<html><body bgcolor="#FFFFFF"><div>Allen, responses in-line</div><div><br></div><div>-Scott<br><br>On Jun 29, 2010, at 11:53 PM, George Allen <<a href="mailto:glallen01@gmail.com">glallen01@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div><span></span><span>1) Is there a bare-bones version of RHEL/Centos that is the equivalent</span><br><span>of a 'server' or 'jeos' install? I did a Centos 5.5 install the other</span><br><span>day, picked only the "server task" (to put it in debian terms) and</span><br><span>still came out with a 2gig install. I'll try again without selecting</span><br><span>anything and see what it comes down to.</span><br></div></blockquote><div><br></div><div>If you don't select anything in the package install you'll still get GNOME and X, plus a bunch of standard apps like Firefox. It sounds like you want, on the installer package selection screen, to "Customize" your packages. If you're doing more than one or two boxes the same way, you'll want to use kickstart to automate the installation. There is a chapter in the Red Hat Installation Guide on Kickstart available from <a href="http://www.redhat.com/docs"><a href="http://www.redhat.com/docs">http://www.redhat.com/docs</a></a></div><div><br></div><br><blockquote type="cite"><div><span></span><span>2) What is the best way to manage application of "configuration</span><br><span>items." There are the standard version control systems to track</span><br><span>changes. But I'd like something that can manage OS configuration items</span><br><span>based on a policy document. Maybe puppet, bastille, or cfengine? I'll</span><br><span>read up on each of these, but what do you suggest?</span><font class="Apple-style-span" color="#000000"><font class="Apple-style-span" color="#0023A3"><br></font></font></div></blockquote><div><br></div><div>I use puppet, and have been quite happy.</div><div><br></div><br><blockquote type="cite"><div><span>3) We get re-digested forms of CVEs that we're told to check and prove</span><br><span>compliance with. Our windows shop has this system in place with tools</span><br><span>that can read the XML of these alerts, execute scripts to test against</span><br><span>them (on windows), and then generate another report of compliance. We</span><br><span>will </span><br></div></blockquote><br><div>I was a little too happy with the delete there, stupid phone! But to answer your question, I've not seen anything that does what you want, though I've not looked that hard. All the fixed CVEs are listed in an RPMs changelog, so if you have the CVE number, you could grep the changelog for it. If the CVE is there, it's fixed, if not, you need to find, or wait for, an update.</div><div><br></div><div>-Scott</div></body></html>