Here's a proposal for a "Definition Base System": Multiuser system with:

* Local login (via /etc/passwd)
* network setup via ethernet
* default filesystems used (ext3) directly (without evms, lvm, mdraid etc)
* no services running by default
My questions for discussion are especially the following:
* What do you think of this? Do you have better ideas?
* Is the "base system definition" ok? What's missing - or is it still too much, or should it be made clearer?
I think it's a great idea (and I hope that it's something that will then be applied to the SLES version :-). I like the idea of having no services running by default. In fact I would see this base system as a system more secure by default. For instance I would add the removal of various users in /etc/passwd that should be added only when you install the relevant packages (lp, news, ...).

Maybe, instead of modifying the base system (which could maybe confuse users), a "minimal system" pattern could be created. Regarding what should be included in this minimal pattern, I would be minimalist, even if it would mean for me to have to install a few packages once the installation is finished: it's always more dangerous to remove packages and users than to add them (the first version of my hardening script used to remove the news user and the relevant folders in /var, creating a problem in syslog-ng because it was trying to set permissions on folders that were not existing anymore).

For instance, in a minimal system, I would have only one software "per category". For instance only one shell. As to which software to choose, I imagine that it will be impossible to make everyone happy but, as I said above, I prefer to have something to add than something to remove.

Your suggestions (Local login (via /etc/passwd), network setup via ethernet, default filesystems used (ext3) directly (without evms, lvm, mdraid etc), no services running by default) really make sense to me. Obviously, only the relevant yast packages should be included.

Kind regards,
Gaël
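The syslog-ng breakage mentioned above is the general failure mode of removing package-specific accounts by hand: a daemon still names the account in its configuration and fails at its next start. The following POSIX shell script is an added example for this thread, not a script from the proposal or from the reply: before an account such as lp or news is deleted from a minimal system, it checks whether any configuration file under a directory still refers to it. The uid range used to recognise system accounts (1 to 999), the paths, and the sample passwd and syslog-ng.conf lines it builds in a temporary directory are assumptions made for the example, not real system files.

```shell
#!/bin/sh
# Pre-removal audit for package-specific system accounts (lp, news, ...).
# Added example for this thread, not a hardening script from the proposal
# or the reply. The uid range, the paths and the sample files below are
# assumptions made for the example.

# Print the login names of non-root accounts with uid 1..999 (the
# conventional system-account range; assumed here, check your distribution).
system_accounts() {
    awk -F: '$3 > 0 && $3 < 1000 { print $1 }' "$1"
}

# Print every regular file under DIR that mentions NAME as a whole word,
# e.g. "owner(news)" in a syslog-ng configuration. No match is not an error.
config_references() {
    name=$1
    dir=$2
    find "$dir" -type f -exec grep -l -E \
        "(^|[^A-Za-z0-9_])${name}([^A-Za-z0-9_]|$)" {} + 2>/dev/null || true
}

# Return 0 when NAME is a system account and nothing under CONFDIR refers
# to it, so deleting the account is unlikely to break a service; otherwise
# return 1 and say why on stderr.
safe_to_remove() {
    name=$1
    passwd_file=$2
    confdir=$3
    if ! system_accounts "$passwd_file" | grep -q -x "$name"; then
        echo "$name: not a system account in $passwd_file" >&2
        return 1
    fi
    refs=$(config_references "$name" "$confdir")
    if [ -n "$refs" ]; then
        echo "$name: still referenced by:" >&2
        echo "$refs" >&2
        return 1
    fi
    return 0
}

# Constructed sample environment so the script runs offline: a passwd file
# with two package accounts and a syslog-ng.conf that still owns its log
# files as "news". These are not real system files.
make_sample() {
    root=$(mktemp -d)
    cat > "$root/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
news:x:9:13:News system:/etc/news:/bin/bash
gael:x:1000:100:Gael:/home/gael:/bin/bash
EOF
    mkdir -p "$root/etc/syslog-ng"
    cat > "$root/etc/syslog-ng/syslog-ng.conf" <<'EOF'
options { owner(news); group(news); perm(0640); dir_perm(0750); create_dirs(yes); };
destination newscrit { file("/var/log/news/news.crit" owner(news) group(news)); };
EOF
    echo "$root"
}

# Demonstration on the constructed sample: lp has no references and can
# go; news is still named by syslog-ng and must be kept, or the
# configuration fixed first.
sample=$(make_sample)
for account in $(system_accounts "$sample/passwd"); do
    if safe_to_remove "$account" "$sample/passwd" "$sample/etc"; then
        echo "$account: no configuration references, candidate for removal"
    else
        echo "$account: keep, or fix the configuration first"
    fi
done
rm -rf "$sample"
```

On a real system you would point safe_to_remove at /etc/passwd and /etc, and extend the check with `find / -user NAME` for files the account still owns; the script only reports, it never deletes anything.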