch?
>
>
> Hello Brian,
>
> The short answer is YES. The correct answer is you have to
> read quite a lot (I'm in the middle of that) and decide
> which 'path/technology' you want to follow. Here's docs
> you should start looking at:
>
> http://www.gentoo.org/proj/en/hardened/primer.xml
> http://www.gentoo.org/proj/en/hardened/
>
> I choose 'SElinux' as the path to follow for me
> that makes most sense. Since the NSA was the prime
> motivator, it's an easy path to convince my clients
> to follow. Although SElinux is not a complete
> solution, other complementary software combined with
> SElinux does provide for a complete (security) solution,
> almost.....
>
>
> http://www.gentoo.org/proj/en/hardened/selinux/
> http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml
> http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2
>
> hth,
> http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2
> James
>
>
>