Hi, I'm currently working for a company that provides managed security solutions. Linux is used fairly extensively in the internal infrastructure. Currently it's Mandrake, however my immediate superior (who is the Mandrake guy) is open minded and has allowed me to run up some Debian installations so he can see what it's capable of.
Firstly, the main reason why he chose Mandrake in the first place (over, say, the likes of Red Hat) was that you were able to do a minimalist installation and actually not get very much (i.e. the base system was very minimalist). Unlike Red Hat, where in the installation process you'd tell it to install "nothing" (i.e. just a base system) and you'd wind up with all sorts of things running that you really didn't want running (like an SMTP server). The other reason was that it is apparently relatively easy to create a "build" under Mandrake and just blat this build onto as many boxes as you like (I'm guessing something like Red Hat's KickStart).

Okay, so he's let me run with Debian (for the time being at least, which I'm happy with because I really don't like supporting RPM-based systems). Some of the requirements that were given to me were that we had to be able to deploy a consistent "build" of Debian, generally task oriented. So we might have a build for a Debian box that was a DNS server, a build for a Debian box that was an SMTP relay, a proxy server, etc etc. At this point I asked on the Debian-User list for something KickStart-ish and was directed to FAI (Fully Automatic Install), and after a couple of weeks of playing around I believe I can make this work for me. FAI is a Good Thing (tm), as I previously had a gripe that Debian had nothing KickStart-ish.

The reason that I'm writing this email is because I have a gripe about the base Debian packages. We want these "builds" to be as "hardened" as possible. For example, we don't want compilers installed, unnecessary binaries floating around, etc etc. I really don't want to deviate from using the packaging system to maintain what's installed. I don't want to wind up with a Frankenstein Debian installation that can't be maintained easily. It's just not the Debian Way either. One thing in particular is inetd. It seems it's unavoidable to have inetd installed, with the netbase package depending on netkit-inetd.
Is it possible to completely remove the inetd binary and use a diversion or something to keep the package system reasonably happy with what's happened? (I'm not very clued up on more advanced elements of the packaging system like diversions.) (Side issue, but why the heck is Woody shipping with inetd and not xinetd? After seeing the way Red Hat manages xinetd-based services, it's so much more elegant than using update-inetd.)

Secondly, even the base system comes with exim installed and port 25 open (granted, I haven't checked to see if it's only on localhost). A lot of reasonably necessary packages depend on a mail-transport-agent virtual package being installed. For example, on my home machine, if I try to remove the sendmail package, I can also kiss goodbye:

apache at linpopup log2mail logcheck logrotate mailx mindterm mutt netsaint samba squid squid-cgi

Some of these I find a little bit strange to be losing because I've gotten rid of my mail transport agent... Log rotation, for example, is something I'd need and want in any build I make. I don't understand why I lose at but not cron either...

So my main conundrum at present is: what is the best way to make a truly minimalist Debian installation, the "Debian Way", in a highly security-conscious environment? I'd really like to see Debian get up in this organisation. Anything insightful (and hopefully not inciteful) appreciated.

Andrew
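The removal cascade Andrew describes (pull one MTA and lose logrotate, at, logcheck and friends, but not cron) is just reverse-dependency resolution through a virtual package. The script below is an added example, not part of Andrew's mail or of any Debian tool: it parses stanzas in the format of /var/lib/dpkg/status, resolves Provides: and "a | b" alternatives, and walks to a fixpoint to report which installed packages would have to go once a given package is removed, and which Depends: clause fails for each. The status stanzas are constructed and abbreviated for the demonstration; on a real box you would feed it the actual status file. Seeing the failing clause is what tells you whether a build can drop a package outright or whether it needs a lightweight provider of the virtual package instead.

```python
"""Reverse-dependency removal cascade over dpkg status stanzas.

Added example (not Debian's own code). Answers: if package X is removed,
which other installed packages does dpkg have to remove, and why?
"""
import re
from typing import Dict, List, Set

# A package name in a relation field, with any "(>= 1.2)" version
# constraint or other trailing qualifier dropped.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.+-]*")

# Constructed, abbreviated stanzas (NOT a real system's status file);
# the dependency shapes mirror the ones discussed in the mail.
SAMPLE_STATUS = """\
Package: exim
Status: install ok installed
Provides: mail-transport-agent
Depends: libc6, cron

Package: cron
Status: install ok installed
Depends: libc6

Package: logrotate
Status: install ok installed
Depends: libc6, cron, mail-transport-agent | exim

Package: logcheck
Status: install ok installed
Depends: logrotate, mail-transport-agent

Package: at
Status: install ok installed
Depends: libc6, mail-transport-agent

Package: xinetd
Status: deinstall ok config-files
Depends: libc6

Package: libc6
Status: install ok installed
"""


def _parse_relations(field: str) -> List[List[str]]:
    """'a, b (>= 1) | c' -> [['a'], ['b', 'c']] (clauses of alternatives)."""
    clauses = []
    for clause in field.split(","):
        alts = []
        for alt in clause.split("|"):
            m = _NAME_RE.match(alt.strip())
            if m:
                alts.append(m.group(0))
        if alts:
            clauses.append(alts)
    return clauses


def parse_status(text: str) -> Dict[str, dict]:
    """Return {name: {'provides': set, 'depends': [[alts], ...]}} for every
    stanza whose Status field ends in 'installed' (others are ignored, as
    dpkg would not consider their dependencies binding)."""
    pkgs: Dict[str, dict] = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith((" ", "\t")):
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        name = fields.get("Package")
        if not name or fields.get("Status", "").split()[-1:] != ["installed"]:
            continue
        deps = _parse_relations(fields.get("Depends", ""))
        deps += _parse_relations(fields.get("Pre-Depends", ""))
        provides = {p for clause in _parse_relations(fields.get("Provides", "")) for p in clause}
        pkgs[name] = {"provides": provides, "depends": deps}
    return pkgs


def removal_cascade(pkgs: Dict[str, dict], target: str) -> Dict[str, List[str]]:
    """Map each package that must also be removed when `target` goes to the
    Depends clause (list of alternatives) that can no longer be satisfied.
    The target itself is not included in the result."""
    if target not in pkgs:
        raise KeyError(f"{target} is not an installed package")
    # Which installed packages satisfy a given name: the package itself,
    # plus any package that Provides: it (virtual packages).
    satisfiers: Dict[str, Set[str]] = {}
    for name, info in pkgs.items():
        satisfiers.setdefault(name, set()).add(name)
        for virt in info["provides"]:
            satisfiers.setdefault(virt, set()).add(name)

    removed: Set[str] = {target}
    reasons: Dict[str, List[str]] = {}
    changed = True
    while changed:  # iterate to a fixpoint: removals can trigger removals
        changed = False
        for name, info in pkgs.items():
            if name in removed:
                continue
            for clause in info["depends"]:
                # Clauses that were never satisfiable are not our concern here.
                if not any(satisfiers.get(alt) for alt in clause):
                    continue
                if not any(satisfiers.get(alt, set()) - removed for alt in clause):
                    removed.add(name)
                    reasons[name] = clause
                    changed = True
                    break
    return reasons


if __name__ == "__main__":
    installed = parse_status(SAMPLE_STATUS)
    for pkg, clause in sorted(removal_cascade(installed, "exim").items()):
        print(f"{pkg}: unsatisfiable Depends: {' | '.join(clause)}")
```

Running it against the constructed data reports at, logcheck and logrotate, each with the clause that broke, while cron survives because the dependency runs from exim to cron and not the other way round.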