To: gentoo-user@lists.gentoo.org
From: James <wireless@tampabay.rr.com>
Subject: [gentoo-user]  Re: Simplified apache2
Date: Wed, 13 Sep 2006 12:36:45 +0000 (UTC)
Message-ID:  <loom.20060913T142442-90@post.gmane.org>
References:  <loom.20060912T142340-527@post.gmane.org> <558b73fb0609120808k799baf30j41560442b9c38d12@mail.gmail.com> <45074266.7050301@gmail.com>

Ryan Tandy <tarpman <at> gmail.com> writes:


> Michael Crute wrote:
> > USE="-* hardened pic ncurses ssl crypt berkdb tcpd pam perl python 
> > readline"

Hello Ryan,

glibc croaked during an upgrade/recompile and told me to add:
'nptl nptlonly' to make.conf. I did and the system completed a deep recompile
late last night.

> Even this is a bit more bloated than it needs to be.  I have never used 
> 'tcpd' or 'berkdb' on any system I run, and 'perl' and 'python' are 
> *much* more useful (IMO) as local flags (in package.use) than as global 
> ones.  Even 'ssl' doesn't *have* to be there, especially in the global 
> scope - 'www-client/links ssl' in package.use should be more than 
> sufficient.  One flag missing from that line that I like to have is 
> 'bzip2' - tar just isn't quite the same without bz2 support. ;)


Ok,
So I'll test your suggestions. 
The more minimized the global flags are, the more secure the server.

> Also, be careful using the hardened flag without running the hardened 
> profile.  The hardened profile masks out a couple of packages and flags 
> that don't work so well on a hardened system.

Hmmmm,

Not sure I fully grasp what you mean by a 'hardened system'. If you mean
running a hardened kernel with only necessary software installed, then
yes, I run hardened kernels on most servers {dns, web, mail, firewalls....}

If running a hardened system means more than that, please explain,
or point me to some docs.


> BTW, the flags with underscores in them (kernel_linux, userland_GNU, 
> elibc_glibc, video_cards_radeon and such) are known as USE_EXPAND or 
> expanded USE flags.  

This is nice to know. 
I did not get the memo on this.
Any docs for further reading you can point me to?

thanks for all of the information,
thanks to everyone for help on this,



James



-- 
gentoo-user@gentoo.org mailing list
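
Added example, not part of the original message or of Portage: a check for the mismatch Ryan warns about above, where 'hardened' is set as a global USE flag while the system is not on a hardened profile. The function names, the sample make.conf, the sample profile paths and the rule that a hardened profile has a path component named "hardened" are assumptions made for this example.

```python
import re

# Constructed sample make.conf; the USE line is the one quoted in the thread,
# wrapped across two lines as it was in the e-mail.
SAMPLE_MAKE_CONF = '''CFLAGS="-O2 -pipe"
#USE="X gnome"
USE="-* hardened pic ncurses ssl crypt berkdb tcpd pam perl python
readline"
'''

def global_use_flags(make_conf_text):
    """Return the flags enabled by the last uncommented USE="..." assignment."""
    # [^"]* also matches newlines, so a value wrapped over several lines is read whole.
    assignments = re.findall(r'^[ \t]*USE[ \t]*=[ \t]*"([^"]*)"', make_conf_text, re.M)
    enabled = set()
    if not assignments:
        return enabled
    for flag in assignments[-1].split():
        if flag == "-*":            # "-*" drops everything enabled so far
            enabled.clear()
        elif flag.startswith("-"):  # "-foo" disables a single flag
            enabled.discard(flag[1:])
        else:
            enabled.add(flag)
    return enabled

def hardened_flag_without_profile(make_conf_text, profile_target):
    """True when 'hardened' is a global USE flag but the profile is not hardened."""
    # Assumption: a hardened profile has a path component named "hardened".
    on_hardened_profile = "hardened" in profile_target.strip("/").split("/")
    return "hardened" in global_use_flags(make_conf_text) and not on_hardened_profile

if __name__ == "__main__":
    # Constructed profile symlink targets; on a live system use os.readlink()
    # on the make.profile symlink instead.
    for target in ("../usr/portage/profiles/default-linux/x86/2006.1",
                   "../usr/portage/profiles/hardened/x86"):
        state = "MISMATCH" if hardened_flag_without_profile(SAMPLE_MAKE_CONF, target) else "ok"
        print(f"{target}: {state}")
```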